{
	"id": "f944bc92-83c8-4a7e-a214-905b72e631f0",
	"created_at": "2026-04-06T00:08:17.95436Z",
	"updated_at": "2026-04-10T13:11:43.046711Z",
	"deleted_at": null,
	"sha1_hash": "d2e86ebc2b883824ec38db0b5d558d53dea6b0ff",
	"title": "Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1192434,
	"plain_text": "Moshen Dragon’s Triad-and-Error Approach | Abusing Security\r\nSoftware to Sideload PlugX and ShadowPad\r\nBy Joey Chen and Amitai Ben Shushan Ehrlich\r\nPublished: 2022-05-02 · Archived: 2026-04-05 14:39:25 UTC\r\nExecutive Summary\r\nSentinelLabs researchers are tracking the activity of a Chinese-aligned cyberespionage threat actor\r\noperating in Central Asia, dubbed ‘Moshen Dragon’.\r\nAs the threat actor faced difficulties loading their malware against the SentinelOne agent, we observed an\r\nunusual approach of trial-and-error abuse of traditional antivirus products to attempt to sideload malicious\r\nDLLs.\r\nMoshen Dragon deployed five different malware triads in an attempt to use DLL search order hijacking to\r\nsideload ShadowPad and PlugX variants.\r\nMoshen Dragon deploys a variety of additional tools, including an LSA notification package and a passive\r\nbackdoor known as GUNTERS.\r\nOverview\r\nSentinelLabs recently uncovered a cluster of activity targeting the telecommunication sector in Central Asia,\r\nutilizing tools and TTPs commonly associated with Chinese APT actors. The threat actor systematically utilized\r\nsoftware distributed by security vendors to sideload ShadowPad and PlugX variants. Some of the activity partially\r\noverlaps with threat groups tracked by other vendors as RedFoxtrot and Nomad Panda. We track this cluster of\r\nactivity as ‘Moshen Dragon’.\r\nUsually, good detection has an inverse relationship with visibility of a threat actor’s TTPs. When part of an\r\ninfection chain gets detected, it usually means that we don’t get to see what the threat actor intended to deploy or\r\nultimately do. 
In an unexpected twist, our detection capabilities uncovered an unusual TTP as Moshen Dragon\r\nattempted to repeatedly bypass that detection.\r\nEvery time the intended payload was blocked, we were able to witness the actor’s reliance on a wide variety of\r\nlegitimate software leveraged to sideload ShadowPad and PlugX variants. Many of these hijacked programs\r\nbelong to security vendors, including Symantec, TrendMicro, BitDefender, McAfee and Kaspersky.\r\nRather than criticize any of these products for their abuse by an insistent threat actor, we remind readers that this\r\nattack vector reflects an age-old design flaw in the Windows Operating System that allows DLL search order\r\nhijacking. Tracking of additional Moshen Dragon loading mechanisms and hijacked software surfaced more\r\npayloads uploaded to VirusTotal, some of which were recently published under the name ‘Talisman’.\r\nhttps://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/\r\nPage 1 of 7\n\nIn addition to ShadowPad and the PlugX Talisman variant, Moshen Dragon deployed a variety of other tools,\r\nincluding an LSA notification package to harvest credentials and a passive loader dubbed GUNTERS by Avast.\r\nDespite all of this visibility, we are still unable to determine their main infection vector. Their concerted efforts\r\ninclude the use of known hacking tools, red team scripts, and on-keyboard attempts at lateral movement and data\r\nexfiltration.\r\nWe will focus on the actor’s insistent abuse of different AV products to load malicious payloads in an attempt to\r\n‘bruteforce’ infection chains that would go undetected by traditional SOC and MDR solutions.\r\nHijacking Security Products\r\nMoshen Dragon actors systematically abused security software to perform DLL search order hijacking. 
The\r\nhijacked DLL is in turn used to decrypt and load the final payload, stored in a third file residing in the same folder.\r\nThis combination is recognized as a sideloading triad, a technique commonly associated with Lucky Mouse.\r\nThe way the payloads were deployed, as well as other actions within target networks, suggests the threat actor uses\r\nImpacket for lateral movement. Upon execution, some of the payloads will achieve persistence by either\r\ncreating a scheduled task or a service.\r\nExecution flow of hijacked software as carried out by Moshen Dragon\r\nAs major portions of the Moshen Dragon activity were identified and blocked, the threat actor consistently\r\ndeployed new malware, using five different security products to sideload PlugX and ShadowPad variants.\r\nA summary of the hijacked software is presented in the table below:\r\nProduct | Path\r\nSymantec SNAC | C:\\Windows\\AppPatch, C:\\ProgramData\\SymantecSNAC, C:\\ProgramData\\Symantec\\SNAC, C:\\Windows\\Temp\r\nTrendMicro Platinum Watch Dog | C:\\Windows\\AppPatch\r\nBitDefender SSL Proxy Tool | C:\\ProgramData\\Microsoft\\Windows, C:\\ProgramData\\Microsoft\\Windows\\LfSvc, C:\\ProgramData\\Microsoft\\Windows\\WinMSIPC, C:\\ProgramData\\Microsoft\\Windows\\ClipSVC, C:\\ProgramData\\Microsoft\\Wlansvc, C:\\ProgramData\\Microsoft\\Windows\\Ringtones\r\nMcAfee Agent | C:\\ProgramData\\McAfee, C:\\ProgramData\\Microsoft\\WwanSvc, C:\\ProgramData\\Microsoft\\WinMSIPC\r\nKaspersky Anti-Virus Launcher | C:\\ProgramData\\Microsoft\\XboxLive, C:\\programdata\\GoogleUpdate\r\nLateral Movement Using Impacket\r\nImpacket is a collection of Python classes for working with network protocols, commonly utilized by threat actors\r\nfor lateral movement. 
One of the favorite tools in the Impacket arsenal is wmiexec, which enables remote code\r\nexecution via WMI. An effective way to identify wmiexec execution is searching for the unique command line\r\npattern it creates. Moshen Dragon activities are rife with this pattern.\r\nLateral Movement utilizing Impacket as identified by the SentinelOne Agent\r\nLSA Notification Package – SecureFilter\r\nWhen on domain controllers, Moshen Dragon dropped a password filter and loaded it into the lsass process via\r\nLSA Notification packages. Impacket is used in the following manner:\r\ncmd.exe /Q /c REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\" /v \"Notification Packages\" /t REG_M\r\nThe DLL deployed is dropped in the path C:\\Windows\\System32\\SecureFilter.dll in order to enable loading\r\nusing the Notification Package feature. The DLL seems to rely on an open source project named\r\nDLLPasswordFilterImplant, effectively writing changed user passwords to the file\r\nC:\\Windows\\Temp\\Filter.log.\r\nSnippet from SecureFilter.dll\r\nGUNTERS – A Passive Loader\r\nDuring our analysis of Moshen Dragon’s activities, we came across a passive loader previously discussed by Avast\r\nas ‘GUNTERS’. This backdoor appears to be highly targeted as it performs checks to verify that it is executed on\r\nthe right machine.\r\nBefore execution, the malware calculates the hash of the machine hostname and compares it to a hardcoded value,\r\nsuggesting that the threat actor generates a different DLL for each target machine.\r\nThe loader utilized WinDivert to intercept incoming traffic, searching for a magic string to initiate a decrypting\r\nprocess utilizing a custom protocol. 
Following the decryption process, the malware attempts to load a PE file with\r\nan exported function named SetNtApiFunctions, which it calls to launch the payload.\r\nExported functions of an internal GUNTERS resource utilized in the loading process\r\nA thorough analysis of the custom protocol and loading mechanism is available here.\r\nAdditional Payloads\r\nSentinelLabs came across additional related artifacts overlapping with this threat cluster. It’s possible that some of\r\nthose were utilized by Moshen Dragon or a related actor.\r\nFile name | SHA1 | C\u0026C\r\nSNAC.log | e9e8c2e720f5179ff1c0ac30ce017224ac0b2f1b | freewula.strangled.net, szuunet.strangled.net\r\nSNAC.log | b6c6c292cbd35298a5f055448177bcfd5d0b23bf | final.staticd.dynamic-dns.net\r\nSNAC.log | 2294ecbbb065c517bd0e01f3f01aabd0a0402f5a | dhsg123.jkub.com\r\nbdch.tmp | 7021a62b68751b7a3a2984b2996139aca8d19fec | greenhugeman.dns04.com\r\nAfter analyzing these payloads, we found them to be additional PlugX and ShadowPad variants. SNAC.log\r\npayloads have been identified by other researchers as Talisman, which is known to be another variant of PlugX. In\r\naddition, the bdch.tmp payload was produced by shellcode with a structure similar to ShadowPad malware but\r\nwithout the initial code obfuscation and decryption logic typically seen in ShadowPad.\r\nConclusion\r\nPlugX and ShadowPad have a well-established history of use among Chinese-speaking threat actors primarily for\r\nespionage activity. 
Those tools have flexible, modular functionality and are compiled via shellcode to easily\r\nbypass traditional endpoint protection products.\r\nHere we focused on Moshen Dragon TTPs observed during an unusual engagement that forced the threat actor to\r\nconduct multiple phases of trial-and-error to attempt to deploy their malware. Once the attackers have established\r\na foothold in an organization, they proceed with lateral movement by leveraging Impacket within the network,\r\nplacing a passive backdoor into the victim environment, harvesting as many credentials as possible to ensure\r\nunlimited access, and focusing on data exfiltration.\r\nSentinelLabs continues to monitor Moshen Dragon activity as it unfolds.\r\nIndicators of Compromise\r\nSource: 
https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/"
	],
	"report_names": [
		"moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad"
	],
	"threat_actors": [
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d8ef10e-1d7b-49a0-ab6e-f1dae465a1a4",
			"created_at": "2023-01-06T13:46:38.595679Z",
			"updated_at": "2026-04-10T02:00:03.033762Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"TwoForOne",
				"G0068",
				"ATK33"
			],
			"source_name": "MISPGALAXY:PLATINUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e61c46f7-88a1-421a-9fed-0cfe2eeb820a",
			"created_at": "2022-10-25T16:07:24.061767Z",
			"updated_at": "2026-04-10T02:00:04.854503Z",
			"deleted_at": null,
			"main_name": "Platinum",
			"aliases": [
				"ATK 33",
				"G0068",
				"Operation EasternRoppels",
				"TwoForOne"
			],
			"source_name": "ETDA:Platinum",
			"tools": [
				"AMTsol",
				"Adupib",
				"Adupihan",
				"Dipsind",
				"DvDupdate.dll",
				"JPIN",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"RedPepper",
				"RedSalt",
				"Titanium",
				"adbupd",
				"psinstrc.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c09dd7ba-3b6c-4a02-9ae6-949b0afc0b16",
			"created_at": "2023-01-06T13:46:38.907191Z",
			"updated_at": "2026-04-10T02:00:03.141637Z",
			"deleted_at": null,
			"main_name": "NOMAD PANDA",
			"aliases": [],
			"source_name": "MISPGALAXY:NOMAD PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "df299f24-89cb-47e3-9515-c018bb501443",
			"created_at": "2023-11-21T02:00:07.383392Z",
			"updated_at": "2026-04-10T02:00:03.473887Z",
			"deleted_at": null,
			"main_name": "Moshen Dragon",
			"aliases": [],
			"source_name": "MISPGALAXY:Moshen Dragon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbb1ee4e-bbe9-44de-8f46-8e7fec09f695",
			"created_at": "2022-10-25T16:07:24.120424Z",
			"updated_at": "2026-04-10T02:00:04.871598Z",
			"deleted_at": null,
			"main_name": "RedFoxtrot",
			"aliases": [
				"Moshen Dragon",
				"Nomad Panda",
				"TEMP.Trident"
			],
			"source_name": "ETDA:RedFoxtrot",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Fucobha",
				"GUNTERS",
				"Gen:Trojan.Heur.PT",
				"Icefog",
				"Impacket",
				"Kaba",
				"Korplug",
				"PCShare",
				"POISONPLUG.SHADOW",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"XShellGhost",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "33f527a5-a5da-496a-a48c-7807cc858c3e",
			"created_at": "2022-10-25T15:50:23.803657Z",
			"updated_at": "2026-04-10T02:00:05.333523Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"PLATINUM"
			],
			"source_name": "MITRE:PLATINUM",
			"tools": [
				"JPIN",
				"Dipsind",
				"adbupd"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434097,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d2e86ebc2b883824ec38db0b5d558d53dea6b0ff.pdf",
		"text": "https://archive.orkl.eu/d2e86ebc2b883824ec38db0b5d558d53dea6b0ff.txt",
		"img": "https://archive.orkl.eu/d2e86ebc2b883824ec38db0b5d558d53dea6b0ff.jpg"
	}
}