© 2021 SentinelOne. All Rights Reserved.

ShadowPad:
the Masterpiece of Privately Sold Malware 
in Chinese Espionage

Yi-Jhen Hsieh, Joey Chen



© 2021 SentinelOne. All Rights Reserved.© 2021 SentinelOne. All Rights Reserved.

Yi-Jhen Hsieh
Threat Intelligence Researcher @SentinelOne

Joey Chen
Threat Intelligence Researcher @SentinelOne



© 2021 SentinelOne. All Rights Reserved.

Outline
▪ From PlugX to ShadowPad: the history
▪ Technical overview
▪ The business model of ShadowPad
▪ Which threat actors are using ShadowPad?
▪ Landscape shift: from developing backdoors to acquiring backdoors
▪ Mitigation advice



© 2021 SentinelOne. All Rights Reserved.

From PlugX to 
ShadowPad:
the history



© 2021 SentinelOne. All Rights Reserved.

What is ShadowPad?
▪ A modular backdoor in shellcode format.
▪ The plugins can be plugged or unplugged remotely during runtime.

▪ It is used in several well-known campaigns as the primary backdoor for intrusion.



© 2021 SentinelOne. All Rights Reserved.

Which threat actors are using ShadowPad?

WINNTI/APT41

Operation Redbonus

Tick and Tonto Team

Operation Redkanku

Fishmonger

LuckyMouse

Tropic Trooper

CCleaner

ShadowHammer NetSarang
JP JAXA



© 2021 SentinelOne. All Rights Reserved.

ShadowPad: A successor to PlugX?

7

ShadowPad PlugX

Shellcode Yes Yes

Plugin-based Yes Yes

Remote plugin 
management Yes No

Distribution Privately shared Widely used



© 2021 SentinelOne. All Rights Reserved.

ShadowPad: A successor to PlugX? (cont.)

8

▪ The relationship between ShadowPad and PlugX
– Comparisons on their codes have been discussed[1]
– They share the same project name “SC” according to the PDB strings of their controllers

• PlugX Controller: D:\My2014\SController(5.6)(天道)(匙)\SC\
• ShadowPad Controller: X:\My2015\SC(1.1)\x64\Release\SoSvr.pdb 

[1] https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf



© 2021 SentinelOne. All Rights Reserved.

The alleged author of PlugX: whg

9

▪ whg aka 无花果, based in the Sichuan province of China
▪ His nickname was found in some of the PlugX samples[2]:

– C:\Documents and Settings\whg\桌面\Plug\FastGui(LYT)\Shell\Release\Shell.pdb
– C:\Users\whg\Desktop\Plug\FastGui(LYT)\Shell\Release\Shell.pdb

▪ He had a solid track record of developing backdoors and hacking tools, while he claimed 
to sell some “shared software”.
– Also, he had deep connection with Rose, 

one of the threat actors in APT41.

[2] https://cybersecurity.att.com/blogs/labs-research/tracking-down-the-author-of-the-plugx-rat



© 2021 SentinelOne. All Rights Reserved.

Technical overview



© 2021 SentinelOne. All Rights Reserved.

The modular design

11



© 2021 SentinelOne. All Rights Reserved.

The shellcode loader

12



© 2021 SentinelOne. All Rights Reserved.

The plugins

13

▪ Every plugin is decrypted, loaded into memory, and referenced in a LinkedList.
▪ Additional plugins could be uploaded from the C&C servers.

struct plugin_node {

plugin_node* previous_node;

plugin_node* next_node;

DWORD referenced_count;

DWORD plugin_timestamp;

DWORD plugin_id;

DWORD field_0;

DWORD field_1;

DWORD field_2;

DWORD field_3;

DWORD plugin_size;

LPVOID plugin_base_addr;

LPVOID plugin_export_function_table_addr;

}



© 2021 SentinelOne. All Rights Reserved.

The start function of a plugin

14

▪ 0x01: Setup the export function table of the plugin
▪ 0x64: Setup the plugin
▪ 0x66: Return the plugin ID
▪ 0x67: Return the plugin name
▪ 0x68: Return the address of the export function table



© 2021 SentinelOne. All Rights Reserved.

22 unique plugins

15

Basic Set

• Root
• Plugins
• Config
• Install
• Online
• TCP
• HTTP
• UDP
• DNS

Utilities

• ImpUser
• PIPE
• Disk
• Process
• Servcie
• Register
• Shell
• PortMap
• Keylogger

• Screen
• Software
• Hardware
• RecentFiles



© 2021 SentinelOne. All Rights Reserved.

The configuration

16

Offset Data Type Column
0x00 WORD offset_product_key
0x02 WORD offset_note
0x04 WORD offset_binary_path
0x06 WORD offset_service_name (default: MyTest)
0x08 WORD offset_service_display_name (default: MyTest)
0x0A WORD offset_service_description (default: MyTest)
0x0C WORD offset_registry_key
0x0E WORD offset_registry_value
0x10 - 0x17 WORD offset_process_spawn_and_inject 1-4
0x18 - 0x37 WORD offset_c2 1-16
0x38 - 0x3F WORD offset_proxy_type 1-4
0x40 - 0x4F DWORD DNS 1-4
0x50 DWORD timeout_multiplier



© 2021 SentinelOne. All Rights Reserved.

New version: the infection chain

17

log.exe
legitimate executable

log.dll
obfuscated loader

log.dat
encrypted payload

DLL side-loading reads and decrypts

▪ First found in 2020 by PT security[3]

[3] https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/#id6



© 2021 SentinelOne. All Rights Reserved.

New version, more obfuscation

18

▪ First found in 2020 by PT security[3]

▪ The control flow is flattened by instruction



© 2021 SentinelOne. All Rights Reserved.

The configuration of the new version

19

Offset Data Type Column
0x00 WORD offset_date (product key)
0x02 WORD offset_note
0x04 WORD offset_install_directory
0x06 WORD offset_executable_name
0x08 WORD offset_loader_name
0x0A WORD offset_payload_name
0x0C WORD offset_service_name
0x0E WORD offset_service_display_name
0x10 WORD offset_service_description
0x12 WORD offset_reg_key
0x14 WORD offset_reg_value
0x16 - 0x1D WORD offset_process_spawn_and_inject 1-4
0x1E - 0x4F WORD offset_c2 1-16
0x50 - 0x57 WORD offset_proxy_type 1-4
0x58 - 0x67 DWORD DNS 1-4
0x68 DWORD timeout_multiplier



© 2021 SentinelOne. All Rights Reserved.

The controller

20

▪ Version 1.0, 2015
▪ Written in Delphi
▪ All-in-one: 

builder + C&C listener



© 2021 SentinelOne. All Rights Reserved.

The management console

21

▪ Default plugins v.s. uploaded plugins
▪ The control pages of the plugins are fixed



© 2021 SentinelOne. All Rights Reserved.

The builder

22

▪ Campaign code
▪ Notes
▪ Anti-debugger settings
▪ Installation settings 

(service and registry)
▪ Process injection settings
▪ C&C servers
▪ Connection modes



© 2021 SentinelOne. All Rights Reserved.

The business model 
of ShadowPad



© 2021 SentinelOne. All Rights Reserved.

How flexible is the controller?

24

▪ The plugins are place in a directory.
▪ In theory, you can upload any plugin within the 

correct format.



© 2021 SentinelOne. All Rights Reserved.

How flexible is the controller?

25

▪ … but the user cannot interact with 
the plugins without an interface
– The interfaces are hardcoded in the 

controller
– No options to add a new interface



© 2021 SentinelOne. All Rights Reserved.

A piece of sold malware with extendibility

26

▪ ShadowPad is not extendible by the users except the original developer.
– Not originally designed as a framework.

▪ The developer can remove a plugin from the package easily.
– Just remove the plugins from the directory.



© 2021 SentinelOne. All Rights Reserved.

Selling the plugins separately

27

Basic set: Root, Plugins, Config, Install, Online, TCP, HTTP, UDP, DNS



© 2021 SentinelOne. All Rights Reserved.

Selling the plugins separately

28

A special version: packed by VMProtect, different plugin IDs 



© 2021 SentinelOne. All Rights Reserved.

Selling the plugins separately

29

With utility plugins embedded



© 2021 SentinelOne. All Rights Reserved.

Selling the plugins separately (cont.)

30

▪ Most of the samples do not have utility plugins embedded in them.
– Need to upload other plugins remotely through the controllers.
– The plugins are placed in the directory:

easy to be removed from a package

▪ Tick – an active user of ShadowPad – developed a tool with the same functionality of the 
plugin “Software” in an overlapped timeframe.
– Tick did not have access to that plugin while it was already available

▪ The plugins should be provided separately.
– Not given in a full bundle.



© 2021 SentinelOne. All Rights Reserved.

The business model of ShadowPad

31

▪ ShadowPad is a sold malware.
▪ The plugins need to be acquired separately.
▪ It is only sold to a limited set of users.

▪ Why is ShadowPad a good choice for the attackers:
– The cost to develop a stable backdoor/RAT is high.
– The plugins (functionalities) are complete, and the attackers can choose which they want.

• ShadowPad was the primary backdoor for long-term espionage in several campaigns.
– The use of a shared backdoor reduces the chance to be attributed.



© 2021 SentinelOne. All Rights Reserved.

Which threat actors 
are using 
ShadowPad?



© 2021 SentinelOne. All Rights Reserved.

Which threat actors are using ShadowPad?

WINNTI/APT41

Tick and Tonto Team

Operation Redbonus

33

Operation Redkanku

Fishmonger

LuckyMouse

Tropic Trooper



© 2021 SentinelOne. All Rights Reserved.

WINNTI/APT41

34

Two sub-groups of WINNTI/APT41

§ BARIUM (Tan Dailin aka Rose 
and Zhang Haoran)
– Against the gaming industry and several 

supply chain attacks, e.g., NetSarang, 
ASUS, and allegedly, CCleaner

§ LEAD (Chengdu 404 
Network Technology Co., Ltd)
– Attack for financial and 

espionage purposes



© 2021 SentinelOne. All Rights Reserved. 35

A hacking group that developed lots of 
tools and freely shared on NCPH 
websites

▪ They also declared that the source 
code was on sale

▪ Rose and whg have collaboration on 
malware development since 2006

What is NCPH

Rose likely had high privilege access – or 
was a co-developer – to ShadowPad



© 2021 SentinelOne. All Rights Reserved.

Tick and Tonto Team

36

▪ Two groups amalgamated into a new 
institution during the reorganization of PLA

▪ Started to use ShadowPad as their primary
backdoor for conducting intrusion

▪ TICK
– Sent spear phishing emails to deliver 

ShadowPad
▪ Tonto Team

– Exploited CVE-2019-9489 and CVE-2020-8468 
in Trend Micro’s security solutions to deliver 
ShadowPad



© 2021 SentinelOne. All Rights Reserved.

Customized tools for intrusion

37

Customized tools
▪ Modified mimikatz
▪ Screen capture tool
▪ Packet transmission tool
▪ Tool to list the software installed on a computer

– ShadowPad has a plugin with the same functionality
▪ VBScript command executor tool

– Generate a payload of VBScript
– Bypass TrendMicro products



© 2021 SentinelOne. All Rights Reserved.© 2021 SentinelOne. All Rights Reserved. 38

Operation Redbonus
§ Against Indian country

§ Other backdoors in use, such 
as Whitebird, IceFog and a 
customized instance of PCShare



© 2021 SentinelOne. All Rights Reserved.© 2021 SentinelOne. All Rights Reserved.

Operation Redkanku
§ All of the C&C servers had a

self-signed certificate

§ Some related samples were
documented to be a part of t
he ProxyLogon attacks



© 2021 SentinelOne. All Rights Reserved.© 2021 SentinelOne. All Rights Reserved.

Fishmonger
§ New version of ShadowPad which had

updates and more 
advanced obfuscation techniques

§ They are interested in COVID-
19 research in Hong Kong, Taiwan,
India and the US.

§ ShadowPad and Spyder
as their primary backdoors for
long-term monitoring

§ A self-signed certificate is installed 
on several C&C servers of 
ShadowPad and Spyder



© 2021 SentinelOne. All Rights Reserved.

Landscape shift



© 2021 SentinelOne. All Rights Reserved.

From developing backdoors to acquiring backdoors

42

▪ Past
– Chinese threat actors develop their own tool sets based on their needs during operations

▪ Now
– The popularity of malware such as ShadowPad and CobaltStrike among Chinese espionage 

groups
– Here is an example about Tick's timeline of backdoor



© 2021 SentinelOne. All Rights Reserved.

The benfit of acquiring backdoors

43

▪ Lower the cost
– Reduces the cost of a well-designed piece of malware
– Reduces the human resource to develop the malware in-house

▪ Keeps enhancing the stability and usability
– The service provider will provide newest version of the backdoor with new features added
– Unlike much of the commodity malware found in cybercriminal circles or underground forums



© 2021 SentinelOne. All Rights Reserved.

Mitigation advice



© 2021 SentinelOne. All Rights Reserved.

Mitigation advice for ShadowPad

45

▪ Audit the services and the registries to find any suspicious items

▪ Monitor dynamic behaviors of “spawning a new process” and “process injection”

▪ Apply memory forensics periodically to identify malware which resides in-memory

▪ Adopt an Endpoint Detection and Response (EDR) solution across your organization

▪ A well consolidated monitoring capability provides visibility into cyber threats



© 2021 SentinelOne. All Rights Reserved.

Conclusion 



© 2021 SentinelOne. All Rights Reserved.

Conclusion

47

▪ Why do the actors choose to use ShadowPad?
– Experienced developers to develop something much better with active updates
– Reducing the cost of operation and development
– Harder for security company to do further research

▪ Why ShadowPad is not disappearing?
– Still under updates with more advanced obfuscation and persistence techniques
– A powerful backdoor with more functionalities so good for long-term espionage operations and

keep stealthy under the radar
▪ How ShadowPad affect threat intelligence?

– Need to develop more systematic ways for attribution



© 2021 SentinelOne. All Rights Reserved.

sentinelone.com

Thank You