{
	"id": "f441541e-d231-4f25-9139-bc3833c63de2",
	"created_at": "2026-04-06T00:09:16.132176Z",
	"updated_at": "2026-04-10T03:36:13.615655Z",
	"deleted_at": null,
	"sha1_hash": "699575ca07737b61c2e3336f17272b571e5743c0",
	"title": "ShadowPad | A Masterpiece of Privately Sold Malware in Chinese Espionage - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1842041,
	"plain_text": "ShadowPad | A Masterpiece of Privately Sold Malware in Chinese Espionage - SentinelLabs\r\nPublished: 2021-08-19 · Archived: 2026-04-05 16:41:38 UTC\r\nBy Yi-Jhen Hsieh \u0026 Joey Chen\r\nExecutive Summary\r\nShadowPad is a privately sold modular malware platform – rather than an open attack framework – with plugins sold separately.\r\nShadowPad is still regularly updated with more advanced anti-detection and persistence techniques.\r\nIt’s used by at least four clusters of espionage activity. ShadowPad was the primary backdoor for espionage operations in multiple campaigns, including the CCleaner, NetSarang, and ASUS supply-chain attacks.\r\nThe adoption of ShadowPad significantly reduces the costs of development and maintenance for threat actors. We observed that some threat groups stopped developing their own backdoors after they gained access to ShadowPad.\r\nAs a byproduct of that shared tooling, any attribution claim needs to be reviewed cautiously when a shared backdoor like ShadowPad is involved.\r\nInstead of focusing on specific threat groups, we discuss local personas possibly involved in the development of ShadowPad as an iterative successor to PlugX.\r\nRead the Full Report\r\nOverview\r\nShadowPad emerged in 2015 as the successor to PlugX. However, it was not until several infamous supply-chain incidents occurred – CCleaner, NetSarang and ShadowHammer – that it started to receive widespread attention in the public domain. Unlike the publicly sold PlugX, ShadowPad is privately shared among a limited set of users.\r\nWhilst collecting IoCs and connecting the dots, we asked ourselves: What threat actors are using ShadowPad in their operations? And ultimately, how does the emergence of ShadowPad impact the wider threat landscape of Chinese espionage actors?\r\nTo answer those questions, we conducted a comprehensive study on the origin, usage and ecosystem of ShadowPad. The full report provides:\r\na detailed overview of ShadowPad, including its history, technical details, and our assessment of its business model and ecosystem\r\na detailed description of four activity clusters where ShadowPad has been used\r\na discussion of how ShadowPad’s emergence changes the attacking strategies of some China-based threat actors\r\nhttps://labs.sentinelone.com/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/\r\nPage 1 of 7\n\nhow ShadowPad affects the threat landscape of Chinese espionage attacks\r\nIn this blog post, we provide an abridged version of some of our key findings and discussions. Please see the full report for an extended discussion, full Indicators of Compromise and other technical indicators.\r\nTechnical Analysis\r\nShadowPad is a modular backdoor in shellcode format. On execution, an obfuscated shellcode loader layer is responsible for decrypting and loading a Root plugin. The Root plugin in turn decrypts the other plugins embedded in the shellcode and loads them into memory. The plugins are kept and referenced through a doubly linked list:\r\n#include \u003cwindows.h\u003e\r\n\r\n/* Node of the doubly linked list through which loaded plugins are tracked */\r\ntypedef struct plugin_node {\r\n    struct plugin_node* previous_node;\r\n    struct plugin_node* next_node;\r\n    DWORD referenced_count;   /* reference count for the plugin */\r\n    DWORD plugin_timestamp;   /* timestamp recorded for the plugin */\r\n    DWORD plugin_id;          /* numeric plugin identifier */\r\n    DWORD field_0;\r\n    DWORD field_1;\r\n    DWORD field_2;\r\n    DWORD field_3;\r\n    DWORD plugin_size;        /* size of the plugin in memory */\r\n    LPVOID plugin_base_addr;  /* base address of the loaded plugin */\r\n    LPVOID plugin_export_function_table_addr; /* table of the plugin’s exported functions */\r\n} plugin_node;\r\nIn addition to the plugins embedded in the sample, further plugins can be uploaded remotely from the C\u0026C server, which lets users dynamically add functionality not included by default.\r\nThe architecture of ShadowPad backdoor\r\nAs luck would have it, the ShadowPad controller (version 1.0, 2015) was accidentally discovered during private research. All of the stakeholders involved agreed to our releasing screenshots but not the details of the actual file, so we are unable to provide hashes for this component at present.\r\nAnalysis of the controller gave us a clear picture of how the builder generates the shellcode, how users manage infected hosts, and which functions the controller offers.\r\nPrivately Shared Attack Framework or Privately Sold Modular Malware?\r\nAn intriguing question to address is whether ShadowPad is a privately shared attack framework or a privately developed modular malware platform sold to specific groups. Its design allows users to remotely deploy new plugins to a backdoor. In theory, anyone capable of producing a plugin that is encrypted and compressed in the correct format can freely add new functionality to the backdoor.\r\nHowever, the control interfaces of the plugins are hardcoded in the “Manager” page of the ShadowPad controller, and the controller itself does not include a feature to add a new control interface.\r\nThe interfaces to control the plugins are hardcoded and listed in the “Manager” page\r\nIn other words, it is unlikely that ShadowPad was created as a collaborative attack framework. Only plugins produced by the original developer can be included and used through the ShadowPad controller.\r\nOn the other hand, even if the control interface of a plugin is listed in the menu, not every available plugin is embedded by default in the ShadowPad samples built by the controller. There is no configuration in the builder that lets the user choose which plugins are compiled into the generated sample, so this setting can only be managed by the developer of the controller.\r\nIf ShadowPad was not originally designed as an open framework, the next question is whether it is freely shared with or sold to its users. The possible author ‘whg’ – and one of his close affiliates, Rose – have been monetizing their malware development and hacking skills since the early 2000s. Both individuals sold self-developed malware, and Rose offered services such as software cracking, penetration testing and DDoS attacks. If ShadowPad was developed by them or their close affiliates, in this context it is more likely to be sold to – rather than freely shared with – other users.\r\nSelling the Plugins Separately Rather than Giving a Full Bundle by Default\r\nThe functionality available to ShadowPad users is tightly controlled by the seller of ShadowPad. Looking closely at the plugin counts and the distribution of the different plugins embedded in around a hundred samples, we assess that the seller is likely selling each plugin separately rather than offering a full bundle with all of the currently available plugins.\r\nThe number of samples grouped by the number of plugins in each sample\r\nThe image above groups the samples by the number of plugins embedded in them. Most of the samples contain fewer than nine plugins, with the embedded plugins drawn from the following set: Root, Plugins, Config, Install, Online, TCP, HTTP, UDP and DNS. This set of plugins supports only the installation of the backdoor and communication with C\u0026C servers, without providing further functionality.\r\nWhat Threat Actors Are Using ShadowPad?\r\nShadowPad is sold privately to a limited set of customers. SentinelOne has identified at least five activity clusters of ShadowPad users since 2017:\r\nAPT41\r\nTick \u0026 Tonto Team\r\nOperation Redbonus\r\nOperation Redkanku\r\nFishmonger\r\nIn the full report, we discuss each in turn. Here, we will limit our observations to the most interesting points related to APT41.\r\nAPT41 is the accepted name for the activities conducted by two sub-groups that spun off from what was once referred to as ‘Winnti’: BARIUM (Tan Dailin, aka Rose, and Zhang Haoran) and LEAD (Chengdu 404 Network Technology Co., Ltd).\r\nAll of the individuals are based in Chengdu, Sichuan. Rose (aka “凋凌玫瑰”), Zhang Haoran, and Jiang Lizhi (aka “BlackFox”, one of the persons behind Chengdu 404) were coworkers between 2011 and 2017, while Rose and BlackFox have known each other since at least 2006.\r\nRose started his active collaboration on malware development with whg, the author of PlugX, when he was a member of the hacking group NCPH back in 2005. They developed “NCPH Remote Control Software” together until 2007. The executable of the controller was freely shared on NCPH websites, but they also declared that the source code was for sale.\r\nNCPH 5.0 Remote Control Software, developed back in 2005, was powered by whg and Rose\r\nRose and his friends sold the source code of “NCPH remote control software” on the NCPH forum\r\nBARIUM (Rose and Zhang Haoran) was one of the earliest threat groups with access to ShadowPad. Aside from some smaller-scale attacks against the gaming industry, it was responsible for several supply-chain attacks from 2017 to 2018. Its victims included NetSarang, ASUS and, allegedly, CCleaner.\r\nAnother sub-group, LEAD, also used ShadowPad along with other backdoors to attack victims for both financial and espionage purposes. It was reported to have attacked electronics providers and consumers, universities, telecommunications companies, NGOs and foreign governments.\r\nConsidering the long-term affiliation between Rose and whg, we suspect that Rose likely had high-privilege access to – or was a co-developer of – ShadowPad, and that other close affiliates in Chengdu were likely sharing resources. This could also explain why BARIUM was able to use a special version of ShadowPad in some of its attacks.\r\nConclusion\r\nThe emergence of ShadowPad, a privately sold, well-developed and functional backdoor, offers threat actors a good opportunity to move away from self-developed backdoors. While it is well-designed and highly likely to have been produced by an experienced malware developer, both its functionality and its anti-forensics capabilities are under active development. For these threat actors, using ShadowPad as the primary backdoor significantly reduces the costs of development.\r\nFor security researchers and analysts tracking China-based threat actors, the adoption of a “sold – or cracked – commercial backdoor” makes it harder to ascertain which threat actor they are investigating. More systematic methods – for instance, analysis of the relationships between indicators, and long-term monitoring of activities and campaigns – need to be developed in order to carry out analytically sound attribution. Any public claim on the attribution of ShadowPad users requires careful validation and strong evidentiary support so that it can help the community’s effort to identify Chinese espionage.\r\nRead the full report for an extended discussion, full Indicators of Compromise and other technical indicators.\r\nSource: https://labs.sentinelone.com/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://labs.sentinelone.com/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/"
	],
	"report_names": [
		"shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage"
	],
	"threat_actors": [
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434156,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/699575ca07737b61c2e3336f17272b571e5743c0.pdf",
		"text": "https://archive.orkl.eu/699575ca07737b61c2e3336f17272b571e5743c0.txt",
		"img": "https://archive.orkl.eu/699575ca07737b61c2e3336f17272b571e5743c0.jpg"
	}
}