VMware Threat Analysis Unit (TAU) have uncovered 85 command-and-control (C2) servers supported by ShadowPad malware since September 2021.
ShadowPad is a modular backdoor known among China-based threat actors, including such clusters of espionage activities.
The malware can also be used to download other malicious payloads, paving the way for wider exploitation. Research data shows that the root of the malware can be traced back to the PlugX malware.
To detect 85 C2 servers, the researchers studied three ShadowPad variants that used TCP, UDP and HTTP(S) protocols for C2 communication.
VMware researchers explained that an analysis of the three ShadowPad artefacts were used by Winnti, Tonto Team, and an emerging threat cluster codenamed Space Pirates made it possible to detect the C2 servers by searching the list of open hosts generated by a tool called ZMap.
VMware also detected Spyder and ReverseWindow malware samples communicating with ShadowPad C2 IP addresses. The two malware samples are considered malicious tools used by APT41 (aka Winnti) and LuoYu. Overlaps were also observed between the Spyder sample and a worker component of the threat actor’s Winnti 4.0 trojan.
The sources for this piece include an article in TheHackerNews.