Security News > 2021 > August > ShadowPad Malware is Becoming a Favorite Choice of Chinese Espionage Groups
ShadowPad, an infamous Windows backdoor that allows attackers to download further malicious modules or steal data, has been put to use by five different Chinese threat clusters since 2017.
"The adoption of ShadowPad significantly reduces the costs of development and maintenance for threat actors," SentinelOne researchers Yi-Jhen Hsieh and Joey Chen said in a detailed overview of the malware, adding "Some threat groups stopped developing their own backdoors after they gained access to ShadowPad.".
The American cybersecurity firm dubbed ShadowPad a "Masterpiece of privately sold malware in Chinese espionage."
A successor to PlugX and a modular malware platform since 2015, ShadowPad catapulted to widespread attention in the wake of supply chain incidents targeting NetSarang, CCleaner, and ASUS, leading the operators to shift tactics and update their defensive measures with advanced anti-detection and persistence techniques.
The malware functions by decrypting and loading a Root plugin in memory, which takes care of loading other embedded modules during runtime, in addition to dynamically deploying additional plugins from a remote command-and-control server, enabling adversaries to incorporate extra functionality not built into the malware by default.
Interestingly, the feature set made available to ShadowPad users is not only tightly controlled by its seller, each plugin is sold separately instead of offering a full bundle containing all of the modules, with most samples - out of about 100 - embedded with less than nine plugins.