Heimdal
article featured image

Contents:

On Monday, Microsoft attributed a China-based cyberespionage actor to a set of attacks targeting diplomatic entities in South America. Its Security Intelligence team is tracking the cluster under the emerging name DEV-0147.

ShadowPad is said to be used by the threat actor to infiltrate targets and maintain persistent access. Chinese adversarial collectives with links to the Ministry of State Security (MSS) and People’s Liberation Army (PLA) have widely used ShadowPad, also known as PoisonPlug, as a successor to PlugX remote access trojan.

DEV-0147 also uses a webpack loader called QuasarLoader, which enables additional payloads to be deployed on compromised hosts.

The method DEV-0147 might use to gain initial access to a target environment was not disclosed. However, phishing and opportunistic targeting of unpatched applications are the most likely options.

In recent months, ShadowPad has been used by more than one China-based advanced persistent threat (APT).

NCC Group discovered details of an attack targeting an unnamed organization in September 2022 that exploited a critical vulnerability in WSO2 (CVE-2022-29464, CVSS score: 9.8) to deliver ShadowPad for intelligence gathering.

An ASEAN member foreign ministry was also attacked with ShadowPad by an unidentified threat actor exploiting a vulnerable Microsoft Exchange Server. According to THN, the activity, dubbed REF2924 by Elastic Security Labs, shares tactical associations with Winnti (aka APT41) and ChamelGang.

Although ShadowPad has been well-documented over the years, Chinese hacking groups continue to use it, which might lead to the conclusion that it is quite a successful technique.

If you liked this article, follow us on LinkedInTwitterFacebook, and YouTube for more cybersecurity news and topics.

Author Profile

Mihaela Popa

COMMUNICATIONS & PR OFFICER

Mihaela is a digital content creator for Heimdal® and the proud owner of an old soul and a curious mind. Passionate to learn and discover more about cybersecurity, she will gladly share her latest finds with you.

Leave a Reply

Your email address will not be published. Required fields are marked *

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE