SHADOWPAD: A MASTERPIECE OF PRIVATELY SOLD MALWARE IN CHINESE ESPIONAGE
Common Information
Type Value
UUID e0166df9-30b9-4dd2-ba2a-cdb550cfdcfc
Fingerprint aa8354ab1281f6b2bbee15014eb86b7d370ec25c92f415e3e677fa8cbe6bdc92
Analysis status DONE
Considered CTI value 2
Text language
Published Aug. 12, 2021, 2:52 p.m.
Added to db April 14, 2024, 8:18 a.m.
Last updated Aug. 31, 2024, 1:58 a.m.
Headline SHADOWPAD: A MASTERPIECE OF PRIVATELY SOLD MALWARE IN CHINESE ESPIONAGE
Title SHADOWPAD: A MASTERPIECE OF PRIVATELY SOLD MALWARE IN CHINESE ESPIONAGE
Detected Hints/Tags/Attributes 134/3/73
Attributes
Details Type #Events CTI Value
Details CVE 6
cve-2019-9489
Details CVE 10
cve-2020-8468
Details Domain 177
blog.trendmicro.com
Details Domain 3
st.drweb.com
Details Domain 19
cybersecurity.att.com
Details Domain 403
securelist.com
Details Domain 105
web.archive.org
Details Domain 2
www.hackbase.com
Details Domain 111
www.justice.gov
Details Domain 2
www.mghacker.com
Details Domain 202
krebsonsecurity.com
Details Domain 1
www.ncph.net
Details Domain 1
www.51wendang.com
Details Domain 262
www.welivesecurity.com
Details Domain 25
content.fireeye.com
Details Domain 53
blog.avast.com
Details Domain 641
nvd.nist.gov
Details Domain 7
hello.global.ntt
Details Domain 604
www.trendmicro.com
Details Domain 768
www.youtube.com
Details Domain 98
www.secureworks.com
Details Domain 4127
github.com
Details Domain 15
labs.sentinelone.com
Details File 1
apt_backdoor_and_its_relation_to_plugx_en.pdf
Details File 1
24948.html
Details File 1
blogview.asp
Details File 1
wickedrose_andncph.pdf
Details File 2
news_view.asp
Details File 1
yewul.htm
Details File 1
operation-endtrade-finding-multi-stage-backdoors-that-tick.html
Details File 5
vb2020.vb
Details File 1
kazakhstan_and_kyrgyzstan_en.pdf
Details File 3
1_en.pdf
Details File 1
winnti-group.pdf
Details File 1
victims-via-live-streaming.html
Details Github username 4
sentinelabs
Details sha1 2
b41948daacd4c081a58a14aa51c37af21738447b
Details sha1 1
9f9d96e99cef99cbfe8d02899919a7f7220f2273
Details sha1 1
2e6ef72d05b395224a03a73a50eaee1c9dc68297
Details Pdb 2
sosvr.pdb
Details Threat Actor Identifier - APT 522
APT41
Details Url 1
https://blog.trendmicro.com/trendlabs-security-intelligence/plugx-new-tool-for-a-not-
Details Url 1
https://st.drweb.com/static/new-www/news/2020/october/study_of_the_shadowpad_
Details Url 4
https://cybersecurity.att.com/blogs/labs-research/tracking-down-the-author-of-the-plugx-rat
Details Url 4
https://securelist.com/winnti-more-than-just-a-game/37029
Details Url 1
https://securelist.com/winnti-returns-with-plugx/66960
Details Url 1
https://web.archive.org/web/20090925075518/http:/www.hackbase.com:80
Details Url 1
https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-
Details Url 1
https://web.archive.org/web/20060906223841/http:/www.mghacker.com:80
Details Url 1
https://krebsonsecurity.com/wp-content/uploads/2012/11/wickedrose_andncph.pdf
Details Url 1
https://web.archive.org/web/20070519130046if_/http://www.ncph.net/newncph
Details Url 1
https://www.51wendang.com/doc/02e6c3141d94fc4bd07015c0
Details Url 1
https://web.archive.org/web/20060614163159/http://www.ncph.net/yewul.htm
Details Url 2
https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia
Details Url 5
https://securelist.com/shadowpad-in-corporate-networks/81432
Details Url 1
https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-
Details Url 4
https://content.fireeye.com/apt-41/rpt-apt41
Details Url 1
https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-
Details Url 1
https://www.trendmicro.com/en_us/research/19/k/operation-endtrade-finding-multi-stage-backdoors-that-tick.html
Details Url 1
https://nvd.nist.gov/vuln/detail/cve-2019-9489
Details Url 1
https://nvd.nist.gov/vuln/detail/cve-2020-8468
Details Url 1
https://vb2020.vblocalhost.com/conference/presentations/tonto-team-exploring-the-ttps-of-an-advanced-threat-
Details Url 1
https://st.drweb.com/static/new-www/news/2020/july/study_of_the_apt_attacks_on_state_institutions_in_
Details Url 3
https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups
Details Url 1
https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-
Details Url 2
https://st.drweb.com/static/new-www/news/2021/march/backdoor.spyder.1_en.pdf
Details Url 1
https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-
Details Url 1
https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-
Details Url 4
https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop
Details Url 1
https://www.youtube.com/watch?v=ycwyc6sctys&t=1347s
Details Url 1
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
Details Url 1
https://github.com/sentinelabs/shadowpad
Details Url 4
https://labs.sentinelone.com