{
	"id": "84b7e465-2cbf-4679-987f-fecdc613ce78",
	"created_at": "2026-04-06T03:36:52.883353Z",
	"updated_at": "2026-04-10T03:33:57.080543Z",
	"deleted_at": null,
	"sha1_hash": "2f6ebd7fd80e3c9cdc3d6f95db081fe0d58daf07",
	"title": "ShadowPad: new activity from the Winnti group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2642419,
	"plain_text": "ShadowPad: new activity from the Winnti group\r\nBy Positive Technologies\r\nPublished: 2024-08-19 · Archived: 2026-04-06 03:21:07 UTC\r\nContents\r\nIntroduction\r\nNetwork infrastructure\r\nDetecting ShadowPad\r\nLinks to other groups\r\nTA459\r\nBisonal\r\nVictims\r\nActivity\r\nAnalysis of malware and tools\r\nAnalyzing SkinnyD\r\nAnalyzing xDII\r\nDropper\r\nxDll backdoor\r\nShadowPad\r\nShadowPad loader and obfuscation\r\nShadowPad modules\r\nShadowPad configuration\r\nNetwork protocol\r\nPython backdoor\r\nUtilities\r\nConclusion\r\nIntroduction\r\nDuring threat research in March 20201, PT Expert Security Center specialists found a previously unknown backdoor and\r\nnamed it xDll, based on the original name found in the code. As a result of a configuration flaw of the malware's command\r\nand control (C2) server, some server directories were externally accessible. The following new samples were found on the\r\nserver:\r\nShadowPad\r\nA previously unknown Python backdoor\r\nUtility for progressing the attack\r\nEncrypted xDII backdoor\r\nShadowPad is used by Winnti (APT41, BARIUM, AXIOM), a group that has been active since at least 2012. This state-sponsored group originates from China2\r\n. The key interests of the group are espionage and financial gain. Their core toolkit\r\nconsists of malware of their own making. Winnti uses complex attack methods, including supply chain and watering hole\r\nattacks. The group knows exactly who their victims are. They develop attacks very carefully and deploy their primary tools\r\nonly after detailed reconnaissance of the infected system. The group attacks countries all over the world: Russia, the United\r\nStates, Japan, South Korea, Germany, Mongolia, Belarus, India, and Brazil. 
The group tends to attack the following\r\nindustries:\r\nGaming\r\nSoftware development\r\nAerospace\r\nEnergy\r\nPharmaceuticals\r\nFinance\r\nTelecom\r\nConstruction\r\nEducation\r\nThe first attack with ShadowPad was recorded in 2017.[3] This backdoor has often been used in supply chain attacks such as\r\nthe CCleaner[4] and ASUS[5] hacks. ESET released its most recent report about Winnti activities involving ShadowPad in\r\nJanuary 2020.[6] We didn't find any connection with the current infrastructure. However, during research we found that the\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/shadowpad-new-activity-from-the-winnti-group/\r\nPage 1 of 26\n\nnew ShadowPad infrastructure had commonalities with infrastructures of other groups, which may mean that Winnti was\r\ninvolved in other attacks with previously unknown organizers and perpetrators.\r\nThis report contains a detailed analysis of the new network infrastructure related to ShadowPad, new samples of malware\r\nfrom the Winnti group, and also analysis of ties to other attacks possibly associated with the group.\r\n1. Network infrastructure\r\n1.1. Detecting ShadowPad\r\nInitially, when the xDll backdoor was analyzed (see Section 2.2), it could not be clearly tied to any APT group. The sample\r\nhad a very interesting C2 server, www.g00gle_jp.dynamic-dns[.]net, which potentially could indicate attacks against Japan.\r\nWhen we studied the network infrastructure and searched for similar samples, we found several domains with similar\r\nnames.\r\nFigure 1. Network infrastructure of the Winnti group at the initial stage of analysis\r\nThe domain names give reason to suspect that attacks also target South Korea, Mongolia, Russia, and the United States.\r\nWhen we studied the infrastructure further, we found several simple downloaders unfamiliar to us (see Section 2.1). They\r\ncontact related C2 servers, and in the response should receive an XOR-encrypted payload with key 0x37. 
The downloader we\r\nfound was named SkinnyD (Skinny Downloader) for its small size and bare-bones functionality. The URL structure and\r\nsome strings in SkinnyD make it very similar to the xDll backdoor.\r\nAt first, we could not obtain the payload for SkinnyD, because all C2 servers were inactive. But after a while, we found new\r\nsamples of the xDll backdoor. When we analyzed one of the samples, we found some public directories on its C2 server.\r\nThe file called x.jpg is an xDll backdoor encrypted with XOR with key 0x37. This suggests that xDll is a payload for\r\nSkinnyD.\r\nFigure 2. Structure of public directories on the discovered C2 server\r\nThe most interesting thing on the server is the contents of the \"cache\" directory.\r\nFigure 3. Contents of the \"cache\" directory\r\nIt contains data about the victims and the malware downloaded to infected computers. The name of the victim file contains\r\nan MD5 hash of the MAC address for the infected computer sent by xDll; the file contents include the time of the last\r\nconnection to the C2 server. Based on the changes in the second part of the name of the malware file, server time might\r\nseem to be indicated in nanoseconds. But that cannot be true, since that would take us back all the way to March 1990.\r\nUltimately, we don't know why this time period was selected.\r\nIn the malware files, we found ShadowPad, a previously unknown Python backdoor, and utilities for progressing the attack.\r\nDetailed analysis of the malware and utilities is provided in Section 2.\r\nAt certain intervals, the attackers request information from infected computers via the xDll backdoor. This information is\r\nsaved to the file list.gif.\r\nWe should note that in the xDll samples we have, the Domain field contains the name of the domain where the infected\r\ncomputer is located. 
However, in the log that field for almost all computers contains the SID of the user whose name was\r\nused to launch xDll. That may be an error in the code of a certain xDll version, because this value does not provide any\r\nuseful information to the attackers.\r\nFigure 4. Example of lines from the log (for a detailed description of parameter values, see the xDll analysis)\r\nGoing deeper into the network infrastructure, we found that many servers have the same chain of SSL certificates with the\r\nfollowing parameters:\r\nRoot: C=CN, ST=myprovince, L=mycity, O=myorganization, OU=mygroup, CN=myCA,\r\nSHA1=0a71519f5549b21510410cdf4a85701489676ddb\r\nBase: C=CN, ST=myprovince, L=mycity, O=myorganization, OU=mygroup, CN=myServer,\r\nSHA1=2d2d79c478e92a7de25e661ff1a68de0833b9d9b\r\nFigure 5. Parameters of the SSL certificate\r\nWe have encountered this certificate in several publications about ShadowPad attacks.\r\nThe first one is an investigation of the 2017 attack on CCleaner. Avast has provided details[7] regarding the attack. A\r\nscreenshot, included there, shows the same certificate.\r\nThe second is a talk by FireEye researchers at Code Blue 2019 about cyberattacks against Japanese targets.[8] In one of the\r\nattacks, the researchers found the use of POISONPLUG (the name for ShadowPad used by FireEye). Analysis of the\r\ninfrastructure revealed the same certificate on ShadowPad C2 servers.\r\nFigure 6. 
Slide from the FireEye presentation\r\nSearching for servers with this certificate helped us not only detect new ShadowPad samples and C2 servers, but also find\r\nconnections to other attacks previously not attributed to Winnti (see Section 1.2).\r\nAs a result, we found over 150 IP addresses with this certificate, or addresses where it had been installed previously. Of\r\nthese, 24 addresses were active at the time of writing of this article. There were also 147 domains related to those addresses.\r\nFor these domains, we found Winnti malware.\r\nDuring our research, the group's domains relocated from one IP address to another many times, which is indicative of active\r\nattack operations.\r\nHowever, the motive for using the same SSL certificate on almost all ShadowPad C2 servers was not clear. This may be the\r\nresult of having the same system image installed on the C2 servers, or else simple overconfidence.\r\nWe saw the same thing with certificates when researching the activity of the TaskMasters[9] group. At some point, the\r\nattackers started installing self-signed certificates with identical metadata on their servers, which ultimately helped us in\r\nfinding their infrastructure.\r\nThe following figure shows the distribution of detected IP addresses by location:\r\nFigure 7. Geolocation of C2 servers\r\nAbout half of the group's servers are located in Hong Kong. The IP addresses are distributed across 45 unique providers.\r\nMore than half of the servers are concentrated on the IP addresses of six providers, five of which are in Asia (Hong Kong,\r\nChina, and South Korea).\r\n1.2. Links to other groups\r\n1.2.1. TA459\r\nIn 2017, Proofpoint issued a report about attacks against targets in Russia and Belarus using ZeroT and PlugX.[10] The report\r\nmentions the domain yandax[.]net, which was indirectly related to the infrastructure used in that attack. The domain was on\r\nthe same IP address as one of the PlugX servers. 
WHOIS data of that domain looks as follows:\r\nFigure 8. Registrant lookup for the domain yandax[.]net\r\nIn the past few years, the email address dophfg@yahoo[.]com has been used to register several more domains.\r\nFigure 9. Domains with similar WHOIS data\r\nIn our study of ShadowPad infrastructure, we came across active servers linked to two domains from the group:\r\nwww.ertufg[.]com and www.ncdle[.]net. Those servers also had the SSL certificate typical of ShadowPad. In addition, we\r\nfound ShadowPad samples connecting to those domains. One of the samples had a rather old compilation date, July 2017.\r\nHowever, this time is probably not accurate, because the C2 server for it was registered in August 2018. It can also disguise\r\nitself as a Bluetooth Stack component for Windows by Toshiba named TosBtKbd.dll.\r\nFigure 10. Structure of domains related to ShadowPad\r\nHere we can make another inference. The domain yandax[.]net initially had a different email address in its WHOIS data:\r\nfjknge@yahoo[.]com. The same address was also used to register one of the NetTraveler C2 servers, namely, riaru[.]net.\r\nThat domain was used for attacks targeting the CIS and Europe. These attacks have been described by Proofpoint\r\nresearchers.[11] It is also possible that the infrastructure was used by some other group to disguise its activities. However, the\r\nscope, targeted countries, and industries all overlap with those of the Winnti group. The connections are indirect and\r\nindividual in nature, but still provide reason to believe that all these attacks were carried out by the same group.\r\n1.2.2. 
Bisonal\r\nOn one of the IP addresses in the ShadowPad infrastructure, we found domains used in Bisonal RAT attacks in 2015–2020.\r\nFigure 11. ShadowPad and Bisonal domains sharing an IP address\r\nIn addition, we found a Bisonal sample with a direct relationship to the new ShadowPad infrastructure.\r\nFigure 12. Bisonal and ShadowPad infrastructure\r\nWe came across a presentation[12] made at JSAC 2020 by Hajime Takai, a Japanese researcher with NTT Security.\r\nThe researcher details an attack on Japanese systems, in which the chain included xDll for downloading Bisonal to\r\nthe infected computer.\r\nFigure 13. Slide from Hajime Takai's research\r\nTakai links the attack to the Bitter Biscuit campaign described by Unit 42.[13] Bisonal was used in that attack, too. The\r\nattack tools found by Takai are almost completely identical to the ones we found on the ShadowPad server. Even\r\nsome hash sums are identical (see Section 2).\r\nResearchers believe[14] that the Bisonal attacks were performed by Tonto Team. The group concentrates its efforts on\r\nthree countries: Russia, South Korea, and Japan. Its targets include governmental entities, militaries, finance, and\r\nindustry. All these fall within the area of interests of the Winnti group. And with the new details about Bisonal used\r\ntogether with xDll, plus overlapping network infrastructures, it stands to reason that the Winnti group is behind the\r\nBisonal attacks.\r\n1.3. Victims\r\nAccording to the server data, more than 50 computers had been infected. We could not establish the exact location and\r\nindustry for every infected computer. However, if we match the time of the latest connection of the infected computer to the\r\nserver and the time we received the file with this timestamp, we can make a map of the timezones.\r\nFigure 14. 
Map with victims' timezones\r\nMost countries located in the timezones marked on the map are within the area of interest of Winnti.\r\nWe were able to identify some of the compromised organizations, including:\r\nA university in the U.S.\r\nAn audit firm in the Netherlands\r\nTwo construction companies (one in Russia, the other in China)\r\nFive software developers (one in Germany, four in Russia)\r\nAll victims, both identified and unidentified, were notified by the national CERTs.\r\nWe have no details about those attacks. However, since ShadowPad was used in supply chain attacks via software\r\ndevelopers, and knowing that at least two software developers have been compromised, we are dealing with either a new\r\ndistribution attempt or an attack that is already in progress.\r\n1.4. Activity\r\nActivity on the server (such as collection of information from the victims and appearance of new utilities) usually took place\r\noutside of business hours in the victims' timezones. For some, it was evening; for others, early morning. This tactic is\r\ntypical of Winnti. The group did the same when they compromised CCleaner, as Avast reported.\r\n2. Analysis of malware and tools\r\nJudging by the data we collected, the delivery process in the current campaign looks as follows:\r\nFigure 15. Payload delivery diagram\r\nThe compilation time of the malware samples we found corresponds to business hours in the UTC+8 timezone (where China\r\nand Hong Kong are located).\r\nFigure 16. Malware compilation time in UTC+0\r\nFigure 17. Malware compilation time in UTC+8\r\n2.1. 
Analyzing SkinnyD\r\nSkinnyD (Skinny Downloader) is a simple downloader: it contains several C2 addresses and goes through them one by one.\r\nThe next stage is downloaded with a GET request to the C2 server via a URL generated according to a\r\nformat string hard-coded in the malware.\r\nFigure 18. URL format string\r\nThe malware checks the data received from the C2 as follows:\r\nThe data size must be more than 0x2800 bytes.\r\nThe data must begin with the bytes \"4D 5A\" (MZ).\r\nThe downloaded binary file is decrypted with XOR and loaded with PE reflective loading. After the binary file loads,\r\ncontrol transfers to the exported symbol MyCode.\r\nThe malware gains persistence via the registry key Environment\\UserInitMprLogonScript.[15]\r\nFigure 19. Persistence code\r\nIn the SkinnyD samples we studied, we found an interesting artifact linking it to xDll. This was the string\r\n\"3853ed273b89687\". Since the string is not used by the downloader, perhaps it's a builder artifact.\r\n2.2. Analyzing xDll\r\n2.2.1. Dropper\r\nThe dropper is an executable file written in C and compiled in Microsoft Visual Studio. Its compilation date (February 11,\r\n2020, 9:54:40 AM) looks plausible.\r\nFigure 20. General information about the dropper\r\nIt contains a payload in the form of the xDll backdoor in the data section.\r\nFigure 21. Another executable file in the dropper\r\nThe dropper extracts 59,392 bytes of data and attempts to write this to one of two paths:\r\n%windir%\\Device.exe\r\n%windir%\\system32\\browseui.dll\r\nNext, it copies itself to %windir%\\DeviceServe.exe and creates a service named VService, thereby ensuring\r\nauto-launch as a service.\r\nFigure 22. Installing the service\r\nWhen the service runs, it creates a separate thread for running the payload.\r\nFigure 23. 
Running the payload\r\nWe should note that there is no option to launch the other payload variant, the DLL library (browseui.dll).\r\n2.2.2. xDll backdoor\r\nThe backdoor is a file written in C++ and compiled in Microsoft Visual Studio using the MFC library. It also has a plausible\r\ncompilation date of February 10, 2020, 6:14:37 PM.\r\nFigure 24. General information about the payload\r\nIt creates a separate thread in which all actions take place.\r\nIt starts by scouting the system and collects the following information:\r\nNext, the backdoor decrypts C2 server addresses. In this case, there are two, but they are identical: www.oseupdate.dns-dns[.]com. The backdoor body contains a third address (127.0.0.1), which is replaced with the decrypted one.\r\nFigure 33. Decrypting C2 address\r\nWhen the C2 server address is obtained, a GET request is sent, with the following format: hxxp://{host}:{port}/{uri}?type=1\u0026hash={md5}\u0026time={current_time}. Request parameters are:\r\nhost (C2 address)\r\nport (port 80)\r\nuri (string \"news.php\")\r\nmd5 (hash sum of the MAC address, which is probably the victim's identifier)\r\ncurrent_time (current system time)\r\nHere's how it all looks:\r\nFigure 34. Sample request to the server\r\nNote that the request uses a preset value for the HTTP User-Agent header:\r\nFigure 35. Embedded User-Agent\r\nThe expected server response is the character \"1\". If that response is received, a POST request is sent with basic system\r\ninformation in JSON format:\r\nHash sum of the MAC address\r\nComputer name\r\nIP address\r\nOS version\r\nDomain name\r\nPreset identifier \"sssss\"\r\nOEM code page\r\nExample request:\r\nFigure 36. 
Sending system information\r\nWe should note that the JSON format used is incorrect. In addition, the value of the In_IP field is missing. Perhaps it was\r\nexpected that both the internal and external IP addresses would be determined. But logic for determining the external\r\naddress was not yet implemented in this variant of xDll. Another tell-tale detail is the value (\"post_info\") of the Referer\r\nHTTP header. In addition, a different value is selected for the User-Agent HTTP header:\r\nNext comes the loop for processing C2 commands. For that purpose, the backdoor sends a GET request in a format\r\nmatching the one described earlier. The only difference is that the \"type\" parameter value is now \"2\" instead of \"1\":\r\nThe expected server response is a lowercase Latin letter (from a to z). The following table shows commands and the\r\ncorresponding actions:\r\nSuccessful execution of some commands requires additional data. For instance, downloading a file from the server (the \"e\"\r\ncommand) requires indicating the file name. In this case, the server provides that name after a comma. For instance,\r\n\"e,dangerous_file.txt\".\r\nThis is what a request and the response look like:\r\nFigure 37. An example of a command for downloading a file\r\nNext, the file is requested and its content is returned:\r\nFigure 38. File content sent to the server\r\nThen a report indicating successful download is sent.\r\nFigure 39. 
Report on successful file download\r\nNotice again the idiosyncratic value of the \"Referer: upfile\" field, the type of transmitted data (image/pjpeg), and the name\r\nof the transmitted file: {md5}.gif (using the hash sum of the MAC address).\r\nWhen the command for collecting the directory listing (the \"d\" command) is processed, the delimiter is not a comma.\r\nInstead, the directory path is expected to start from the second character, for instance: \"d|C:\\Users\".\r\nFigure 40. Directory listing\r\nThe data is transmitted in JSON format, and this time the format is correct.\r\nThe following example shows sending information obtained from system analysis (the \"o\" command).\r\nFigure 41. Sending system information\r\nThe data is submitted in JSON format again, but with fewer keys.\r\nThe JSON string templates are specified in the backdoor; the string itself is formed by concatenation, without using any\r\nspecial libraries.\r\nHowever, in some cases, when a brief report is sufficient, the information may be transmitted in plaintext.\r\nFigure 42. Result of command for code execution\r\n2.3. ShadowPad\r\nAs mentioned, we found some public directories on one of the xDll servers, and one of those directories contained\r\nShadowPad. We found no significant differences from earlier versions, therefore the following is only a brief analysis of the\r\nnew version.\r\n2.3.1. ShadowPad loader and obfuscation\r\nThe first stage is decryption of the shellcode responsible for installing the backdoor on the system. The shellcode is\r\ndecrypted with an XOR-like algorithm, which modifies the encryption key at each iteration with arithmetic operations with\r\ncertain constants.\r\nFigure 43. 
Main module decryption cycle\r\nAfter decryption, control transfers to the loader, which features a characteristic type of obfuscation.\r\nFigure 44. Obfuscation used in the loader\r\nWe already saw this type of obfuscation in previous versions of ShadowPad. Certain bytes are inserted in various sections of\r\nthe code, pre-marked with two opposite conditional jumps pointing to the same address. To do away with this obfuscation,\r\nthe indicated bytes must be replaced (with the \"nop\" opcode, for instance).\r\nAfter the addresses of the API functions are received and the required code is placed in memory, control passes to the\r\nbackdoor installation stage.\r\n2.3.2. ShadowPad modules\r\nLike the previous versions, this backdoor has a modular architecture. By default, the backdoor includes the following\r\nmodules:\r\nFigure 45. Calling the functions for decryption and decompression of the modules built into the backdoor\r\nModule name ID Compilation time\r\nRoot 5E6909BA GMT: Wednesday, 11 March 2020, 15:54:34\r\nPlugins 5E69097C GMT: Wednesday, 11 March 2020, 15:53:32\r\nOnline 5E690988 GMT: Wednesday, 11 March 2020, 15:53:44\r\nConfig 5E690982 GMT: Wednesday, 11 March 2020, 15:53:38\r\nInstall 5E69099F GMT: Wednesday, 11 March 2020, 15:54:07\r\nDNS 5E690909 GMT: Wednesday, 11 March 2020, 15:51:37\r\nThe identifiers of these modules remain unchanged from version to version; they, too, are installed and run in a separate\r\nthread via the registry. Module compilation times can be found in the auxiliary header that comes before the shellcode.\r\nFigure 46. Location of the compilation time in the shellcode header\r\nA typical feature of any copy of ShadowPad is encryption of the strings in each module. The encryption algorithm is similar\r\nto the one used for backdoor decryption. 
The only difference is in the constants used for key modification.\r\nThe method of calling some API functions in ShadowPad modules is somewhat interesting. Some copies of the malware\r\ncalculate the function address each time a function is called, as shown in Figure 47. In addition, addresses of the\r\nfunctions to be called can be obtained via a special structure. The load addresses of the libraries are obtained from the\r\nvalues of the structure members, to which the offsets of the required API functions are then added.\r\nFigure 47. String decryption code in ShadowPad\r\nFigure 48. Example of obfuscation of calling an API function\r\nFigure 49. De-obfuscated calls (illustrated by the Install module)\r\nFor persistence, the backdoor copies itself to C:\\ProgramData\\ALGS\\ under the name Algs.exe and creates a service with the\r\nsame name.\r\nFigure 50. Service created for gaining persistence\r\nThe malware proceeds to launch a new svchost.exe process, which it injects with its own code and then gives control.\r\nFigure 51. Code for creating a process and injecting into it\r\n2.3.3. ShadowPad configuration\r\nIn all samples of the backdoor, the configuration is encrypted. The Config module is responsible for operations with it.\r\nThe configuration is a sequence of encrypted strings, in which each string follows the previous one without any zero padding or\r\nalignment. The configuration is encrypted by the same algorithm as the strings.\r\nFigure 52. Decrypted malware configuration\r\n2.3.4. Network protocol\r\nThe format of the packets used in all ShadowPad versions has remained unchanged.[16] For the packets sent to the server, the\r\npacket body and the packet header are generated separately. 
After they are concatenated (without any padding), the packet is\r\nencrypted with an algorithm whose logic is close to that of the algorithms used for decrypting the main module and the\r\nstrings inside the backdoor. Figure 53 shows the algorithm.\r\nFigure 53. Packet encryption code used in exchanges with the C2 server\r\nThe structure of encrypted packets received from the C2 server is fairly simple (as illustrated by the Init packet).\r\nFigure 54. Structure of ShadowPad packets\r\n2.4. Python backdoor\r\nThe backdoor we found on the server was in py2exe format. It is written in Python 2.7 and contains\r\nconfiguration variables at the beginning.\r\nThree commands can be executed remotely:\r\nCMDCMD: execute via cmd.exe\r\nUPFILECMD: upload the file to the server\r\nDOWNFILECMD: download the file from the server\r\nThe ONLINECMD command is executed by the backdoor right after launch. This is a command for collecting system\r\ninformation and sending it to the server.\r\nFigure 55. Backdoor configuration\r\nFigure 56. Commands for collecting system information\r\nThe backdoor has a function for gaining persistence via the registry:\r\nAfter gaining persistence and collecting system information, the malware packs the data and uploads it to the C2 server.\r\nInteraction with the server is via TCP sockets:\r\nCertain values are added before the data is sent; then the data is compressed with ZLIB and encoded in Base64.\r\nFigure 57. Data packing algorithm\r\nIn the code in Figure 55:\r\nFlag is the value initialized when the backdoor starts.\r\nFigure 58. 
Initializing the \"flag\" parameter\r\nKey is the value from the configuration.\r\nCmd is the config command being executed.\r\nData is the collected data.\r\nAfter the data is prepared, its length and the delimiter indicated in the config are added to the beginning, and then the\r\ndata is sent to the server.\r\nFigure 59. Forming the final data packet\r\nFigure 60. Example of formed data\r\nAfter the initial system data is sent, the backdoor goes into a loop as it awaits a command from the server.\r\nFigure 61. Main loop\r\n2.5. Utilities\r\nAmong our finds on the server were utilities for lateral movement. Most of those are open-source ones available on GitHub.\r\nThey were initially written in Python but converted to PE. The server had the following utilities:\r\nUtilities[17] to check for and exploit vulnerability MS17-010\r\nLaZagne[18] for gathering passwords\r\nget_lsass[19] for dumping passwords on x64 systems\r\nNBTScan\r\nDomainInfo for collecting domain information\r\nThe hackers tweaked the functionality of the MS17-010 utility by adding the ability to check an entire subnet.\r\nFigure 62. Modified utility for checking for MS17-010\r\nNetwork scanning is performed out of sequence, which may throw defenders off the scent. In addition, the scan skips\r\naddresses with 1 and 2 in the final octet, because such addresses very rarely belong to user computers.\r\nAnother utility of note on the server collects information about the domain of the target computer. 
The information includes\r\nthe following:\r\nComputer name\r\nNames of computer users, divided into groups\r\nDomain name\r\nName of the current user's group\r\nNames of the groups on the domain\r\nNames of users in each group\r\nAll this information is collected in a legitimate way via the API functions of the Netapi32.dll library and saved to the utility\r\ndirectory in XML format.\r\nInterestingly enough, the utility was compiled in 2014 with Microsoft Visual Studio 2005 and has the PDB path \"e:\\Visual Studio 2005\\Projects\\DomainInfo\\Release\\Domain05.pdb\".\r\nConclusion\r\nWe have analyzed the infrastructure of the Winnti group and conclude that it has been active since early 2019. Currently this\r\ninfrastructure is growing, which means Winnti is active. According to our information, the group has already compromised\r\nover 50 computers, and some of those may serve as a staging ground for subsequent, more serious attacks. The group has\r\nadded new malware to its arsenal, such as SkinnyD, xDll, and a Python backdoor. We found important connections between\r\nthe current Winnti infrastructure and other large attacks in which the group may have been directly involved.\r\nThe observed spike in the group's activity may be related to the coronavirus pandemic. Many companies have switched\r\nemployees to working from home and, as shown by our data, 80 percent of employees use their personal computers for\r\nwork. The result is that many employees are currently not protected by corporate security tools and security policies. 
This\r\nmakes them an easy target.\r\nMD5 SHA-1 SHA-256\r\nSkinnyD\r\nec2377cbd3065b4d751a791a22bd302c cdd78ccd274705f6c94b6640c968e90972597865 1d59968304f26651526a27dabd2780006ebd14925c9e0\r\n3fff50f9ea582848b8a5db05c88f526e ea11d0d950481676282cee20c5eb24fc71878bcc b5227a12185a6fef8bb99ac87eefba7787bbf75ff9c99bdc\r\n55186de70b2d5587625749a12df8b607 858d866c5faa965fa9fbe41c8484a88fe0c612eb d81ba465fe59e7d600f7ab0e8161246a5badd8ae2c3084\r\nxDll backdoor\r\n9f01cb61f342f599a013c3e19d359ab4 b63bfdfb7f267e9fbf1c19be65093d857696f3b0 169c24f0ad3969fe99ff2bf205ead067222781a88d73537\r\na2d552ed07ad15427f36d23da0f3a5d3 1858a80c8cff38d7871286a437c502233e027ab0 59759bbdfc1a37626d99dd260e298a1285ff006035ab83\r\n60ddb540da1aefee1e14f12578eafda8 8d16bc28cef6760ecf69543a14d29ba041307957 87a57f5bb976644fce146e62ee54f3e53096f37f24884d3\r\n7a4c8e876af7d30206b851c01dbda734 4cff1af90c69cc123ecafe8081e3c486a890d500 06d20fb5894c291fca07021800e7e529371372abff6db3\r\n3d760b6fc84571c928bed835863fc302 adcf9ade7a4dc14b7bf656e86ea15766b843e3b6 8ac21275d0db7f3e990551f343e16ac105d6a513810ff71\r\n278eb1f415d67da27b2e35ec35254684 7d30043210c8be2f642c449b92fe810a8c81f3f8 a77613cbb7e914796433bf344614e0c469e32a1d52fbaf\r\n007f35e233a25877835955bdd5dd3660 c1ec5a34b30990d9197c8010441c39d390109c75 aa7b1d13a96f90bf539455f25ef138d5e09e27b7da6bf7f\r\nf2b37be311738a54aa5373f3a45bbde2 5e350480787827c19c7bee4833c91d72d0e032a0 ece7f411ed1897304ca822b37d6480ff0b9505c8e307ef1\r\nShadowPad\r\n82118134e674fe403907c9b93c4dc7be 5e29d9e4be79b5d1d7e606ba59a910cdd840203b 2c2b1d9b34df9364fd91a6551890b0fdc58a7e681713c6\r\nd5cf8f4c8c908553d57872ab39742c75 bc2ef2e2232bce6be5bb0333da6f101f45ca6277 319a06a39e5a1394710ec917f281a546d850386e80fdb5\r\neccb14cb5a9f17356ad23aa61d358b11 ef8951613ccca06f35b10f87dc11cf5543c727dd 
3ff1cf65dff231f05bd54df3fecad2545b159094ce59ce4b\r\n349382749444e8f63e7f4dc0d8acf75d 223f24eadc6e3a48d9cf9799e3e390a4a4015fdb 63a74b66685fb94d685cfdfadd10917c805239ea079b94\r\ned4481a9b50529bfa098c4c530e4198e f6e4d7eb5e3a7ae4c94bb8626f79cc27b776d665 79f0e0a0f9c79a9206b9c2af222f026c384d3e0d761b0b4\r\n85b0b8ec05bd6be508b97fd397a9fc20 4e60f31e386ec4f478f04b48458e49ef781b04d0 831212d40c5120824508a645e54bf1b86f3be0cd19f87b\r\n6e3ce4dc5f739c5ba7878dd4275bb1f5 09a3b4823a4d82b72888e185c8b23b13c22885c3 85b0ada2836c76cc49b886dfe59d950a073e9d6d761581\r\n05751ea487d99aefea72d96a958140d7 2092a0557dcece4b4a32040b1bc09f9606aa1a1c 9984d5b554b8dbfeffdb374e1c8eaf74af7109a0e6b924b\r\nb9082bce17059a5789a8a092bbcdbe26 a570deda43eb424cc3578ba00b4d42d40044bd00 be7b1f7f0b73b77fc8fe4c109ae5a675cc9f3f6c16d3a1d7\r\n14d546b1af2329b46c004b5ed37a3bc2 07ef26c53b62c4b38c4ff4b6186bda07a2ff40cb bb28528e76649fb72e069b15a76f7c6ef520ae727408b3\r\n988ebf6fec017ec24f24427ac29cc525 0eec24a56d093e715047a626b911278a218927d2 d7786504a09ae35a75818c686b6299870e91d646bdf206\r\ne6aa938be4b70c79d297936887a1d9a3 8cf60c047ee8d742a7a91626535c64bc6d7b580e ec801e3baa02c7ad36a9b06512ac106d30ab3a2207a7cb\r\n964be19e477b57d85aceb7648e2c105d 6c8ab56853218f28ac11c16b050ad589ea14bafe 9843ceaca2b9173d3a1f9b24ba85180a40884dbf78dd72\r\n7bb16d5c48eb8179f8dafe306fc7e2c2 6bfdee276207d9b738b5e51f72e4852e3bda92d2 f7231082241d9e332b45307e180f20e11041f591967157\r\nBisonal\r\n5e25dfdf79dfc0542a2db424b1196894 3bf3cd0f3817cf9481944536c0c65d8a809e6d4a e114dd78f9acafcf7e93efe1c9e68a29e4fe52c4830431a4\r\nPython-бэкдор\r\nc86099486519947a53689e1a0ac8326d 817a88c07fe6d102961a994681c6674f89e2f28e 77e4a1f6eb95b9763cf13803aba0058ac0bcada8ee8b8f7\r\nget_lsass\r\n802312f75c4e4214eb7a638aecc48741 af421b1f5a08499e130d24f448f6d79f7c76af2b 8eb40114581fe9dc8d3da71ea407adfb871805902b7204\r\nDomainInfo\r\n22dfdcddd4f4da04b9ef7d10b27d84bc 619d32ea81e64d0af0a3e2a69f803cfe9941884b aad5ca66cfd5f0d1ffd4cccaa199de844b4074d02544521\r\nMS17-010 
checker\r\n96c2d3af9e3c2216cd9c9342f82e6cf9 397f60d933a3aa030fac5c1255b2eb1944831fb2 af3ec84a79dc58d0a449416b4cf8eb5f7fd39c2cf084f6b1\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/shadowpad-new-activity-from-the-winnti-group/\r\nPage 22 of 26\n\nMS17-010 exploiter\r\n2b2ed478cde45a5a1fc23564b72d0dc8 a7d6fbbfb2d9d77b8cf079102fb2940bbf968985 e3768ad2b2e505453e64fe0f18cb47b2fe62d184ac7925f\r\nNetwork indicators\r\nSkinnyD\r\n80.245.105.102\r\nxDll\r\nwww.yandex2unitedstated.dns05.com\r\nwww.oseupdate.dns-dns.com\r\nwww.yandex2unitedstated.dynamic-dns.net\r\ng00gle_jp.dynamic-dns.net\r\nhotmail.pop-corps.com\r\nwww.yandex2unitedstated.dynamic-dns.net\r\nShadowPad\r\nwww.ncdle.net\r\nwww.ertufg.com\r\ninfo.kavlabonline.com\r\nttareyice.jkub.com\r\nunaecry.zzux.com\r\nfilename.onedumb.com\r\nwww.yandex2unitedstated.dns04.com\r\nwww.trendupdate.dns05.com\r\nBisonal\r\nwww.g00gleru.wikaba.com\r\nPython backdoor\r\ndaum.pop-corps.com\r\nRelated domains\r\nagent.my-homeip.net freemusic.zzux.com pop-corps.com\r\nalombok.yourtrap.com gaiusjuliuscaesar.dynamicdns.biz microsoft-update.pop-corps.com\r\napplication.dns04.com ggpage.jetos.com microsoft_update.pop-corps.com\r\narjuna.dynamicdns.biz gkonsultan.mrslove.com rama.longmusic.com\r\narjuna.serveusers.com gmarket.system-ns.org redfish.misecure.com\r\nartoriapendragon.itemdb.com googlewizard.ocry.com regulations.vizvaz.com\r\nbackup.myftp.info hardenvscurry.my-router.de robinhood.longmusic.com\r\nbillythekid.x24hr.com help.kavlabonline.com server.serveusers.com\r\nbluecat.mefound.com hosenw.ns02.info serviceonline.otzo.com\r\nbradamante.longmusic.com host.adobe-online.com thebatfixed.zyns.com\r\ncindustry.faqserv.com hpcloud.dynserv.org tunnel.itsaol.com\r\ncuchulainn.mrbonus.com ibarakidoji.mrbasic.com uacmoscow.com\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/shadowpad-new-activity-from-the-winnti-group/\r\nPage 23 of 26\n\ndaum.xxuz.com indian.authorizeddns.us 
update.wmiprvse.com\r\ndepth.toh.info inthefa.bigmoney.biz videoservice.dnset.com\r\ndescribe.toh.info jaguarman.longmusic.com waswides.isasecret.com\r\ndevelopman.ocry.com jeannedarcarcher.zyns.com webhost.2waky.com\r\ndnsdhcp.dhcp.biz letstweet.toh.info webmail_gov_mn.pop-corps.com\r\neconomics.onemore1m.com lezone.jetos.com xindex.ocry.com\r\necoronavirus.almostmy.com likeme.myddns.com yandex.mrface.com\r\nemail_gov_mn.pop-corps.com medusa.americanunfinished.com yandex.pop-corps.com\r\nereshkigal.longmusic.com modibest.sytes.net www.alombok.yourtrap.com\r\neshown.itemdb.com movie2016.zzux.com www.arjuna.dynamicdns.biz\r\nfacegooglebook.mrbasic.com msdn.ezua.com www.asagamifujino.dns05.com\r\nfackb00k2us.dynamic-dns.net myflbook.myz.info www.billythekid.x24hr.com\r\nfergusmacroich.ddns.info mynews.myftp.biz www.bradamante.longmusic.com\r\nfornex.uacmoscow.com nadvocacy.mrbasic.com www.cuchulainn.mrbonus.com\r\nfrankenstein.compress.to nikolatesla.x24hr.com www.daum.xxuz.com\r\nfree2015.longmusic.com notepc.ezua.com www.david.got-game.org\r\nfreedomain.otzo.com npomail.ocry.com www.facebook2us.dynamic-dns.net\r\nfreemusic.xxuz.com ntripoli.www1.biz www.nthere.ourhobby.com\r\nwww.facegooglebook.mrbasic.com odanobunaga.dns04.com www.odanobunaga.dns04.com\r\nwww.fackb00k2us.dynamic-dns.net point.linkpc.net www.officescan_update.mypop3.org\r\nwww.fergusmacroich.ddns.info www.googlewizard.ocry.com www.program.ddns.info\r\nwww.frankenstein.compress.to www.hosenw.ns02.info www.robinhood.longmusic.com\r\nwww.free2015.longmusic.com www.ibarakidoji.mrbasic.com www.siegfried.dynamic-dns.net\r\nwww.freedomain.otzo.com www.inthefa.bigmoney.biz www.stade653.dns04.com\r\nwww.g00gle_kr.dns05.com www.jaguarman.longmusic.com www.uacmoscow.com\r\nwww.g00gle_mn.dynamic-dns.net www.jeannedarcarcher.zyns.com www.webhost.2waky.com\r\nwww.g0ogle_mn.dynamic-dns.net www.likeme.myddns.com www.xindex.ocry.com\r\nwww.ggpage.jetos.com www.medusa.americanunfinished.com 
www.yandex.mrface.com\r\nwww.gkonsultan.mrslove.com www.microsoft-update.pop-corps.com www.yandex.pop-corps.com\r\nwww.goog1e_kr.dns04.com www.msdn.ezua.com www.yandex2unitedstated.2waky.com\r\n  www.nikolatesla.x24hr.com  \r\n  www.nmbthg.com  \r\n  www.npomail.ocry.com  \r\nMITRE\r\nID Name Description\r\nInitial Access\r\nT1566.001 Spear-phishing Attachment\r\nWinnti sent spearphishing emails with malicious\r\nattachments\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/shadowpad-new-activity-from-the-winnti-group/\r\nPage 24 of 26\n\nExecution\r\nT1204.002 User Execution: Malicious File\r\nWinnti attempted to get users to launch malicious\r\nattachments delivered via spearphishing emails.\r\nT1569.002 System Services: Service Execution\r\nWinnti created Windows services to execute xDll\r\nbackdoor\r\nPersistence\r\nT1547.001\r\nBoot or Logon Autostart Execution: Registry\r\nRun Keys / Startup Folder\r\nWinnti added Registry Run keys to establish persistence.\r\nT1543.003\r\nCreate or Modify System Process: Windows\r\nService\r\nWinnti has created new services to establish persistence\r\nDefense evasion\r\nT1140 Deobfuscate/Decode Files or Information\r\nWinnti used custom cryptographic algorithm to decrypt\r\npayload\r\nT1055 Process Injection\r\nWinnti injected ShadowPad into the wmplayer.exe\r\nprocess\r\nT1574.002 Hijack Execution Flow: DLL Side-Loading\r\nWinnti used legitimate executables to perform DLL\r\nside-loading of their malware\r\nT1564.001 Hide Artifacts: Hidden Files and Directories\r\nWinnti has created a hidden directory under\r\nC:\\ProgramData\r\nT1027 Obfuscated Files or Information Winnti used VMProtected binaries\r\nT027.001 Software Packing Winnti used a custom packing algorithm\r\nCredential Access\r\nT1555 Credentials from Password Stores\r\nWinnti used a variety of publicly available tools like\r\nLaZagne to gather credentials\r\nT1003.001 OS Credential Dumping: LSASS Memory Winnti used get_lsass to dump 
credentials\r\nDiscovery\r\nT1087.001 Credentials from Password Stores\r\nWinnti gathered information of members on the victim’s\r\nmachine\r\nT1087.002 Account Discovery: Domain Account Winnti gathered domain user account information\r\nT1069.002\r\nPermission Groups Discovery: Domain\r\nGroups\r\nWinnti gathered domain group information\r\nCollection\r\nT1056.001 Input Capture: Keylogging ShadowPad contains a keylogge\r\nT1113 Screen Capture ShadowPad contains a screenshot module\r\nCommand And Control\r\nT1043 Commonly Used Port Winnti uses HTTP(s) for C2.\r\nT1071.001 Application Layer Protocol: Web Protocols\r\nВПО группы Winnti использует стандартные\r\nпротоколы для соединения с С2: HTTP и HTTPS\r\nT1095 Non-Application Layer Protoco Winnti uses TCP and UDP for C2.\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/shadowpad-new-activity-from-the-winnti-group/\r\nPage 25 of 26\n\n1. twitter.com/Vishnyak0v/status/1239908264831311872\r\n2. securelist.com/winnti-more-than-just-a-game/37029/\r\n3. securelist.com/shadowpad-in-corporate-networks/81432/\r\n4. blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer\r\n5. securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/\r\n6. welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/\r\n7. blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer\r\n8. slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-olegbondarenko\r\n9. ptsecurity.com/ww-en/analytics/operation-taskmasters-2019/\r\n10. proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx\r\n11. proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests\r\n12. jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf\r\n13. unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/\r\n14. 
blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html\r\n15. attack.mitre.org/techniques/T1037/\r\n16. media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf\r\n17. github.com/worawit/MS17-010/blob/master/checker.py\r\n18. github.com/AlessandroZ/LaZagne\r\n19. github.com/3gstudent/Homework-of-C-Language/blob/master/sekurlsa-wdigest.cpp\r\nSource: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/shadowpad-new-activity-from-the-winnti-group/\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/shadowpad-new-activity-from-the-winnti-group/\r\nPage 26 of 26",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/shadowpad-new-activity-from-the-winnti-group/"
	],
	"report_names": [
		"shadowpad-new-activity-from-the-winnti-group"
	],
	"threat_actors": [
		{
			"id": "cea5ceec-0f14-4e34-bd0e-4074bc1a707d",
			"created_at": "2022-10-25T15:50:23.629983Z",
			"updated_at": "2026-04-10T02:00:05.362084Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"Group 72"
			],
			"source_name": "MITRE:Axiom",
			"tools": [
				"ZxShell",
				"gh0st RAT",
				"Zox",
				"PlugX",
				"Hikit",
				"PoisonIvy",
				"Derusbi",
				"Hydraq"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a7d4fe31-d92f-425a-ba8c-c70219f52fb8",
			"created_at": "2022-10-25T15:50:23.466009Z",
			"updated_at": "2026-04-10T02:00:05.250808Z",
			"deleted_at": null,
			"main_name": "Frankenstein",
			"aliases": [
				"Frankenstein"
			],
			"source_name": "MITRE:Frankenstein",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7041fcf5-b34d-47c3-be4c-3c40f243af89",
			"created_at": "2023-01-06T13:46:38.611261Z",
			"updated_at": "2026-04-10T02:00:03.038745Z",
			"deleted_at": null,
			"main_name": "TA459",
			"aliases": [
				"G0062"
			],
			"source_name": "MISPGALAXY:TA459",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed4c7e37-461f-40f1-ad43-6ad7e21b32bc",
			"created_at": "2022-10-25T16:07:24.303712Z",
			"updated_at": "2026-04-10T02:00:04.929134Z",
			"deleted_at": null,
			"main_name": "TaskMasters",
			"aliases": [],
			"source_name": "ETDA:TaskMasters",
			"tools": [
				"404-Input-shell web shell",
				"ASPXSpy",
				"ASPXTool",
				"AtNow",
				"DbxDump Utility",
				"HTran",
				"HUC Packet Transmit Tool",
				"Mimikatz",
				"NBTscan",
				"PortScan",
				"ProcDump",
				"PsExec",
				"PsList",
				"RemShell",
				"RemShell Downloader",
				"gsecdump",
				"jsp File browser",
				"nbtscan",
				"pwdump",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "808d8d52-ca06-4a5f-a2c1-e7b1ce986680",
			"created_at": "2022-10-25T16:07:23.899157Z",
			"updated_at": "2026-04-10T02:00:04.782542Z",
			"deleted_at": null,
			"main_name": "NetTraveler",
			"aliases": [
				"APT 21",
				"Hammer Panda",
				"NetTraveler",
				"TEMP.Zhenbao"
			],
			"source_name": "ETDA:NetTraveler",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"NetTraveler",
				"Netfile",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TravNet",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0bf35542-9ebc-44a9-b319-b6df0bee4bac",
			"created_at": "2022-10-25T15:50:23.437853Z",
			"updated_at": "2026-04-10T02:00:05.36762Z",
			"deleted_at": null,
			"main_name": "TA459",
			"aliases": [
				"TA459"
			],
			"source_name": "MITRE:TA459",
			"tools": [
				"gh0st RAT",
				"NetTraveler",
				"PlugX",
				"ZeroT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1c97ccfd-1888-492c-b7b9-bb52c4c3809b",
			"created_at": "2023-01-06T13:46:38.940529Z",
			"updated_at": "2026-04-10T02:00:03.152806Z",
			"deleted_at": null,
			"main_name": "Operation ShadowHammer",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation ShadowHammer",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "802552ac-1f16-4b85-8d78-76d683684124",
			"created_at": "2022-10-25T16:07:24.28032Z",
			"updated_at": "2026-04-10T02:00:04.920517Z",
			"deleted_at": null,
			"main_name": "TA459",
			"aliases": [
				"G0062"
			],
			"source_name": "ETDA:TA459",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"NetTraveler",
				"Netfile",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TravNet",
				"Xamtrav",
				"ZeroT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4ae78ca3-8bc8-4d67-9df1-a85df250a8a0",
			"created_at": "2024-10-08T02:00:04.469211Z",
			"updated_at": "2026-04-10T02:00:03.726781Z",
			"deleted_at": null,
			"main_name": "TaskMasters",
			"aliases": [
				"BlueTraveller"
			],
			"source_name": "MISPGALAXY:TaskMasters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6bad0c51-0d2b-4f04-b355-f88c960db813",
			"created_at": "2025-08-07T02:03:24.546734Z",
			"updated_at": "2026-04-10T02:00:03.691101Z",
			"deleted_at": null,
			"main_name": "ALUMINUM THORN",
			"aliases": [
				"Frankenstein ",
				"WIRTE "
			],
			"source_name": "Secureworks:ALUMINUM THORN",
			"tools": [
				"FruityC2",
				"PowerShell Empire"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "254f2fab-5834-4d90-9205-d80e63d6d867",
			"created_at": "2023-01-06T13:46:38.31544Z",
			"updated_at": "2026-04-10T02:00:02.924166Z",
			"deleted_at": null,
			"main_name": "APT21",
			"aliases": [
				"HAMMER PANDA",
				"TEMP.Zhenbao",
				"NetTraveler"
			],
			"source_name": "MISPGALAXY:APT21",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5c74936a-79d1-41b8-81eb-01d03c90a26b",
			"created_at": "2022-10-25T16:07:23.371052Z",
			"updated_at": "2026-04-10T02:00:04.570621Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"G0001",
				"Group 72",
				"Operation SMN"
			],
			"source_name": "ETDA:Axiom",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"BleDoor",
				"Chymine",
				"Darkmoon",
				"DeputyDog",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"Poison Ivy",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Roarur",
				"SPIVY",
				"Sensocode",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"ZXShell",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446612,
	"ts_updated_at": 1775792037,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f6ebd7fd80e3c9cdc3d6f95db081fe0d58daf07.pdf",
		"text": "https://archive.orkl.eu/2f6ebd7fd80e3c9cdc3d6f95db081fe0d58daf07.txt",
		"img": "https://archive.orkl.eu/2f6ebd7fd80e3c9cdc3d6f95db081fe0d58daf07.jpg"
	}
}