ShadowPad Malware Detection: Backdoor Popular Among Chinese Clusters of Espionage Activity

ShadowPad is a modular backdoor highly popular among China-located threat actors, including such clusters of espionage activity as BRONZE UNIVERSITY, BRONZE RIVERSIDE, BRONZE STARLIGHT, and BRONZE ATLAS.

The malware is used to download further malicious payloads, opening the way to wider exploitation potential. According to the research data, the malware traces its roots back to the PlugX malware.

Detect ShadowPad Malware

To proactively defend organizations against new ShadowPad malware samples, SOC Prime has released a unique, context-enriched Sigma rule:

Possible Jetbrains Launcher Proxy Execution (via process_creation)

This detection rule is compatible with 24 market-leading security and analytics platforms and is aligned with the MITRE ATT&CK® framework v.10, addressing the Defense Evasion tactic represented by the Signed Binary Proxy Execution technique (T1218).

Experienced threat hunters would make a valuable asset to our Developers Program, where they can increase their threat hunting velocity and contribute to collaborative cyber defense together with other 23,000+ SOC professionals.

Get the full list of Sigma, Snort, and YARA rules associated with ShadowPad malware attacks by clicking the Detect & Hunt button. Threat hunters, detection engineers, and other InfoSec practitioners striving to improve the organization’s cybersecurity posture can browse a vast library of detection content items enhanced with relevant threat context by hitting the Explore Threat Context.

Detect & Hunt Explore Threat Context

ShadowPad Malware Description

ShadowPad is a sophisticated, regularly updated modular backdoor in shellcode format with a diverse set of capabilities, popular among threat actors for its cost-effectiveness. The backdoor’s each plugin contains specific functionality and is widely used by China-backed APTs to establish a long-term presence in breached environments in their espionage campaigns, adapting the malware to their current needs. The ongoing analysis of ShadowPad samples showed that the malware is a remote access trojan (RAT) that enables attackers to run arbitrary commands and download and launch next-stage payloads.

ShadowPad emerged in 2015, attracting hackers with its rich functionality, including the ability to drop and run additional payloads, communicate with a command-and-control server, modify registries, and alter the number of utilized plugins. ShadowPad, throughout its existence, was noticed in attacks of several China-linked espionage clusters, most recently in BRONZE UNIVERSITY’s campaign that overlapped with the malicious activity of the BRONZE STARLIGHT group within the same compromised network.

To stay abreast of emerging threats and enhance your hunt for signs of compromises, join the Detection as Code platform and drive immediate value from the near real-time detection content delivery accompanied by automated threat hunting and content management capabilities.