{ "id": "6914e17d-c4b7-4d42-8556-c3b447d0cebd", "created_at": "2026-04-06T00:06:31.440283Z", "updated_at": "2026-04-10T03:25:08.983315Z", "deleted_at": null, "sha1_hash": "fd6ccd5997c47fda6e6994bc252cefca1c9c980e", "title": "TA-ShadowCricket: The 13-Year Shadow Campaign Exposed", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 371781, "plain_text": "TA-ShadowCricket: The 13-Year Shadow Campaign Exposed\r\nArchived: 2026-04-05 16:17:44 UTC\r\n▶ Download Full Report\r\nBackground\r\nTA-ShadowCricket is a threat group formerly known as Shadow Force and is suspected to have ties to China. This\r\ngroup has been active for over ten years in countries across the Asia-Pacific region, including South Korea. The\r\ngroup primarily infiltrates systems by using Windows MS SQL and RDP, and installs IRC bots or backdoors for\r\ncontrol. Since December 2021, installations of virtual asset miners have also been identified on some\r\ncompromised systems.\r\nThis report is based on joint tracking of TA-ShadowCricket's activities since 2023, conducted by the National\r\nCyber Security Center (hereinafter referred to as NCSC) and AhnLab.\r\nTA-ShadowCricket\r\nThreat Group Naming\r\nAhnLab manages threat activity using its Threat Actor Classification System and Naming Convention, which\r\ncategorizes threats into four levels. Threat actors are classified as either unidentified (Larva) or identified\r\n(Arthropod).\r\nhttps://www.ahnlab.com/en/contents/content-center/35891\r\nPage 1 of 3\n\nSince November 2024, AhnLab has been analyzing the threat group's IRC server and related malware in\r\ncollaboration with the NCSC. At that time, the threat group was being tracked as the unidentified threat actor\r\nLarva-24013. It was later confirmed that they were connected to the previously known Shadow Force group.\r\nAccordingly, in line with AhnLab's classification system and naming convention, the group was newly designated\r\nas the identified threat actor TA-ShadowCricket.\r\nConclusion\r\nThe TA-ShadowCricket group has been operating out of Korea for over a decade, targeting regions across Asia.\r\nThe threat actors have maintained their legacy attack habits as they have consistently used the same malware and\r\ntool file names. Despite this, there has been limited coverage of this threat group by security firms or institutions,\r\nresulting in a continued lack of information.\r\nTA-ShadowCricket does not demand ransom post-breach, nor does it release stolen data on the dark web. Instead,\r\nthe group has quietly operated for over 13 years, persistently managing affected systems and their corresponding\r\nC2 servers across thousands of IPs. This infrastructure could potentially be leveraged for future attacks such as\r\nDDoS.\r\nVarious indicators—including the tools and developers used, primary target regions, and connections to C\u0026C\r\nservers via Chinese IPs—suggest potential links to China. However, the use of personal nicknames within the\r\nmalware and recent behaviors like installing miners raise doubts about whether this is a state-sponsored APT\r\ngroup.\r\nThis joint analysis has confirmed that TA-ShadowCricket still manages compromised systems using IRC bots.\r\nAnalysis of the IRC servers indicates that more than 2,000 bots are currently in operation. To prevent further,\r\npotentially widespread damage, it is critical to block these IRC servers and to detect, neutralize, and remove the\r\nassociated malware.\r\n▶ Download Full Report\r\nhttps://www.ahnlab.com/en/contents/content-center/35891\r\nPage 2 of 3\n\nSource: https://www.ahnlab.com/en/contents/content-center/35891\r\nhttps://www.ahnlab.com/en/contents/content-center/35891\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MISPGALAXY" ], "references": [ "https://www.ahnlab.com/en/contents/content-center/35891" ], "report_names": [ "35891" ], "threat_actors": [ { "id": "1d4e09da-fc00-4b5b-ac1a-f08813e611d4", "created_at": "2023-01-06T13:46:39.125711Z", "updated_at": "2026-04-10T02:00:03.223339Z", "deleted_at": null, "main_name": "Operation Shadow Force", "aliases": [ "TA-ShadowCricket", "Larva-24013" ], "source_name": "MISPGALAXY:Operation Shadow Force", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775433991, "ts_updated_at": 1775791508, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/fd6ccd5997c47fda6e6994bc252cefca1c9c980e.pdf", "text": "https://archive.orkl.eu/fd6ccd5997c47fda6e6994bc252cefca1c9c980e.txt", "img": "https://archive.orkl.eu/fd6ccd5997c47fda6e6994bc252cefca1c9c980e.jpg" } }