TA-ShadowCricket: Emerging Malware Trends and IRC Server Tracking
May 28, 2025, 1:19 p.m.
Description
The TA-ShadowCricket group, formerly known as Shadow Force, has been active in the Asia-Pacific region since 2012, targeting Windows servers and MS-SQL servers. The group operates an IRC server with over 2,000 affected IPs across 72 countries. Its toolset includes the Upm, SqlShell, Maggie, and Wgdrop malware. Intrusions follow three stages: initial access and reconnaissance, backdoor deployment, and follow-on malicious activity. The group has connections to China and has been quietly stealing information for over 13 years without demanding ransom or leaking the stolen data; this persistent, low-profile activity suggests preparation for potential large-scale attacks in the future.
Tags
Date
- Created: May 27, 2025, 11:59 p.m.
- Published: May 27, 2025, 11:59 p.m.
- Modified: May 28, 2025, 1:19 p.m.
Indicators
- c398ec81eb4387c4533729c457d98a7b2233438703604aa8c4985969c9f1614a
- b7c53ed199ec3579179d56481e97f1abfc8c8e91099088bcccbc38426440ddb8
- 96e2ca06361b9e93fd4f7efc8adf9d3d542dc6d404cc6f7e220bb2c20556a6f3
- 5ecc72048c4ef21bdf1fb0f4f6333c9d630de0881c20db768f87b0e9a3109da3
- 1b65de175a60ef778f745149af1f6f5da311037d9943f2888761839a46ee842a
- 211.204.100.20
- 210.127.211.40
- 121.178.180.210
- 114.202.2.32
- 1.234.4.115
- www.itembuy.org
- irc.itembuy.org
- abc.itembuy.org
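The indicator list above mixes SHA-256 hashes, IPv4 addresses and hostnames. The script below is an added example (not code from the original page or from the report's authors) showing how a detection engineer would load that list, bucket it by type, and sweep it over log lines. It assumes the indicators are copied verbatim from the list above, that the sample DNS, firewall and EDR log lines are constructed for illustration (the port number and internal hosts are not from the page), and that any host under a listed hostname's parent (irc.itembuy.org gives itembuy.org) should also be flagged; the parent is derived by stripping the first label rather than consulting a public-suffix list, which is a simplification.

```python
"""Match the TA-ShadowCricket indicators listed on this page against log lines.

Added example, not the page's or the report authors' code. Assumptions: the
IOC list is copied from the page's Indicators section; the log lines are
constructed; a parent-domain match (itembuy.org) is derived by stripping one
label from a listed hostname rather than using a public-suffix list.
"""
import ipaddress
import re

# Indicators copied from this page's Indicators list (hashes, IPs, hostnames).
PAGE_IOCS = """
c398ec81eb4387c4533729c457d98a7b2233438703604aa8c4985969c9f1614a
b7c53ed199ec3579179d56481e97f1abfc8c8e91099088bcccbc38426440ddb8
96e2ca06361b9e93fd4f7efc8adf9d3d542dc6d404cc6f7e220bb2c20556a6f3
5ecc72048c4ef21bdf1fb0f4f6333c9d630de0881c20db768f87b0e9a3109da3
1b65de175a60ef778f745149af1f6f5da311037d9943f2888761839a46ee842a
211.204.100.20
210.127.211.40
121.178.180.210
114.202.2.32
1.234.4.115
www.itembuy.org
irc.itembuy.org
abc.itembuy.org
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
HOST_RE = re.compile(r"^(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
# Candidate tokens in a log line: hex digests, dotted IPs and hostnames
# (DNS logs often write hostnames with a trailing dot, handled in scan_line).
TOKEN_RE = re.compile(r"[0-9a-z][0-9a-z.\-]*", re.I)


def classify(ioc: str) -> str:
    """Return 'sha256', 'ip', 'domain' or 'unknown' for one indicator string."""
    ioc = ioc.strip().lower()
    if SHA256_RE.match(ioc):
        return "sha256"
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        pass
    if HOST_RE.match(ioc):
        return "domain"
    return "unknown"


def load_iocs(text: str) -> dict:
    """Bucket a newline-separated IOC list by type and derive parent domains."""
    iocs = {"sha256": set(), "ip": set(), "domain": set(), "parent": set(), "unknown": set()}
    for line in text.splitlines():
        line = line.strip().lower()
        if line:
            iocs[classify(line)].add(line)
    # Assumption: for a listed host with three or more labels, its parent
    # (irc.itembuy.org -> itembuy.org) is treated as an indicator too, so that
    # unlisted siblings such as cdn.itembuy.org are flagged. Two-label names are
    # left alone: stripping them would leave a bare TLD and match everything.
    for host in iocs["domain"]:
        labels = host.split(".")
        if len(labels) >= 3:
            iocs["parent"].add(".".join(labels[1:]))
    return iocs


def scan_line(line: str, iocs: dict) -> list:
    """Return [(kind, matched_token), ...] for every IOC hit in one log line.

    Whole-token comparison avoids substring false positives such as
    211.204.100.200 matching the listed 211.204.100.20.
    """
    hits = []
    for raw in TOKEN_RE.findall(line):
        tok = raw.lower().rstrip(".")
        if tok in iocs["sha256"]:
            hits.append(("sha256", tok))
        elif tok in iocs["ip"]:
            hits.append(("ip", tok))
        elif tok in iocs["domain"]:
            hits.append(("domain", tok))
        elif any(tok == p or tok.endswith("." + p) for p in iocs["parent"]):
            hits.append(("parent-domain", tok))
    return hits


def scan_logs(lines, iocs: dict) -> list:
    """Return [(line_number, line, hits)] for every line with at least one hit."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = scan_line(line, iocs)
        if hits:
            results.append((n, line, hits))
    return results


# Constructed sample log lines (not real telemetry); hosts, addresses in
# 10.0.0.0/8 and the destination port are illustrative only.
SAMPLE_LOGS = [
    "2025-05-27T23:59:01Z dns client=10.0.0.15 query=irc.itembuy.org. type=A",
    "2025-05-27T23:59:07Z fw src=10.0.0.15 dst=211.204.100.20 dport=6667 action=allow",
    "2025-05-27T23:59:09Z fw src=10.0.0.16 dst=211.204.100.200 dport=443 action=allow",
    "2025-05-27T23:59:30Z edr host=SQL01 proc=sqlservr.exe file=C:\\Temp\\svc.exe "
    "sha256=C398EC81EB4387C4533729C457D98A7B2233438703604AA8C4985969C9F1614A",
    "2025-05-28T00:01:12Z dns client=10.0.0.22 query=cdn.itembuy.org. type=A",
    "2025-05-28T00:02:00Z dns client=10.0.0.23 query=www.example.com. type=A",
]

if __name__ == "__main__":
    for n, line, hits in scan_logs(SAMPLE_LOGS, load_iocs(PAGE_IOCS)):
        print(f"line {n}: {hits}")
```

Run stand-alone, the script reports four of the six constructed lines: the exact IRC hostname lookup, the connection to a listed IP, the uppercase hash in the EDR record, and the unlisted cdn.itembuy.org sibling via the parent-domain rule; the 211.204.100.200 connection and the www.example.com lookup are correctly left alone.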
Additional Information
- British Indian Ocean Territory
- India
- Taiwan
- China
- Thailand
- Indonesia
- Germany
- United States of America