Welcome to the VB2021 conference!

ShadowPad: the masterpiece of privately sold malware in Chinese espionage

Yi-Jhen Hsieh (SentinelOne) & Joey Chen (SentinelOne)
ShadowPad emerged in 2015 as the successor to PlugX. However, it was not until several infamous supply-chain incidents – CCleaner, NetSarang and ShadowHammer – that it began to receive widespread public attention. Unlike the publicly sold PlugX, ShadowPad is shared privately among a limited set of users. Its plugin-based design, together with its ability to load additional plugins at runtime, lets its operators extend its functionality without rebuilding the implant. While collecting IoCs and connecting the dots, we asked ourselves: why did it become the primary choice in those high-impact attacks? What makes it so special in the pages of Chinese espionage? Which threat actors are using ShadowPad in their operations? And ultimately, how does the emergence of ShadowPad impact the wider threat landscape of Chinese espionage attacks?

To answer those questions, SentinelOne conducted a comprehensive study of the origin, usage and business model of ShadowPad. First, we provide a detailed overview of ShadowPad, including a technical briefing and our assessment of its business model and ecosystem. Next, we introduce at least four activity clusters in which we observed ShadowPad being used. Finally, we discuss how its emergence has changed the attack strategies of some China-based threat actors and how it affects the threat landscape of Chinese espionage attacks.

Got a question about this presentation? To get in touch with the speakers, contact them on Twitter at @yj_hhhh and @joeychennoGG.

Yi-Jhen Hsieh

Yi-Jhen Hsieh is a threat intelligence researcher at SentinelOne, specializing in APAC-based espionage campaign tracking and malware analysis. Prior to joining SentinelOne, she worked as a Tier-3 analyst to support IR case analysis with additional experience in spamming botnet tracking and solution delivery.

Joey Chen

Joey Chen works as a threat intelligence researcher at SentinelOne. His major areas of research include incident response, APT investigation, malware analysis and cryptography analysis. He has spoken at several conferences and received the 2018 Trend Micro Training Ambassador & Trainer prize. He now focuses on the security issues of targeted attacks, emerging threats and IoT systems.