{
	"id": "2511fe31-6ec3-4c28-a49c-6834fff78250",
	"created_at": "2026-04-06T00:10:17.160607Z",
	"updated_at": "2026-04-10T03:32:45.977808Z",
	"deleted_at": null,
	"sha1_hash": "780c33fe155039f188908882e7bf1b2411bd341c",
	"title": "Tracking ShadowPad Infrastructure Via Non-Standard Certificates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5453637,
	"plain_text": "Tracking ShadowPad Infrastructure Via Non-Standard Certificates\r\nPublished: 2024-02-09 · Archived: 2026-04-05 14:31:46 UTC\r\nTABLE OF CONTENTS\r\nOut With The Old?\r\nWhat's The Difference?\r\nCracking The Dell Data Vault\r\nSuspected Cluster #1\r\nSuspected Cluster #2\r\nBonus\r\nConclusion\r\nRemaining IPs/Domains\r\nThis post will examine ShadowPad infrastructure linked to a yet-to-be-identified threat actor. What makes this activity different is a slight change in the HTTP response headers and the use of a certificate attempting to spoof the American technology company Dell. Within this group of IPs, there are additional subsets of activity utilizing different port configurations and some interesting domains, discussed later in this article.\r\nThanks to Greg \u0026 Cal for answering my questions regarding this infrastructure.\r\nOut With The Old?\r\nStay with me if you're already familiar with detecting ShadowPad using the standard HTTP headers with Nginx servers and TLS certificates using my* fields.\r\nShadowPad is a modular trojan shared privately by several suspected state-linked Chinese threat actors since 2019. It has been used in network intrusions focused on espionage, information theft, and even financial gain.\r\nSee Figures 1 \u0026 2 below for examples of recently identified ShadowPad infrastructure.\r\nhttps://hunt.io/blog/tracking-shadowpad-infrastructure-via-non-standard-certificates\r\nPage 1 of 14\r\nFigure 1: Common ShadowPad Nginx HTTP Response\r\nFigure 2: Well-Known ShadowPad TLS Certificate\r\n*These servers and many more are tagged and available to Hunt users. Apply for an account today, and let us know what you think.\r\nOne could quickly start tracking servers with the above information (in addition to other factors such as provider, location, domains, etc.) and add them to network blocklists. 
The only problem with this approach is that focusing on an oft-seen certificate will cause defenders to miss minor changes to similar infrastructure.\r\nLet's look at what made this set of IP addresses stand out from the others.\r\nWhat's The Difference?\r\nWe've identified over 30 servers using the spoofed Dell certificate from across the internet. Note: the ports listed are those on which the certificate was observed and do not represent all open ports on each IP address.\r\nThere are two ways to dig into this infrastructure: via the Advanced Search feature (below) or as part of the more extensive set of ShadowPad servers Hunt tracks, pictured in Figure 4.\r\nFigure 3: Snippet of Advanced Search Results\r\nFigure 4: Tagging of ports using the Dell certificate in the Hunt platform\r\nFigure 5: Certificate For Subset of ShadowPad Infrastructure\r\nAll fields of the certificate subject are listed below:\r\nC=US, ST=Texas, L=Round Rock, O=Dell Technologies Inc., OU=Dell Data Vault, CN=Dell Technologies Inc.\r\nRound Rock, Texas is Dell's actual headquarters, so the subject is plausible at a glance; the full set of six fields, rather than the organization name alone, is the pivot worth tracking.\r\nFigure 6: Similar HTTP Headers Without the \"Page Not Found\" Text\r\nThe HTTP headers in Figure 6 should look familiar. When combined with the previously described additional factors and third-party intelligence (Recorded Future \u0026 VirusTotal), we have confirmation that we are on the trail of an actor (or actors) using ShadowPad.\r\nCracking The Dell Data Vault\r\nNone of the IP addresses identified as linked to the malware are consecutively assigned, which could indicate a threat actor purchasing the servers from a reseller. 
However, many are closely related, which shows a strong preference for one provider over others.\r\nFigures 7 and 8 below show the providers making up the infrastructure, as well as the geolocations of the servers.\r\nFigure 7: Providers used in this set of ShadowPad C2s (Brought to life by Plotly.py)\r\nFigure 8: Geographical data of ShadowPad servers (Brought to life by Plotly.py)\r\nSuspected Cluster #1\r\nPorts utilized for likely C2 communication consist of common ports: 53, 80, 443, 8080, 8443, 44444. While port 53 is nothing new when discussing malware communicating with a controller, just 12 IPs out of the 30+ identified have the port exposed as an HTTP server with an Nginx header (Figure 9).\r\nWithout malware samples and additional information to analyze, this anomaly has three possible explanations:\r\n1. Targeted Deployment: Standard C2 ports are used for most servers. However, this subset could represent a high-value target, where leveraging port 53 is believed to bypass detection.\r\n2. Possible Misconfiguration: This could be an unintentional mistake made during server setup.\r\n3. Second or Third Actor: The servers using port 53 may belong to a separate actor. While the 31 IPs identified share similarities, this subset might be part of a separate operation utilizing specific tactics and tools.\r\nOf course, all three of the above could be wrong. 
There may be a part 2 to this post.\r\nFigure 9: Nginx header on port 53\r\nFigure 10: One of the 12 servers using the ShadowPad certificate on port 53\r\nIP addresses and domains of this suspected cluster are below.\r\nIP Address | Domain(s) | ASN | Cert Last Seen\r\n45.76.146.215 | app2[.]toggle2[.]com | The Constant Company | 2024-02-06\r\n81.68.102.11 | N/A | Tencent | 2024-02-06\r\n47.254.251.168 | N/A | Alibaba (US) | 2024-01-30\r\n139.180.188.54 | update[.]performed12[.]com, www[.]fadfar[.]com, kzb[.]performed12[.]com, time[.]afsder[.]com, updata[.]dsqueryonline[.]com, microsoft[.]performed12[.]com, updata[.]installation77[.]com, az[.]performed12[.]com, time[.]kkdiscover[.]com, update[.]kkdiscover[.]com, power[.]installation77[.]com | The Constant Company | 2024-02-06\r\n8.217.107.25 | N/A | Alibaba (US) | 2024-02-05\r\n38.60.193.62 | N/A | Kaopou Cloud HK | 2024-02-05\r\n38.54.105.226 | microsoft[.]kiwi[.]nz, www[.]kazakhtelecom[.]zzux[.]com, kazakhtelecom[.]zzux[.]com, google[.]org[.]im, www[.]google[.]org[.]im, turkeylahainasunset[.]com, www[.]microsoft[.]kiwi[.]nz | Kaopou Cloud HK | 2024-02-04\r\n108.61.163.91 | czs[.]superdasqe[.]me | The Constant Company | 2024-02-06\r\n47.243.60.4 | N/A | Alibaba (US) | 2024-02-02\r\n8.218.214.23 | N/A | Alibaba (US) | 2024-02-02\r\n8.218.248.158 | N/A | Alibaba (US) | 2024-01-26\r\n8.218.163.77 | mirco[.]supermirco[.]us, mircoo[.]supermirco[.]us | Alibaba (US) | 2024-02-04\r\n47.242.52.22 | update[.]micro[.]gay, ns[.]supermirco[.]us, shaduruanjian8[.]com, img[.]shaduruanjian8[.]com, www[.]shaduranjian8[.]com, m[.]shadurauanjian8[.]com, update[.]imiul[.]com | Alibaba (US) | 
2024-02-06\r\nTable 1: Port 53 cluster IPs, domains, ASN, and certificate last seen dates\r\nTheory #1 (targeted deployment) looks somewhat more plausible when the domains in Table 1 are compared with the rest. The following entities are being spoofed:\r\nMicrosoft\r\nKazakhTelecom -- Kazakhstan's largest telecom company.\r\nGoogle\r\nSuperMicro -- A US IT company with offices in The Netherlands \u0026 Taiwan.\r\nShaduruanjian -- Translates to \"antivirus software\" from Chinese.\r\nSuspected Cluster #2\r\nI don't feel as strongly about this suspected cluster as the first, but it's different enough from the rest of the IPs that it's still worth putting out there for other researchers to dig into. All servers identified in Hunt share similar ports (53, 80, etc.), except for five, which only use port 443 for ShadowPad. The IPs in question are listed below.\r\nIP Address | Domain(s) | ASN | Cert Last Seen\r\n8.217.96.167 | N/A | Alibaba (US) | 2024-01-28\r\n149.28.135.145 | N/A | The Constant Company | 2024-01-24\r\n45.76.84.222 | N/A | The Constant Company | 2024-01-31\r\n45.32.127.56 | www[.]bernaspos[.]com, bernaspos[.]com | The Constant Company | 2024-01-31\r\n185.81.114.45 | pitikytech[.]me, mail[.]pitikytech[.]me | HZ Hosting Ltd | 2024-01-18\r\nTable 2: Smaller possible cluster using only port 443\r\nBonus\r\nThe spoofed Dell certificates weren't the only interesting information found when looking at this infrastructure. Many servers utilized a pattern of common names for RDP. 
For example, \"iZ5qjajwc0tiohZ\" was seen amongst 11 IPs not associated with the port 53 cluster. Names of this shape (an iZ prefix and a Z suffix around a run of alphanumerics) are the default hostnames Alibaba Cloud assigns to ECS instances, so a shared RDP common name of this kind is consistent with the servers coming from the same provider and should not be read on its own as evidence of a single operator.\r\nAdditional RDP CNs are listed below.\r\nFigure 11: First example of interesting RDP cert common name\r\nFigure 12: Another example of RDP cert\r\nFigure 13: Final example of similar RDP certificates\r\nConclusion\r\nHopefully, you enjoyed this post highlighting how looking outside default detection signatures can unveil malicious infrastructure. While most servers relied on standard communication ports, an interesting subset of 12 IPs utilized an HTTP server on port 53, raising questions about targeted deployment or misconfigurations.\r\nIf you haven't already, apply for an account and join me in researching additional ShadowPad servers.\r\nRemaining IPs/Domains\r\nSource: https://hunt.io/blog/tracking-shadowpad-infrastructure-via-non-standard-certificates",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hunt.io/blog/tracking-shadowpad-infrastructure-via-non-standard-certificates"
	],
	"report_names": [
		"tracking-shadowpad-infrastructure-via-non-standard-certificates"
	],
	"threat_actors": [],
	"ts_created_at": 1775434217,
	"ts_updated_at": 1775791965,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/780c33fe155039f188908882e7bf1b2411bd341c.pdf",
		"text": "https://archive.orkl.eu/780c33fe155039f188908882e7bf1b2411bd341c.txt",
		"img": "https://archive.orkl.eu/780c33fe155039f188908882e7bf1b2411bd341c.jpg"
	}
}