{
	"id": "e3f7cff5-e173-4a05-817b-7dcc0abb1da4",
	"created_at": "2026-04-06T00:07:56.377228Z",
	"updated_at": "2026-04-10T03:32:21.363202Z",
	"deleted_at": null,
	"sha1_hash": "56740f8a224c7f7024704d33d8558126b078aad5",
	"title": "ShadowPad in corporate networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1456962,
	"plain_text": "ShadowPad in corporate networks\r\nBy GReAT\r\nPublished: 2017-08-15 · Archived: 2026-04-05 14:41:05 UTC\r\n ShadowPad, part 2: Technical Details (PDF)\r\nIn July 2017, during an investigation, suspicious DNS requests were identified in a partner’s network. The partner,\r\nwhich is a financial institution, discovered the requests originating on systems involved in the processing of\r\nfinancial transactions.\r\nFurther investigation showed that the source of the suspicious DNS queries was a software package produced by\r\nNetSarang. Founded in 1997, NetSarang Computer, Inc. develops, markets and supports secure connectivity\r\nsolutions and specializes in the development of server management tools for large corporate networks. The\r\ncompany maintains headquarters in the United States and South Korea.\r\nNetSarang website\r\nOur analysis showed that recent versions of software produced and distributed by NetSarang had been\r\nsurreptitiously modified to include an encrypted payload that could be remotely activated by a knowledgeable\r\nattacker.\r\nhttps://securelist.com/shadowpad-in-corporate-networks/81432/\r\nPage 1 of 8\n\nThe backdoor was embedded into one of the code libraries used by the software (nssock2.dll):\r\nBackdoored dll in a list of loaded modules of Xshell5 software\r\nDisposition of the NSSOCK2.DLL binary with embedded malicious code\r\nThe attackers hid their malicious intent in several layers of encrypted code. The tiered architecture prevents the\r\nactual business logic of the backdoor from being activated until a special packet is received from the first tier\r\ncommand and control (C\u0026C) server (“activation C\u0026C server”). 
Until then, it only transfers basic information,\r\nincluding the computer, domain and user names, every 8 hours.\r\nActivation of the payload would be triggered via a specially crafted DNS TXT record for a specific domain. The\r\ndomain name is generated based on the current month and year values, e.g. for August 2017 the domain name\r\nused would be “nylalobghyhirgh.com”.\r\nDNS queries to C\u0026C from backdoored nssock2.dll\r\nOnly when triggered by the first layer of C\u0026C servers does the backdoor activate its second stage\r\nThe module performs a quick exchange with the controlling DNS server and provides basic target information\r\n(domain and user name, system date, network configuration) to the server. The C\u0026C DNS server in return sends\r\nback the decryption key for the next stage of the code, effectively activating the backdoor. The data exchanged\r\nbetween the module and the C\u0026C is encrypted with a proprietary algorithm and then encoded as readable Latin\r\ncharacters. Each packet also contains an encrypted “magic” DWORD value “52 4F 4F 44” (‘DOOR’ if read as a\r\nlittle-endian value).\r\nOur analysis indicates the embedded code acts as a modular backdoor platform. It can download and execute\r\narbitrary code provided from the C\u0026C server, as well as maintain a virtual file system (VFS) inside the registry.\r\nThe VFS, and any additional files created by the code, are encrypted and stored in a location unique to each\r\nvictim. The remote access capability includes a domain generation algorithm (DGA) for C\u0026C servers which\r\nchanges every month. The attackers behind this malware have already registered the domains covering July to\r\nDecember 2017, which indirectly confirms the alleged start date of the attack as around mid-July 2017.\r\nCurrently, we can confirm an activated payload in a company in Hong Kong. 
Given that the NetSarang programs are\r\nused in hundreds of critical networks around the world, on servers and workstations belonging to system\r\nadministrators, it is strongly recommended that companies take immediate action to identify and contain the\r\ncompromised software.\r\nKaspersky Lab products detect and protect against the backdoored files as “Backdoor.Win32.ShadowPad.a”.\r\nWe informed NetSarang of the compromise and they immediately responded by pulling down the compromised\r\nsoftware suite and replacing it with a previous clean version. The company has also published a message\r\n(https://www.netsarang.com/news/security_exploit_in_july_18_2017_build.html) acknowledging our findings and\r\nwarning their customers.\r\nShadowPad is an example of the dangers posed by a successful supply-chain attack. Given the opportunities for\r\ncovert data collection, attackers are likely to pursue this type of attack again and again with other widely used\r\nsoftware components. Luckily, NetSarang was fast to react to our notification and released a clean software\r\nupdate, most likely preventing hundreds of data-stealing attacks against their clients. This case is an example of\r\nthe value of threat research as a means to secure the wider internet ecosystem. No single entity is in a position to\r\ndefend all of the links in an institution’s software and hardware supply-chain. With successful and open\r\ncooperation, we can help weed out the attackers in our midst and protect the internet for all users, not just our\r\nown.\r\nFor more information please contact: intelreports@kaspersky.com\r\nFrequently Asked Questions\r\nWhat does the code do if activated?\r\nIf the backdoor were activated, the attacker would be able to upload files, create processes, and store information\r\nin a VFS contained within the victim’s registry. 
The VFS and any additional files created by the code are\r\nencrypted and stored in locations unique to each victim.\r\nWhich software packages were affected?\r\nWe have confirmed the presence of the malicious file (nssock2.dll) in the following packages previously available\r\non the NetSarang site:\r\nXmanager Enterprise 5 Build 1232\r\nXme5.exe, Jul 17 2017, 55.08 MB\r\nMD5: 0009f4b9972660eeb23ff3a9dccd8d86\r\nSHA1: 12180ff028c1c38d99e8375dd6d01f47f6711b97\r\nXmanager 5 Build 1045\r\nXmgr5.exe, Jul 17 2017, 46.2 MB\r\nMD5: b69ab19614ef15aa75baf26c869c9cdd\r\nSHA1: 35c9dae68c129ebb7e7f65511b3a804ddbe4cf1d\r\nXshell 5 Build 1322\r\nXshell5.exe, Jul 17 2017, 31.58 MB\r\nMD5: b2c302537ce8fbbcff0d45968cc0a826\r\nSHA1: 7cf07efe04fe0012ed8beaa2dec5420a9b5561d6\r\nXftp 5 Build 1218\r\nXftp5.exe, Jul 17 2017, 30.7 MB\r\nMD5: 78321ad1deefce193c8172ec982ddad1\r\nSHA1: 08a67be4a4c5629ac3d12f0fdd1efc20aa4bdb2b\r\nXlpd 5 Build 1220\r\nXlpd5.exe, Jul 17 2017, 30.22 MB\r\nMD5: 28228f337fdbe3ab34316a7132123c49\r\nSHA1: 3d69fdd4e29ad65799be33ae812fe278b2b2dabe\r\nIs NetSarang aware of this situation?\r\nYes, we contacted the vendor and received a swift response. Shortly after notification by Kaspersky Lab all\r\nmalicious files were removed from the NetSarang website.\r\nHow did you find that the software was backdoored?\r\nDuring an investigation, suspicious DNS requests were identified on a partner’s network. The partner, which is a\r\nfinancial institution, detected these requests on systems related to the processing of financial transactions. Our\r\nanalysis showed that the source of these suspicious requests was a software package produced by NetSarang.\r\nWhen did the malicious code first appear in the software?\r\nA fragment of code was added in nssock2.dll (MD5: 97363d50a279492fda14cbab53429e75), compiled Thu Jul 13\r\n01:23:01 2017. 
The file is signed with a legitimate NetSarang certificate (Serial number: 53 0C E1 4C 81 F3 62 10\r\nA1 68 2A FF 17 9E 25 80). This code is not present in the nssock2.dll from March (MD5:\r\nef0af7231360967c08efbdd2a94f9808) included with the NetSarang installation kits from April.\r\nHow do I detect if the code is present on a system?\r\nAll Kaspersky Lab products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you\r\ncan’t use an antimalware solution, you can check if there were DNS requests from your organization to these\r\ndomains:\r\nribotqtonut[.]com\r\nnylalobghyhirgh[.]com\r\njkvmdmjyfcvkf[.]com\r\nbafyvoruzgjitwr[.]com\r\nxmponmzmxkxkh[.]com\r\ntczafklirkl[.]com\r\nnotped[.]com\r\ndnsgogle[.]com\r\noperatingbox[.]com\r\npaniesx[.]com\r\ntechniciantext[.]com\r\nHow do I clean any affected systems?\r\nAll Kaspersky Lab products successfully detect and disinfect the affected files as “Backdoor.Win32.Shadowpad.a”\r\nand actively protect against the threat.\r\nIf you do not have a Kaspersky product installed, then:\r\n1. Update to the latest version of the NetSarang package.\r\n2. Block DNS queries to the C2 domains listed in Appendix A.\r\nWhat kind of companies/organizations are targeted by the attackers?\r\nBased on the vendor profile, the attackers could be after a broad set of companies who rely on NetSarang\r\nsoftware, which includes the banking and financial industry, software and media, energy and utilities, computers and\r\nelectronics, insurance, industrial and construction, manufacturing, pharmaceuticals, retail, telecommunications,\r\ntransportation and logistics and other industries.\r\nWho is behind this attack?\r\nAttribution is hard and the attackers were very careful not to leave obvious traces. 
However, certain techniques\r\nare known to have been used in other malware such as PlugX and Winnti, which were allegedly developed by Chinese-speaking actors.\r\nHow did the attackers manage to get access to create trojanized updates? Does that mean that\r\nNetSarang was hacked?\r\nAn investigation is in progress, but since the code was signed and added to all software packages it could point to the\r\nfact that attackers either modified the source code or patched software on the build servers.\r\nAppendix A – Indicators of Compromise\r\nAt this time, we have confirmed the presence of the malicious “nssock2.dll” in the following packages\r\ndownloaded from the NetSarang site:\r\nXmanager Enterprise 5 Build 1232\r\nXme5.exe, Jul 17 2017, 55.08 MB\r\nMD5: 0009f4b9972660eeb23ff3a9dccd8d86\r\nSHA1: 12180ff028c1c38d99e8375dd6d01f47f6711b97\r\nXmanager 5 Build 1045\r\nXmgr5.exe, Jul 17 2017, 46.2 MB\r\nMD5: b69ab19614ef15aa75baf26c869c9cdd\r\nSHA1: 35c9dae68c129ebb7e7f65511b3a804ddbe4cf1d\r\nXshell 5 Build 1322\r\nXshell5.exe, Jul 17 2017, 31.58 MB\r\nMD5: b2c302537ce8fbbcff0d45968cc0a826\r\nSHA1: 7cf07efe04fe0012ed8beaa2dec5420a9b5561d6\r\nXftp 5 Build 1218\r\nXftp5.exe, Jul 17 2017, 30.7 MB\r\nMD5: 78321ad1deefce193c8172ec982ddad1\r\nSHA1: 08a67be4a4c5629ac3d12f0fdd1efc20aa4bdb2b\r\nXlpd 5 Build 1220\r\nXlpd5.exe, Jul 17 2017, 30.22 MB\r\nMD5: 28228f337fdbe3ab34316a7132123c49\r\nSHA1: 3d69fdd4e29ad65799be33ae812fe278b2b2dabe\r\nDomains:\r\nribotqtonut[.]com\r\nnylalobghyhirgh[.]com\r\njkvmdmjyfcvkf[.]com\r\nbafyvoruzgjitwr[.]com\r\nxmponmzmxkxkh[.]com\r\ntczafklirkl[.]com\r\nnotped[.]com\r\ndnsgogle[.]com\r\noperatingbox[.]com\r\npaniesx[.]com\r\ntechniciantext[.]com\r\nDLL with the encrypted payload:\r\n97363d50a279492fda14cbab53429e75\r\nNetSarang packages which contain the DLL with the encrypted payload (same as above, just the\r\nlist of MD5 
sums):\r\n0009f4b9972660eeb23ff3a9dccd8d86\r\nb69ab19614ef15aa75baf26c869c9cdd\r\nb2c302537ce8fbbcff0d45968cc0a826\r\n78321ad1deefce193c8172ec982ddad1\r\n28228f337fdbe3ab34316a7132123c49\r\nFile names:\r\nnssock2.dll\r\nSource: https://securelist.com/shadowpad-in-corporate-networks/81432/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://securelist.com/shadowpad-in-corporate-networks/81432/"
	],
	"report_names": [
		"81432"
	],
	"threat_actors": [
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434076,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/56740f8a224c7f7024704d33d8558126b078aad5.pdf",
		"text": "https://archive.orkl.eu/56740f8a224c7f7024704d33d8558126b078aad5.txt",
		"img": "https://archive.orkl.eu/56740f8a224c7f7024704d33d8558126b078aad5.jpg"
	}
}