Welcome to the VB2021 conference!

arrow left Back

ShadowPad: the masterpiece of privately sold malware in Chinese espionage

Yi-Jhen Hsieh (SentinelOne) & Joey Chen (SentinelOne)
ShadowPad emerged in 2015 as the successor to PlugX. However, it was not until several infamous supply-chain incidents occurred – CCleaner, NetSarang and ShadowHammer – that it started to receive widespread attention in the public domain. Unlike the publicly sold PlugX, ShadowPad is privately shared among a limited set of users. Its plugin-based design and the capability of inserting plugins during runtime give it good extensibility in terms of the functionalities for its users. Whilst collecting IoCs and connecting the dots, we asked ourselves: why did it become the primary choice in those high-impact attacks? What makes it so special in the pages of Chinese espionage? What threat actors are using ShadowPad in their operations? And ultimately, how does the emergence of ShadowPad impact the wider threat landscape of Chinese espionage attacks?

To answer those questions, SentinelOne conducted a comprehensive study on the origin, the usage and the business model of ShadowPad. First, we provide a detailed overview of ShadowPad, including the technical briefing and our assessment of its business model and ecosystem. Afterwards, we will introduce at least four activity clusters where we observed ShadowPad being used. Finally, we will discuss how its emergence changes the attack strategies of some China-based threat actors and how it affects the threat landscape of Chinese espionage attacks.
Yi-Jhen Hsieh
SentinelOne

Yi-Jhen Hsieh is a threat intelligence researcher at SentinelOne, specializing in APAC-based espionage campaign tracking and malware analysis. Prior to joining SentinelOne, she worked as a Tier-3 analyst to support IR case analysis with additional experience in spamming botnet tracking and solution delivery.

Joey Chen
SentinelOne

Joey Chen works as a threat intelligence researcher at SentinelOne. His major areas of research include incident response, APT investigation, malware analysis and cryptography analysis. He not only has been a speaker at several conferences but also received the 2018 Trend Micro Training Ambassador & Trainer prize. Now he focuses on the security issues of targeted attacks, emerging threats and IoT systems.