Over 80 ShadowPad malware C2 servers unmasked

VMware Threat Analysis Unit (TAU) have uncovered 85 command-and-control (C2) servers supported by ShadowPad malware since September 2021.

ShadowPad is a modular backdoor known among China-based threat actors, including such clusters of espionage activities.

The malware can also be used to download other malicious payloads, paving the way for wider exploitation. Research data shows that the root of the malware can be traced back to the PlugX malware.

To detect 85 C2 servers, the researchers studied three ShadowPad variants that used TCP, UDP and HTTP(S) protocols for C2 communication.

VMware researchers explained that an analysis of the three ShadowPad artefacts were used by Winnti, Tonto Team, and an emerging threat cluster codenamed Space Pirates made it possible to detect the C2 servers by searching the list of open hosts generated by a tool called ZMap.

VMware also detected Spyder and ReverseWindow malware samples communicating with ShadowPad C2 IP addresses. The two malware samples are considered malicious tools used by APT41 (aka Winnti) and LuoYu. Overlaps were also observed between the Spyder sample and a worker component of the threat actor’s Winnti 4.0 trojan.

The sources for this piece include an article in TheHackerNews.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web