
ShadowPad (2448a4e1-46e3-4c42-9fd1-f51f8ede58c1)

ShadowPad is a modular cyber-attack platform that attackers deploy in victim networks to gain flexible remote control capabilities. The platform is designed to run in two stages. The first stage is shellcode embedded in a trojanized copy of nssock2.dll, a legitimate library shipped with Xshell, Xmanager and other software packages produced by NetSarang, so the initial foothold arrives through the software supply chain rather than through an exploit. This stage connects to "validation" command and control (C&C) servers and retrieves configuration information, including the location of the real C&C server, which may be unique per victim. The second stage acts as an orchestrator for five main modules responsible for C&C communication, working with the DNS protocol, and loading additional plugins and injecting them into the memory of other processes.
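
As an added example (not part of this galaxy entry, and not code from Kaspersky, MISP or NetSarang), the following Python hunt turns the description above into a check over constructed DNS query logs: it looks at the NetSarang client processes the entry names (assumed binary names Xshell.exe and Xmanager.exe), ignores lookups of an assumed vendor allowlist, and flags the remaining queries when they are TXT lookups or go to high-entropy domain labels, the kind of traffic a first stage beaconing to validation C&C over DNS would produce. The log format, sample lines, domains, allowlist and entropy threshold are all assumptions made for the example.

```python
"""Added example, not from the MISP galaxy entry: a small detection pass over
constructed DNS query logs, scoped to NetSarang client processes.

Everything below the docstring that names a process, domain, log format or
threshold is a hypothetical value chosen for the example, not a vendor fact.
"""
import math
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample log, one query per line:
#   "<timestamp> <host> <process> <qtype> <domain>"
SAMPLE_LOG = """\
2017-08-15T10:02:11Z ws01 Xshell.exe A www.netsarang.com
2017-08-15T10:02:13Z ws01 Xshell.exe TXT qwtzjhmdpvlk.com
2017-08-15T10:03:40Z ws01 chrome.exe TXT qwtzjhmdpvlk.com
2017-08-15T10:05:02Z ws02 Xmanager.exe A update.netsarang.com
2017-08-15T10:05:05Z ws02 Xmanager.exe TXT fjkqzlpbdnvw.com
2017-08-15T10:06:00Z ws03 Xshell.exe A intranet.example
"""

# Hypothetical: client binaries of the affected NetSarang products.
WATCHED_PROCESSES = {"xshell.exe", "xmanager.exe"}
# Hypothetical allowlist of domains those clients are expected to contact.
ALLOWED_SUFFIXES = {"netsarang.com"}
# Bits per character; tuned on the constructed sample, not a vendor number.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registrable_label(domain: str) -> str:
    """Second-to-last DNS label, e.g. 'netsarang' for 'www.netsarang.com'.
    Deliberately naive: no public-suffix handling (co.uk and friends)."""
    labels = domain.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def is_allowed(domain: str) -> bool:
    """Dot-boundary suffix match, so 'evilnetsarang.com' and
    'netsarang.com.evil.example' are NOT treated as vendor traffic."""
    d = domain.rstrip(".").lower()
    return any(d == s or d.endswith("." + s) for s in ALLOWED_SUFFIXES)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line; returns None for lines not in the sample format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, host, proc, qtype, domain = parts
    return {"ts": ts, "host": host, "process": proc.lower(),
            "qtype": qtype.upper(), "domain": domain.lower()}


def classify(event: Dict[str, str]) -> Optional[str]:
    """Reason string if the query looks like validation-C&C beaconing from a
    watched client, otherwise None."""
    if event["process"] not in WATCHED_PROCESSES:
        return None
    if is_allowed(event["domain"]):
        return None
    reasons = []
    if event["qtype"] == "TXT":
        reasons.append("TXT query from a NetSarang client")
    ent = shannon_entropy(registrable_label(event["domain"]))
    if ent >= ENTROPY_THRESHOLD:
        reasons.append(f"high-entropy label ({ent:.2f} bits/char)")
    return "; ".join(reasons) or None


def find_suspicious(log_text: str) -> List[Tuple[str, str]]:
    """(domain, reason) for every suspicious line, in log order."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        reason = classify(event)
        if reason:
            hits.append((event["domain"], reason))
    return hits


if __name__ == "__main__":
    for domain, reason in find_suspicious(SAMPLE_LOG):
        print(f"{domain}: {reason}")
```

On the constructed sample this reports the two TXT lookups to twelve-letter random labels and nothing else: the allowlisted vendor domains pass, the low-entropy A query to `intranet.example` passes, and the browser's TXT query is out of scope because the hunt is keyed on the NetSarang processes. Two design choices matter in practice: the allowlist match is anchored on a dot boundary so that look-alike domains cannot hide behind the vendor suffix, and the label extraction is intentionally naive, so a real deployment should swap in a public-suffix list and baseline each watched process's normal destinations before trusting the entropy signal.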

Related clusters. Level is the number of relationship hops from ShadowPad: 1 = linked directly to this cluster, 2 = linked through Earth Lusca, 3 = linked through Cobalt Strike.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| ShadowPad (2448a4e1-46e3-4c42-9fd1-f51f8ede58c1) | Tool | ShadowPad (e089e945-a523-4d11-a135-396f9b6c1dc7) | Malpedia | 1 |
| ShadowPad (2448a4e1-46e3-4c42-9fd1-f51f8ede58c1) | Tool | Earth Lusca (39150b30-61af-4d9c-9682-1595e145f3c1) | Threat Actor | 1 |
| Charcoal Typhoon (3f8b7c98-7484-523f-9d58-181274e6fc8f) | Microsoft Activity Group actor | Earth Lusca (39150b30-61af-4d9c-9682-1595e145f3c1) | Threat Actor | 2 |
| Earth Lusca (39150b30-61af-4d9c-9682-1595e145f3c1) | Threat Actor | BIOPASS (74c3ad69-1b71-4c26-a542-b25318e8d27c) | RAT | 2 |
| FishMedley (f0e7f369-a67d-4361-9710-9987bb306e92) | Threat Actor | Earth Lusca (39150b30-61af-4d9c-9682-1595e145f3c1) | Threat Actor | 2 |
| Earth Lusca (39150b30-61af-4d9c-9682-1595e145f3c1) | Threat Actor | Spyder (f6b1560d-ec3d-498a-aec0-6e27e9ff5d42) | Tool | 2 |
| FunnySwitch (144f9fa1-f625-47ec-afde-bf8cedf6e949) | Tool | Earth Lusca (39150b30-61af-4d9c-9682-1595e145f3c1) | Threat Actor | 2 |
| SprySOCKS (a7794449-0c91-4362-835a-fa39be515e20) | Tool | Earth Lusca (39150b30-61af-4d9c-9682-1595e145f3c1) | Threat Actor | 2 |
| Cobalt Strike (ca44dd5e-fd9e-48b5-99cb-0b2629b9265f) | RAT | Earth Lusca (39150b30-61af-4d9c-9682-1595e145f3c1) | Threat Actor | 2 |
| Earth Lusca (39150b30-61af-4d9c-9682-1595e145f3c1) | Threat Actor | I-Soon (3b5a049a-aa88-4550-89b6-aae31e312a8c) | Surveillance Vendor | 2 |
| Cobalt Strike (ca44dd5e-fd9e-48b5-99cb-0b2629b9265f) | RAT | Cobalt Strike (1a1d3ea4-972e-4c48-8d85-08d9db8f1550) | Malpedia | 3 |
| Cobalt Strike (ca44dd5e-fd9e-48b5-99cb-0b2629b9265f) | RAT | Private Cluster (aafea02e-ece5-4bb2-91a6-3bf8c7f38a39) | Unknown | 3 |
| Cobalt Strike (ca44dd5e-fd9e-48b5-99cb-0b2629b9265f) | RAT | Private Cluster (3da22160-12d9-4d27-a99f-338e8de3844a) | Unknown | 3 |