Tag: shadowpad

16 Attack Reports | 0 Vulnerabilities

Attack reports

Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpa…
shadowpad
godzilla
ringq
vshell
2026-04-30
exchange server compromise
godzilla webshell
noodlerat
proxylogon exploitation
Published: April 30, 2026
Linked vulnerabilities : CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065, CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 44

Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework

Cisco Talos uncovered 'DKnife', a sophisticated gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants. Used since 2019, DKnife performs deep-packet inspection, traffic manipulation, and malware delivery via routers and edge devices. It targets various…
aitm
shadowpad
poisonplug.shadow
dns hijacking
china-nexus
darknimbus
wizardnet
traffic manipulation
2026-02-05
dknife
gateway-monitoring
Published: February 5, 2026
Downloadable IOCs: 80

ShadowRelay: New Modular Backdoor in the Public Sector

A new modular backdoor called ShadowRelay was discovered on a compromised Exchange server in a government organization. The backdoor allows loading different plugins and demonstrates sophisticated design indicative of well-prepared attackers. It uses packet injection to hide network activity and ca…
backdoor
apt
espionage
modular
government
CVE-2021-34473
shadowpad
CVE-2021-31207
CVE-2021-34523
shadowpad light
exchange
mythic agent
2026-01-23
donnect
packet injection
shadowrelay
Published: January 23, 2026
Linked vulnerabilities : CVE-2021-34473, CVE-2021-31207, CVE-2021-34523
Downloadable IOCs: 5

Targets high value telecommunications infrastructure in South Asia

UAT-7290, a sophisticated threat actor active since 2022, is targeting critical infrastructure entities in South Asia, particularly telecommunications providers. The group's arsenal includes malware families like RushDrop, DriveSwitch, SilentRaid, and Bulbature. UAT-7290 conducts extensive reconnai…
espionage
shadowpad
telecommunications
bulbature
china-nexus
2026-01-08
driveswitch
redleaves
rushdrop
silentraid
Published: January 8, 2026
Downloadable IOCs: 3

Ink Dragon's Relay Network and Stealthy Offensive Operation

Check Point Research has identified a new wave of attacks by the Chinese threat actor Ink Dragon, targeting government entities in Europe, Southeast Asia, and South America. The actor builds a victim-based relay network using a custom ShadowPad IIS Listener module, turning compromised servers into …
espionage
shadowpad
government targets
chinese threat actor
finaldraft
iis exploitation
2025-12-16
relay network
stealthy operations
Published: December 16, 2025
Downloadable IOCs: 16

Earth Entries alive and kicking

Earth Estries, a China-nexus APT actor, has launched a new campaign exploiting a recent WinRAR vulnerability. The attack chain involves multiple stages, including the use of encrypted stubs, hijacked DLLs, and fake PDFs with ADS streams. The group, known for using implants like Snappybee and Shadow…
shadowpad
winrar
snappybee
CVE-2025-8088
2025-10-28
Published: October 28, 2025
Linked vulnerabilities : CVE-2025-8088
Downloadable IOCs: 10

ToolShell Used to Compromise Telecoms Company in Middle East

China-based attackers exploited the ToolShell vulnerability (CVE-2025-53770) to compromise a Middle Eastern telecoms company and government agencies in Africa and South America. The attackers deployed malware such as Zingdoor, ShadowPad, and KrustyLoader, which have been associated with Chinese thr…
sliver
shadowpad
krustyloader
toolshell
warlock
2025-10-23
telecoms
zingdoor
Published: October 23, 2025
Downloadable IOCs: 0

Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets

The research outlines China-nexus threat actors targeting SentinelOne and other organizations between 2024 and 2025. It details intrusions into an IT services company managing SentinelOne's hardware logistics and reconnaissance of SentinelOne's servers. The attacks involved ShadowPad malware and a …
obfuscation
CVE-2024-1709
cyberespionage
backdoors
reconnaissance
shadowpad
infrastructure
CVE-2023-46747
CVE-2024-8190
CVE-2024-8963
vulnerabilities
unc5174
2025-06-10
apt15
goreshell
nailaolocker
nimbo-c2
Published: June 10, 2025
Linked vulnerabilities : CVE-2024-8190 (CVSS 7.2), CVE-2024-8963 (CVSS 9.1), CVE-2024-1709, CVE-2023-46747
Downloadable IOCs: 24

The Persistent Threat of Salt Typhoon: Tracking Exposures of Potentially Targeted Devices

Salt Typhoon, a Chinese state-sponsored threat actor, has been targeting major telecommunications providers worldwide by exploiting vulnerabilities in network devices. This analysis tracks global exposures of internet-facing devices associated with Salt Typhoon activity over six months, including S…
network devices
CVE-2024-21887
CVE-2023-46805
shadowpad
telecommunications
vulnerability exploitation
CVE-2023-48788
CVE-2022-3236
masol rat
ivanti connect secure
2025-04-26
chinese state-sponsored
CVE-2023-20198
sophos firewall
CVE-2023-20273
cisco ios xe
exposure tracking
fortinet forticlient ems
Published: April 26, 2025
Downloadable IOCs: 0

You will always remember this as the day you finally caught FamousSparrow

ESET researchers uncovered new activity by the FamousSparrow APT group, including two undocumented versions of their SparrowDoor backdoor. The group compromised a US financial sector trade group and a Mexican research institute in July 2024. The new SparrowDoor versions show significant improvement…
shadowpad
modular malware
sparrowdoor
2025-03-26
hemigate
Published: March 26, 2025
Downloadable IOCs: 12

Operation FishMedley targeting governments, NGOs, and think tanks

ESET researchers have uncovered a global espionage operation called Operation FishMedley, conducted by the FishMonger APT group, which is operated by the Chinese contractor I-SOON. The campaign targeted governments, NGOs, and think tanks across Asia, Europe, and the United States during 2022. The a…
apt
espionage
china
government
shadowpad
ngo
2025-03-21
spyder
sodamaster
think tank
i-soon
rpipecommander
Published: March 21, 2025
Downloadable IOCs: 12

Updated Shadowpad Malware Leads to Ransomware Deployment

A recent investigation revealed Shadowpad malware being used to deploy a new ransomware family in Europe. The threat actor targeted 21 companies across 15 countries, primarily in the manufacturing sector. Access was gained through remote network attacks, exploiting weak passwords and bypassing mult…
ransomware
plugx
shadowpad
impacket
manufacturing
anti-debugging
2025-02-20
dns over https
multi-factor authentication bypass
remote network attacks
intellectual property theft
cqhashdumpv2
Published: February 20, 2025
Downloadable IOCs: 0

MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur's Multi-Platform Attacks

Earth Minotaur, a threat actor targeting Tibetan and Uyghur communities, utilizes the MOONSHINE exploit kit to compromise Android devices and install the DarkNimbus backdoor. The exploit kit targets vulnerabilities in instant messaging apps, particularly WeChat, and has been updated with new exploi…
backdoor
android
shadowpad
2024-12-05
exploit kit
darknimbus
moonshine
Published: December 5, 2024
Downloadable IOCs: 0

Chinese APT Abuses VSCode to Target Government in Asia

The report details a campaign by the Chinese advanced persistent threat (APT) group Stately Taurus, which carried out cyberespionage operations against government entities in Southeast Asia. The group employed a novel technique that leveraged the reverse shell feature of Visual Studio Code to gain …
apt
exfiltration
cyberespionage
shadowpad
poisonplug.shadow
toneshell
2024-09-09
credentialtheft
reverseshell
visualstudiocode
Published: September 9, 2024
Downloadable IOCs: 17

Likely compromise of Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike

A government-affiliated Taiwanese research institute specializing in computing technologies experienced a cyber intrusion likely carried out by the Chinese hacking group APT41. The attackers employed ShadowPad malware, Cobalt Strike, and custom tools, exploiting vulnerabilities like CVE-2018-0824 f…
apt
cobalt strike
credential theft
cobaltstrike
shadowpad
data exfiltration
2024-08-02
poisonplug.shadow
CVE-2018-0824
unmarshalpwn
Published: August 2, 2024
Linked vulnerabilities : CVE-2018-0824
Downloadable IOCs: 13

China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence

python
plugx
lsass
trojan
2024-06-18
sygnia
c server
shadowpad
wmiexec
virustotal
earthworm
impacket
f5 bigip
command
f5 appliance
svchost
velvet ant
wireshark
guard
protect
Published: June 18, 2024
Downloadable IOCs: 5
Click here to see more Attack Reports