{
	"id": "0c7f1b6e-b88f-4199-a2ac-836adf240875",
	"created_at": "2026-04-06T00:13:15.519542Z",
	"updated_at": "2026-04-10T03:21:37.849725Z",
	"deleted_at": null,
	"sha1_hash": "c3f02d9bf57696c07b7a61bee9b56ccecee66dfc",
	"title": "Chasing Shadows: A deep dive into the latest obfuscation methods being used by ShadowPad",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56902,
	"plain_text": "Chasing Shadows: A deep dive into the latest obfuscation methods being used by ShadowPad\r\nBy PricewaterhouseCoopers\r\nArchived: 2026-04-02 11:49:43 UTC\r\nAppendix A – Indicators of compromise\r\nSource: https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html",
	"extraction_quality": 1,
	"language": "VI",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html"
	],
	"report_names": [
		"chasing-shadows.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434395,
	"ts_updated_at": 1775791297,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c3f02d9bf57696c07b7a61bee9b56ccecee66dfc.pdf",
		"text": "https://archive.orkl.eu/c3f02d9bf57696c07b7a61bee9b56ccecee66dfc.txt",
		"img": "https://archive.orkl.eu/c3f02d9bf57696c07b7a61bee9b56ccecee66dfc.jpg"
	}
}