As many as 85 command-and-control (C2) servers have been found supported by the ShadowPad malware since September 2021, with infrastructure detected as lately as October 16, 2022.
That’s in line with VMware’s Threat Analysis Unit (TAU), which studied three ShadowPad variants utilizing TCP, UDP, and HTTP(S) protocols for C2 communications.
ShadowPad, seen as a successor to PlugX, is a modular malware platform privately shared amongst a number of Chinese state-sponsored actors since 2015.
Taiwanese cybersecurity agency TeamT5, earlier this May, disclosed particulars of one other China-nexus modular implant named Pangolin8RAT, which is believed to be the successor of the PlugX and ShadowPad malware households, linking it to a risk group dubbed Tianwu.
An evaluation of the three ShadowPad artifacts, which have been beforehand put to make use of by Winnti, Tonto Team, and an rising risk cluster codenamed Space Pirates, made it potential to find the C2 servers by scanning the checklist of open hosts generated by a instrument known as ZMap, VMware stated.
The firm additional disclosed it recognized Spyder and ReverseWindow malware samples speaking with ShadowPad C2 IP addresses, each of that are malicious instruments put to make use of by APT41 (aka Winnti) and LuoYu.
Additionally, overlaps have been noticed between the aforementioned Spyder pattern and a Worker part of the risk actor’s Winnti 4.0 trojan.
“Scanning APT malware C2s on the Internet is usually like discovering a needle in a haystack,” Takahiro Haruyama, senior risk researcher at VMware TAU, stated. “However, as soon as the C2 scanning works, it could possibly turn into a recreation changer as one of the proactive risk detection approaches.”