Press Release

SentinelOne has released a new in-depth study of ShadowPad, malware planted in a legitimate server management software product used by hundreds of enterprises around the world.

ShadowPad is a privately-sold modular malware platform often used by various Chinese threat activity groups, and Shadowpad activity was spotted in the March 2021 attack on Microsoft Exchange servers and India’s national power grid.

The report delves into ShadowPad’s origin, usage and ecosystem, and discusses local personas possibly involved in the development of ShadowPad as an iterative successor to PlugX.

Key findings include:

It is likely that ShadowPad is a privately sold modular malware rather than a privately shared attack framework, and the seller is likely selling each plugin separately instead of offering a full bundle with all of the currently available plugins.

The adoption of ShadowPad significantly reduces the costs of development and maintenance for threat actors. Some threat groups stopped developing their own backdoors after they gained access to ShadowPad, and ShadowPad is regularly updated with more advanced anti-detection and persistence techniques.

SentinelOne has identified at least five activity clusters of ShadowPad users since 2017: APT41, Tick & Tonto Team, Operation Redbonus, Operation Redkanku, Fishmonger. BARIUM (Rose and Zhang Haoran) was one of the earliest threat groups with access to ShadowPad. Aside from some smaller-scale attacks against the gaming industry, they were accountable for several supply chain attacks from 2017 to 2018. Some of their victims included NetSarang, ASUS, and allegedly, CCleaner.
Considering the long-term affiliation relationship between Rose and whg, Rose likely had high privilege access to – or was a co-developer of – ShadowPad, and other close affiliates in Chengdu were likely sharing resources. This could also explain why BARIUM was able to utilise a special version of ShadowPad in some of their attacks.

Another subgroup, LEAD, also used ShadowPad along with other backdoors to attack victims for both financial and espionage purposes. They were reported to attack electronic providers and consumers, universities, telecommunication, NGO and foreign governments.