{ "id": "c60970f7-08a2-4b39-8741-0751ec17fb43", "created_at": "2026-04-06T00:17:27.921773Z", "updated_at": "2026-04-10T03:37:54.292546Z", "deleted_at": null, "sha1_hash": "f00543563e8e8be9e2099a9577db3d0a8acf5972", "title": "It’s a BEE! It’s a… no, it’s ShadowPad.", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 5087292, "plain_text": "It’s a BEE! It’s a… no, it’s ShadowPad.\r\nBy asuna amawaka\r\nPublished: 2021-11-19 · Archived: 2026-04-05 18:36:41 UTC\r\nShadowPad, a malware name that is familiar to many, became widely known since 2017 through its participation\r\nin a series of supply-chain attacks in CCleaner, NetSarang and ASUS. There has been a lot of good work\r\ndescribing how clusters of activities by different threat actors (APT41, Fishmonger, Tonto Team, RedFoxTrot,\r\nBackdoorDiplomacy are all the “big names” we know) are linked by ShadowPad. I thought to join in the fun of\r\nreverse engineering one of the variant of ShadowPad that I found from VirusTotal. So let’s begin!\r\nSide-note: Kaspersky calls this variant “ShadowShredder” [1]. This variant has also been documented by\r\nPTSecurity [2] in Jan 2021 and was also recently in TeamT5’s presentation in VB2021localhost conference [3].\r\nThe malware trinity (DLL load-order attack) analyzed in this post:\r\nLegitimate EXE, bdreinit.exe (Bitdefender’s Crash Handler) — SHA256:\r\n386EB7AA33C76CE671D6685F79512597F1FAB28EA46C8EC7D89E58340081E2BD\r\nMalicious DLL, log.dll — SHA256:\r\n8D1A5381492FE175C3C8263B6B81FD99AACE9E2506881903D502336A55352FEF\r\nEncrypted Payload, log.dll.dat — SHA256:\r\n0371FC2A7CC73665971335FC23F38DF2C82558961AD9FC2E984648C9415D8C4E\r\nI found these files separately, so they may not be originally intended as a package. I managed to piece them\r\ntogether based on their filenames, and they work fine as a set. These files happened to have debugging strings\r\nincluded, which makes the analysis slightly more pleasing to follow.\r\nLet’s start with observations from dynamic analysis.\r\nHere’s what the log looked like in the debugger upon execution without breakpoints:\r\nhttps://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2\r\nPage 1 of 16\n\nPress enter or click to view image in full size\r\nlogged by x32dbg\r\nThe same debugging information is also written into a file C:\\ProgramData\\bee.log.\r\nPress enter or click to view image in full size\r\nbee.log\r\nPress enter or click to view image in full size\r\nhttps://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2\r\nPage 2 of 16\n\nmore of bee.log\r\nIt seems that I’ve picked up a test sample. The C2 domain configured within is a subdomain of wikimedia[.]vip,\r\nwhich has been associated with Funnydll and other ShadowPad samples.\r\nI’m curious about the author’s choice of name — What does “BEE” stand for?\r\nI extracted all the interesting filename strings, for reference if anyone is interested at guessing the full suite of\r\ncapabilities within ShadowPad:\r\nPress enter or click to view image in full size\r\nhttps://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2\r\nPage 3 of 16\n\nsource filenames\r\nAnd here’s the list of debugging messages found in memory:\r\nPress enter or click to view image in full size\r\nhttps://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2\r\nPage 4 of 16\n\ndebugging messages\r\nThe processes created are as such:\r\nhttps://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2\r\nPage 5 of 16\n\nlogged with APIMonitor\r\n“Test.exe” is a copy of bdreinit.exe and is part of the persistency mechanism of the malware — The EXE and DLL\r\nare started via Services, and the encrypted payload is loaded from Registry. I supposed if service installation fails,\r\nthen the malware shall persist through Run regkey.\r\nhttps://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2\r\nPage 6 of 16\n\nThe EXE and DLL are copied to C:\\ProgramData\\DRM\\Test (specified by configuration), while the DAT payload\r\nfile is deleted after the first execution. For subsequent executions, the payload is read from Registry.\r\nThe payload is re-encrypted by the malware before it is being written into the Registry for persistency. For some\r\nreasons, the initialization value used in the re-encryption algorithm is the compilation timestamp of the malicious\r\nDLL file, while the initialization value used in the original encryption algorithm is the first 4 bytes within the dat\r\nfile, hence the encrypted data seen in the registry differs from the log.dll.dat file.\r\nPress enter or click to view image in full size\r\nhttps://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2\r\nPage 7 of 16\n\nencrypted payload in registry\r\nPress enter or click to view image in full size\r\nencrypted payload file\r\nHere is the python script I used to decrypt the payload file log.dll.dat:\r\nAnd here is the script for decrypting the payload from registry:\r\nThe malware has keystroke logging capabilities, and the keystroke log file is encrypted and saved to a random-looking filepath in %PROGRAMDATA% like this:\r\nC:\\ProgramData\\MOO\\JKISIQ\\EWGSE\\LECIIOGK\r\nDecryption of the keystroke log file is done in the same manner as the configuration data (I’ll talk about how to\r\nget this in awhile):\r\nAnti-reverse engineering obfuscation\r\nNow, here comes details on how I handled the reverse engineering. This is slightly harder than usual, because of\r\nthe obfuscation technique used in the malware. The original malware binary is “shredded” into pieces, with 1\r\ninstruction per piece, and put back together with a “jumper” function as glue. Oh, and there are some junk “cmp”\r\nfollowed by “jb” instructions just to make your eyes hurt.\r\nLet’s see what it looks like in IDA.\r\nGet asuna amawaka’s stories in your inbox\r\nJoin Medium for free to get updates from this writer.\r\nRemember me for faster sign in\r\nhttps://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2\r\nPage 8 of 16\n\nUp till this point at address 0x100011D6, everything is normal.\r\nPress enter or click to view image in full size\r\ndisassembly at beginning of malware logic\r\nThen came this jmp:\r\nFollowed by another call:\r\nIf we follow the instructions starting from 0x10004465, you will see something like this:\r\nPress enter or click to view image in full size\r\nhttps://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2\r\nPage 9 of 16\n\nwithin “jumper” function\r\nIt looks terribly complicated, but all it does is to read the next dword after the call and add it to original intended\r\nreturn address.\r\nPress enter or click to view image in full size\r\nillustrate jumper (1)\r\nAnd these “bits and pieces” of instructions occur from here onwards, throughout the whole malware. The “real”\r\ninstruction that is part of the malware’s logic is the single instruction before the call to jumper. Trying to recover\r\nthese instructions makes me feel like I am picking up the pieces from the shredding machine and gluing them\r\nback.\r\nPress enter or click to view image in full size\r\nillustrate jumper (2)\r\nPress enter or click to view image in full size\r\nhttps://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2\r\nPage 10 of 16\n\nillustrate jumper (3)\r\nPress enter or click to view image in full size\r\nillustrate jumper (4)\r\nPress enter or click to view image in full size\r\nillustrate jumper (5)\r\nPress enter or click to view image in full size\r\nillustrate jumper (6)\r\nAfter doing away with the jumper calls, here’s a snippet of recovered “shreds” of instructions:\r\nPress enter or click to view image in full size\r\nhttps://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2\r\nPage 11 of 16\n\nI greyed out the junk “cmp” and “jb” instructions. Up till this point, the process of recovery is very manual, with\r\nabit of help from this IDAPython script I wrote:\r\nThe python script is not perfect — at some point it will fail to work as intended, and I will have to apply the script\r\nagain at the position where it failed. Furthermore, this manner of “advancing” through the disassembly in IDA\r\ndidn’t feel very efficient. As it turns out, using the “trace” feature in the debugger produced the expected results\r\nwith ease.\r\nPress enter or click to view image in full size\r\ntrace in x32dbg\r\nPress enter or click to view image in full size\r\nhttps://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2\r\nPage 12 of 16\n\ntraced log\r\nhttps://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2\r\nPage 13 of 16\n\nAfter some cleaning up, here’s the code logic that decrypts the payload from registry, for a taste of what we can\r\nsee after doing away with the jumper calls and junk cmp-jbs.\r\nPress enter or click to view image in full size\r\ntraced instructions for decrypting payload from registry\r\nMalware Configuration\r\nhttps://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2\r\nPage 14 of 16\n\nIn order to recover the configuration data, it helps to know what it looks like from older variants of ShadowPad\r\n(without the shredding obfuscation) — so that we can recognize it in memory. I used APIMonitor to look out for\r\nmemory copies, because I knew that was what ShadowPad will do with its configuration.\r\nPress enter or click to view image in full size\r\nAPIMonitor log of memcpy\r\nOne visual characteristic of the configuration data is that it will start and end with many zeroes, and it is not very\r\nlong (the part that looks like encrypted data is approx. ~400 bytes long). In this particular sample, the memory size\r\nexpected for the configuration is 2198 bytes long. This can perhaps be a helping value to look out for the memcpy\r\ncall dealing with the configuration.\r\nDecryption of the configuration data uses the exact same algorithm as what is used to decrypt the keystroke log\r\nfile. Earlier I shared the standalone python script used to decrypt the keystroke log file. Here’s the IDAPython\r\nversion to handle the configuration data in IDA:\r\nAnd here’s the decrypted configuration:\r\nPress enter or click to view image in full size\r\nhttps://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2\r\nPage 15 of 16\n\nShadowPad configuration decrypted\r\nHmmm~ it looks like someone was testing his BEE some 3 months ago, based on that timestamp in the\r\nconfiguration.\r\nWell then, that is all I have. Come chat with me on Twitter if you have any idea how I can automate this analysis; I\r\nseem to have done most stuff in the painful way :|\r\nSource: https://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2\r\nhttps://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2\r\nPage 16 of 16", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2" ], "report_names": [ "its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2" ], "threat_actors": [ { "id": "709ceea7-db99-405e-b5a7-a159e6c307e0", "created_at": "2022-10-25T16:07:23.373699Z", "updated_at": "2026-04-10T02:00:04.571971Z", "deleted_at": null, "main_name": "BackdoorDiplomacy", "aliases": [], "source_name": "ETDA:BackdoorDiplomacy", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "3b56d733-88da-4394-b150-d87680ce67e4", "created_at": "2023-01-06T13:46:39.287189Z", "updated_at": "2026-04-10T02:00:03.274816Z", "deleted_at": null, "main_name": "BackdoorDiplomacy", "aliases": [ "BackDip", "CloudComputating", "Quarian" ], "source_name": "MISPGALAXY:BackdoorDiplomacy", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "1aead86d-0c57-4e3b-b464-a69f6de20cde", "created_at": "2023-01-06T13:46:38.318176Z", "updated_at": "2026-04-10T02:00:02.925424Z", "deleted_at": null, "main_name": "DAGGER PANDA", "aliases": [ "UAT-7290", "Red Foxtrot", "IceFog", "RedFoxtrot", "Red Wendigo", "PLA Unit 69010" ], "source_name": "MISPGALAXY:DAGGER PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "58db0213-4872-41fe-8a76-a7014d816c73", "created_at": "2023-01-06T13:46:38.61757Z", "updated_at": "2026-04-10T02:00:03.040816Z", "deleted_at": null, "main_name": "Tonto Team", "aliases": [ "G0131", "PLA Unit 65017", "Earth Akhlut", "TAG-74", "CactusPete", "KARMA PANDA", "BRONZE HUNTLEY", "Red Beifang" ], "source_name": "MISPGALAXY:Tonto Team", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "da483338-e479-4d74-a6dd-1fb09343fd07", "created_at": "2022-10-25T15:50:23.698197Z", "updated_at": "2026-04-10T02:00:05.355597Z", "deleted_at": null, "main_name": "Tonto Team", "aliases": [ "Tonto Team", "Earth Akhlut", "BRONZE HUNTLEY", "CactusPete", "Karma Panda" ], "source_name": "MITRE:Tonto Team", "tools": [ "Mimikatz", "Bisonal", "ShadowPad", "LaZagne", "NBTscan", "gsecdump" ], "source_id": "MITRE", "reports": null }, { "id": "17d16126-35d7-4c59-88a5-0b48e755e80f", "created_at": "2025-08-07T02:03:24.622109Z", "updated_at": "2026-04-10T02:00:03.726126Z", "deleted_at": null, "main_name": "BRONZE HUNTLEY", "aliases": [ "CactusPete ", "Earth Akhlut ", "Karma Panda ", "Red Beifang", "Tonto Team" ], "source_name": "Secureworks:BRONZE HUNTLEY", "tools": [ "Bisonal", "RatN", "Royal Road", "ShadowPad" ], "source_id": "Secureworks", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "401a2035-ed5a-4795-8e37-8b7465484751", "created_at": "2022-10-25T15:50:23.616232Z", "updated_at": "2026-04-10T02:00:05.304705Z", "deleted_at": null, "main_name": "BackdoorDiplomacy", "aliases": [ "BackdoorDiplomacy" ], "source_name": "MITRE:BackdoorDiplomacy", "tools": [ "Turian", "China Chopper", "Mimikatz", "NBTscan", "QuasarRAT" ], "source_id": "MITRE", "reports": null }, { "id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a", "created_at": "2022-10-25T16:07:24.332084Z", "updated_at": "2026-04-10T02:00:04.940672Z", "deleted_at": null, "main_name": "Tonto Team", "aliases": [ "Bronze Huntley", "CactusPete", "Earth Akhlut", "G0131", "HartBeat", "Karma Panda", "LoneRanger", "Operation Bitter Biscuit", "TAG-74", "Tonto Team" ], "source_name": "ETDA:Tonto Team", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Bioazih", "Bisonal", "CONIME", "Dexbia", "Korlia", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "POISONPLUG.SHADOW", "RoyalRoad", "ShadowPad Winnti", "XShellGhost" ], "source_id": "ETDA", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "bbb1ee4e-bbe9-44de-8f46-8e7fec09f695", "created_at": "2022-10-25T16:07:24.120424Z", "updated_at": "2026-04-10T02:00:04.871598Z", "deleted_at": null, "main_name": "RedFoxtrot", "aliases": [ "Moshen Dragon", "Nomad Panda", "TEMP.Trident" ], "source_name": "ETDA:RedFoxtrot", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Agent.dhwf", "Chymine", "Darkmoon", "Destroy RAT", "DestroyRAT", "Fucobha", "GUNTERS", "Gen:Trojan.Heur.PT", "Icefog", "Impacket", "Kaba", "Korplug", "PCShare", "POISONPLUG.SHADOW", "PlugX", "Poison Ivy", "RedDelta", "RoyalRoad", "SPIVY", "ShadowPad Winnti", "Sogu", "TIGERPLUG", "TVT", "Thoper", "XShellGhost", "Xamtrav", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7", "created_at": "2025-08-07T02:03:24.688416Z", "updated_at": "2026-04-10T02:00:03.734754Z", "deleted_at": null, "main_name": "BRONZE UNIVERSITY", "aliases": [ "Aquatic Panda", "Aquatic Panda ", "CHROMIUM", "CHROMIUM ", "Charcoal Typhoon", "Charcoal Typhoon ", "Earth Lusca", "Earth Lusca ", "FISHMONGER ", "Red Dev 10", "Red Dev 10 ", "Red Scylla", "Red Scylla ", "RedHotel", "RedHotel ", "Tag-22", "Tag-22 " ], "source_name": "Secureworks:BRONZE UNIVERSITY", "tools": [ "Cobalt Strike", "Fishmaster", "FunnySwitch", "Spyder", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c", "created_at": "2022-10-25T16:07:23.750796Z", "updated_at": "2026-04-10T02:00:04.736762Z", "deleted_at": null, "main_name": "Ke3chang", "aliases": [ "APT 15", "BackdoorDiplomacy", "Bronze Davenport", "Bronze Idlewood", "Bronze Palace", "CTG-9246", "G0004", "G0135", "GREF", "Ke3chang", "Metushy", "Nylon Typhoon", "Operation Ke3chang", "Operation MirageFox", "Playful Dragon", "Playful Taurus", "PurpleHaze", "Red Vulture", "Royal APT", "Social Network Team", "Vixen Panda" ], "source_name": "ETDA:Ke3chang", "tools": [ "Agentemis", "Anserin", "BS2005", "BleDoor", "CarbonSteal", "Cobalt Strike", "CobaltStrike", "DarthPusher", "DoubleAgent", "EternalBlue", "GoldenEagle", "Graphican", "HenBox", "HighNoon", "IRAFAU", "Ketrican", "Ketrum", "LOLBAS", "LOLBins", "Living off the Land", "MS Exchange Tool", "Mebroot", "Mimikatz", "MirageFox", "NBTscan", "Okrum", "PluginPhantom", "PortQry", "ProcDump", "PsList", "Quarian", "RbDoor", "RibDoor", "Royal DNS", "RoyalCli", "RoyalDNS", "SAMRID", "SMBTouch", "SilkBean", "Sinowal", "SpyWaller", "Theola", "TidePool", "Torpig", "Turian", "Winnti", "XSLCmd", "cobeacon", "nbtscan", "netcat", "spwebmember" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434647, "ts_updated_at": 1775792274, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/f00543563e8e8be9e2099a9577db3d0a8acf5972.pdf", "text": "https://archive.orkl.eu/f00543563e8e8be9e2099a9577db3d0a8acf5972.txt", "img": "https://archive.orkl.eu/f00543563e8e8be9e2099a9577db3d0a8acf5972.jpg" } }