{
	"id": "63d6981a-f02b-40fc-8b70-3b16ac2e8fe4",
	"created_at": "2026-04-06T00:18:56.704877Z",
	"updated_at": "2026-04-10T03:32:21.602493Z",
	"deleted_at": null,
	"sha1_hash": "e887e4006215baca78e47fcfecd8a99683329220",
	"title": "ShadowPad: How Attackers hide Backdoor in Software used by Hundreds of Large Companies around the World",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55050,
	"plain_text": "ShadowPad: How Attackers hide Backdoor in Software used by\r\nHundreds of Large Companies around the World\r\nBy Kaspersky\r\nPublished: 2017-08-15 · Archived: 2026-04-05 16:19:53 UTC\r\nShadowPad is one of the largest known supply-chain attacks. Had it not been detected and patched so\r\nquickly, it could potentially have targeted hundreds of organizations worldwide.\r\nKaspersky Lab experts have discovered a backdoor planted in a server management software product used\r\nby hundreds of large businesses around the world. When activated, the backdoor allows attackers to\r\ndownload further malicious modules or steal data. Kaspersky Lab has alerted NetSarang, the vendor of the\r\naffected software, and it has promptly removed the malicious code and released an update for customers.\r\nShadowPad is one of the largest known supply-chain attacks. Had it not been detected and patched so quickly, it\r\ncould potentially have targeted hundreds of organizations worldwide.\r\nIn July, 2017 Kaspersky Lab’s Global Research and Analysis (GReAT) team was approached by one of its partners\r\n– a financial institution. The organization’s security specialists were worried about suspicious DNS (domain name\r\nserver) requests originating on a system involved in the processing of financial transactions. Further investigation\r\nshowed that the source of these requests was server management software produced by a legitimate company and\r\nused by hundreds of customers in industries like financial services, education, telecoms, manufacturing, energy,\r\nand transportation. The most worrying finding was the fact that the vendor did not mean for the software to make\r\nthese requests.\r\nFurther Kaspersky Lab analysis showed that the suspicious requests were actually the result of the activity of a\r\nmalicious module hidden inside a recent version of the legitimate software. 
Following the installation of an\r\ninfected software update, the malicious module would start sending DNS-queries to specific domains (its\r\ncommand and control server) at a frequency of once every eight hours. The request would contain basic\r\ninformation about the victim system (user name, domain name, host name). If the attackers considered the system\r\nto be “interesting”, the command server would reply and activate a fully-fledged backdoor platform that would\r\nsilently deploy itself inside the attacked computer. After that, on command from the attackers, the backdoor\r\nplatform would be able to download and execute further malicious code.\r\nFollowing the discovery, Kaspersky Lab researchers immediately contacted NetSarang. The company reacted fast\r\nand released an updated version of the software without the malicious code.\r\nSo far, according to Kaspersky Lab research, the malicious module has been activated in Hong Kong, but it could\r\nbe lying dormant on many other systems worldwide, especially if the users have not installed the updated version\r\nof the affected software.\r\nhttps://www.kaspersky.com/about/press-releases/2017_shadowpad-how-attackers-hide-backdoor-in-software-used-by-hundreds-of-large-companies-around-the-world\r\nPage 1 of 3\n\nWhile analyzing the tools, techniques and procedures used by the attackers, KL researchers came to the\r\nconclusion that some similarities exist that point to PlugX malware variants used by the Winnti APT, a known\r\nChinese-speaking cyberespionage group. This information, however, is not enough to establish a precise\r\nconnection to these actors.\r\n“ShadowPad is an example of how dangerous and wide-scale a successful supply-chain attack can be. Given the\r\nopportunities for reach and data collection it gives to the attackers, most likely it will be reproduced again and\r\nagain with some other widely used software component. 
Luckily NetSarang was fast to react to our notification\r\nand released a clean software update, most likely preventing hundreds of data stealing attacks against its clients.\r\nHowever, this case shows that large companies should rely on advanced solutions capable of monitoring network\r\nactivity and detecting anomalies. This is where you can spot malicious activity even if the attackers were\r\nsophisticated enough to hide their malware inside legitimate software,” said Igor Soumenkov, security expert,\r\nGlobal Research and Analysis Team, Kaspersky Lab.\r\nNetSarang Statement\r\n“To combat the ever-changing landscape of cyberattacks NetSarang has incorporated various methods and\r\nmeasures to prevent our line of products from being compromised, infected, or utilized by cyberespionage groups.\r\nRegretfully, the Build release of our full line of products on July 18th, 2017 was unknowingly shipped with a\r\nbackdoor which had the potential to be exploited by its creator.\r\nThe security of our customers and user base is our highest priority and ultimately, our responsibility. The fact that\r\nmalicious groups and entities are utilizing commercial and legitimate software for illicit gain is an ever-growing\r\nconcern and one that NetSarang, as well as others in the computer software industry, is taking very seriously.\r\nNetSarang is committed to its users’ privacy and has incorporated a more robust system to ensure that never\r\nagain will a compromised product be delivered to its users. 
NetSarang will continue to evaluate and improve our\r\nsecurity not only to combat the efforts of cyber espionage groups around the world but also in order to regain the\r\ntrust of its loyal user base.”\r\nAll Kaspersky Lab products detect and protect against the ShadowPad malware as\r\n“Backdoor.Win32.ShadowPad.a”.\r\nKaspersky Lab advises users to update immediately to the latest version of the NetSarang software, from which the\r\nmalicious module has been removed, and to check their systems for signs of DNS queries to unusual domains. A\r\nlist of the command server domains used by the malicious module can be found in the Securelist blogpost, which\r\nalso includes further technical information on the backdoor.\r\nAbout Kaspersky Lab\r\nKaspersky Lab is a global cybersecurity company celebrating its 20-year anniversary in 2017. Kaspersky Lab’s\r\ndeep threat intelligence and security expertise is constantly transforming into security solutions and services to\r\nprotect businesses, critical infrastructure, governments and consumers around the globe. The company’s\r\ncomprehensive security portfolio includes leading endpoint protection and a number of specialized security\r\nsolutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by\r\nKaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more\r\nat www.kaspersky.com.\r\nAbout NetSarang\r\nNetSarang Computer, Inc. develops, markets and supports secure connectivity solutions in the global market. The\r\ncompany develops a family of PC X server and SSH client software for PC-to-Unix and PC-to-Linux, and is\r\nexpanding its TCP/IP network technologies to other Internet businesses. 
The company offers its products and\r\nservices to more than 90 countries around the world.\r\nSource: https://www.kaspersky.com/about/press-releases/2017_shadowpad-how-attackers-hide-backdoor-in-software-used-by-hundreds-of-large-companies-around-the-world",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.kaspersky.com/about/press-releases/2017_shadowpad-how-attackers-hide-backdoor-in-software-used-by-hundreds-of-large-companies-around-the-world"
	],
	"report_names": [
		"2017_shadowpad-how-attackers-hide-backdoor-in-software-used-by-hundreds-of-large-companies-around-the-world"
	],
	"threat_actors": [
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434736,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e887e4006215baca78e47fcfecd8a99683329220.pdf",
		"text": "https://archive.orkl.eu/e887e4006215baca78e47fcfecd8a99683329220.txt",
		"img": "https://archive.orkl.eu/e887e4006215baca78e47fcfecd8a99683329220.jpg"
	}
}