ShadowPad, a windows backdoor that allows attackers to download additional harmful modules or steal data. The adoption of ShadowPad significantly reduces the costs of development and maintenance for threat actors. Some threat groups stopped developing their own backdoors after they gained access to ShadowPad.

Several well-known supply-chain incidents CCleaner, NetSarang, and Shadow Hammer that it began to gain considerable public attention that used ShadowPad. Unlike PlugX, ShadowPad is only available to a selected group of people. ShadowPad has been called a “masterpiece of privately sold malware in Chinese espionage

ShadowPad is a shellcode-based modular backdoor. A layer of an obfuscated shellcode loader is in charge of decrypting and loading a Root plugin during execution. While the Root plugin’s chain of operations decrypts, it loads other shellcode-embedded plugins into memory. To date, at least 22 different plugins have been discovered.

Plugins can be remotely uploaded from the C&C server in addition to the ones included, allowing users to dynamically add functionality that isn’t present by default. A Delphi-based controller is in charge of the infected machines, which is used for backdoor communications, upgrading the C2 infrastructure, and controlling the plugins.

ShadowPad is well-designed and highly likely to be produced by an experienced malware developer, both its functionalities and its anti-forensics capabilities are under active development.

ShadowPad-related attacks have lately targeted Hong Kong-based firms as well as key infrastructure in India, Pakistan, and other Central Asian countries. The implant is known to be shared by multiple Chinese espionage actors, including Tick, RedEcho, RedFoxtrot, and clusters dubbed Operation Redbonus, Redkanku, and Fishmonger, although being predominantly attributed to APT41.