ShadowPad emerged in 2015 as the successor to PlugX. However, it was not until several infamous supply-chain incidents occurred – CCleaner, NetSarang and ShadowHammer – that it started to receive widespread attention in the public domain. Unlike the publicly sold PlugX, ShadowPad is privately shared among a limited set of users. Its plugin-based design, together with the ability to load additional plugins at runtime, makes its functionality highly extensible for those users. Whilst collecting IoCs and connecting the dots, we asked ourselves: why did it become the primary choice in those high-impact attacks? What makes it so special in the pages of Chinese espionage? Which threat actors are using ShadowPad in their operations? And ultimately, how does the emergence of ShadowPad impact the wider threat landscape of Chinese espionage attacks?
To answer those questions, SentinelOne conducted a comprehensive study of the origin, the usage and the business model of ShadowPad. First, we will provide a detailed overview of ShadowPad, including a technical briefing and our assessment of its business model and ecosystem. Afterwards, we will introduce at least four activity clusters in which we observed ShadowPad being used. Finally, we will discuss how its emergence has changed the attack strategies of some China-based threat actors and how it affects the threat landscape of Chinese espionage attacks.
Got a question about this presentation? To get in touch with the speakers, contact them on Twitter at @yj_hhhh and @joeychennoGG.