#ShadowPad

Daniel Kuhl ✌🏻☮️☕️ (daniel1820815@infosec.exchange)
2025-12-24

#CheckPoint Research revealed a sophisticated wave of attacks attributed to the Chinese #threat actor #InkDragon, which targets European governments while continuing campaigns in Southeast Asia and South America. The threat actor converts compromised #IIS servers into relay nodes with #ShadowPad, exploits predictable configuration keys for access, and deploys a new #FinalDraft #backdoor for exfiltration and lateral movement.

research.checkpoint.com/2025/i

2025-12-16

Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation
#InkDragon #ShadowPad #CDBLoader #LalsDumper #FINALDRAFT
research.checkpoint.com/2025/i

CyberNetsecIO (netsecio)
2025-11-24

📰 ShadowPad Backdoor Deployed via Critical WSUS Server Vulnerability

🔥 CRITICAL: Chinese APTs are actively exploiting a WSUS RCE vulnerability (CVE-2025-59287) to deploy the ShadowPad backdoor. Attackers gain SYSTEM access for espionage. Patching is urgent!

🔗 cyber.netsecops.io/articles/sh

2025-11-24

Analysis of ShadowPad Attack Exploiting WSUS Remote Code Execution Vulnerability (CVE-2025-59287)
#CVE_2025_59287 #ShadowPad
asec.ahnlab.com/en/91166/

2025-11-24

Threat actors are actively exploiting CVE-2025-59287 in WSUS to deploy ShadowPad.

ASEC notes the attackers used PowerCat for shell access, then fetched and installed ShadowPad with certutil/curl, executing it through DLL side-loading.

How are you securing WSUS or other update infrastructure in your environment?
💬 Share your insights
⭐ Follow TechNadu for timely threat intel

#infosec #WSUS #ShadowPad #CVE2025 #malware #threatintel #sysadmin #DFIR #TechNadu

ShadowPad Malware Actively Exploits WSUS Vulnerability for Full System Access
Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-06-10

Good day everyone!

This is a really interesting read from SentinelOne Labs. Back in October 2024 they dealt with a reconnaissance operation that was related to the activity cluster tracked as #PurpleHaze, and then in 2025 "they helped disrupt an intrusion linked to a wider #ShadowPad operation". The activity was attributed to China-nexus threat actors.

The article gives an in-depth view of what it looks like when an organization that is responsible for "IT services and logistics" gets compromised, which we could call a supply-chain attack. The article also provides a TON of technical details about the tools and infrastructure that were used, indicators of compromise to scan for in your environment, and behaviors and commands that were observed throughout. This one may take a while to read but it's worth it! Thanks to the researchers Dr Aleksandar Milenkoski and Tom Hegel for this report! I hope you all enjoy it as much as I did. Happy Hunting!

Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets
sentinelone.com/labs/follow-th

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Benjamin Carr, Ph.D. 👨🏻‍💻🧬 (BenjaminHCCarr@hachyderm.io)
2025-06-10

Chinese spy crew appears to be preparing for conflict by backdooring 75+ critical orgs
#SentinelOne discovered the campaign when they tried to hit the #security vendor's own servers
In their report, they describe a series of intrusions between July 2024 and March 2025 involving #ShadowPad #malware and post-exploitation espionage activity that SentinelOne has dubbed "#PurpleHaze", publicly reported as #APT15 and #UNC5174, and they're blaming #China.
theregister.com/2025/06/09/chi

2025-06-09

⚠️ Chinese hackers hit governments, media, and cybersecurity firms in a global cyber espionage spree. Over 70 orgs targeted using tools like ShadowPad and PurpleHaze.

Read: hackread.com/chinese-linked-ha

#CyberSecurity #China #CyberAttack #PurpleHaze #ShadowPad #APT15

2025-04-10

State-Sponsored Tactics: How Gamaredon and ShadowPad Operate and Rotate Their Infrastructure
#Gamaredon #RedFoxtrot #ShadowPad
hunt.io/blog/state-sponsored-a

2025-03-26

In July 2024, #ESETresearch discovered that the China-aligned #FamousSparrow APT group, thought at the time to have been inactive since 2022, compromised the network of a US trade group and a Mexican research institute. welivesecurity.com/en/eset-res
While helping the 🇺🇸 company remediate the compromise, we discovered FamousSparrow’s toolset hidden within the network. It included two previously undocumented versions of the group’s flagship backdoor, #SparrowDoor, one of them modular.
Both of these versions are a significant improvement over the older ones, especially in terms of code quality and architecture, implementing parallelization of time-consuming commands.
This campaign is also the first documented time that FamousSparrow used #ShadowPad, a privately sold modular backdoor known to only be supplied to threat actors affiliated with China.
IoCs available in our GitHub repo: github.com/eset/malware-ioc/tr

2025-02-20

For incident responders investigating Shadowpad cases, remember to retrieve the volume serial number where #Shadowpad was deployed. The first time the malware is run, it will delete the encoded payload file (<random name>.tmp), and encrypt it in the Windows registry using the volume serial number. Those can also be found in LNK and Prefetch files in case you don't have live access to the host anymore.
You can then use the VolumeID tool from Sysinternals to change the volume serial number of your virtual machine.
learn.microsoft.com/en-us/sysi

Command vol c: allows to retrieve the current volume serial number
Volume serial numbers are also present in LNK files
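The post above points responders at LNK files as an offline source of the volume serial number ShadowPad keys its registry payload on. The following is an added example, not code from the post or its author: a small parser of the public MS-SHLLINK layout that walks ShellLinkHeader, skips an optional LinkTargetIDList, and reads DriveSerialNumber from the LinkInfo/VolumeID block, formatting it the way `vol` prints it. The sample .lnk bytes are constructed inside the block for a runnable demo and are not an artefact from any incident.

```python
import struct

# MS-SHLLINK constants (taken from the public spec; not from the post above)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x1          # LinkFlags: an IDList precedes LinkInfo
HAS_LINK_INFO = 0x2                    # LinkFlags: LinkInfo structure present
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1    # LinkInfoFlags: VolumeID block present


def lnk_volume_serial(data: bytes):
    """Return the LNK's DriveSerialNumber as 'XXXX-XXXX' (vol.exe style), or None."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLink header")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID")
    link_flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                      # first byte after the header
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # skip IDListSize + IDList
    if not link_flags & HAS_LINK_INFO:
        return None                                 # no LinkInfo, so no VolumeID
    # LinkInfo: Size(+0) HeaderSize(+4) Flags(+8) VolumeIDOffset(+12) ...
    link_info_flags, vol_off = struct.unpack_from("<II", data, pos + 8)
    if not link_info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None                                 # network-only link: no local volume
    # VolumeID: Size(+0) DriveType(+4) DriveSerialNumber(+8) VolumeLabelOffset(+12)
    serial = struct.unpack_from("<I", data, pos + vol_off + 8)[0]
    return f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"


def build_sample_lnk(serial: int, with_id_list: bool = False) -> bytes:
    """Construct a minimal .lnk carrying a LinkInfo/VolumeID (constructed test data)."""
    label, path = b"OS\x00", b"C:\\Windows\\System32\\cmd.exe\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 3, serial, 16) + label  # DRIVE_FIXED
    vol_off = 28                                    # minimal LinkInfoHeaderSize
    lbp_off = vol_off + len(volume_id)
    cps_off = lbp_off + len(path)
    link_info = struct.pack("<7I", cps_off + 1, 28, 1, vol_off, lbp_off, 0, cps_off)
    link_info += volume_id + path + b"\x00"         # LocalBasePath + empty CommonPathSuffix
    flags = HAS_LINK_INFO | (HAS_LINK_TARGET_ID_LIST if with_id_list else 0)
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (0x4C - len(header))        # remaining header fields zeroed
    id_list = struct.pack("<H", 2) + b"\x00\x00" if with_id_list else b""  # TerminalID only
    return header + id_list + link_info
```

Run `lnk_volume_serial(open(path, "rb").read())` over the LNK files collected from the host to recover the serial without live access.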
2025-02-20

We released a report on an updated version of #Shadowpad including anti-debugging features and a new configuration structure, which in some cases deploys a custom ransomware family. We have mainly seen the manufacturing industry being targeted in Europe and Asia. trendmicro.com/fr_fr/research/
#APT
Orange Cyberdefense saw the same threat and named the ransomware "NailaoLocker": orangecyberdefense.com/global/ They share interesting thoughts on the motivations of the ransomware deployment, although they don't have the final answer. We also saw no financial gain for the threat actor.

Map of targeted countries
Ransom note
Ransomware false flag
Orange Cyberdefense thoughts on the deployment of the ransomware
2025-02-20

🆕We publish today the result of a deep-dive investigation into a malicious campaign leveraging #ShadowPad and #PlugX to distribute a previously-undocumented ransomware, dubbed #NailaoLocker.
This campaign targeted 🇪🇺 organizations during S2 2024 and is tied to Chinese TA 🇨🇳.

➡️The full article on the Green Nailao cluster is available here: orangecyberdefense.com/global/

➡️IOCs and Yara can be found on our GitHub: github.com/cert-orangecyberdef

DeepSec Conference ☑ (deepsec@social.tchncs.de)
2024-11-15

DeepSec 2024 Talk: The Malicious Bloodline Inheritance: Dissecting Deed RAT and Blood Alchemy – You Nakatsuru, Kiyotaka Tamada & Suguru Ishimaru

ShadowPad is a particularly notorious malware family used in Advanced Persistent Threat (APT)

blog.deepsec.net/deepsec-2024-

#Conference #BloodAlchemy #DeedRAT #DeepSec2024 #MalwareAnalysis #ShadowPad #Talk

Anonymous 🐈️🐾☕🍵🏴🇵🇸 :af: (youranonriots@kolektiva.social)
2024-05-24

🚨 ALERT: BLOODALCHEMY #malware, an updated version of Deed RAT and successor to #ShadowPad, targets government organizations in Southern and Southeastern Asia.

thehackernews.com/2024/05/japa

#cybersecurity #infosec #hacking

2024-03-20

Recorded Future publishes a 24 page report on i-SOON and their connections to offensive cyberespionage operations attributed to RedHotel, RedAlpha and POISON CARP. The links indicate that they are likely sub-teams focused on specific missions within the same company. i-SOON's victims span 22 countries, with government, telco and education being the most targeted sectors. i-SOON also supports domestic including the targeting of ethnic and religious minorities and the online gambling industry. i-SOON very likely uses and sells access to custom malware families like Winnti and ShadowPad. IOC provided. 🔗 recordedfuture.com/attributing

#ISOON #cyberespionage #China #APT #threatintel #IOC #redhotel #redalpha #poisoncarp #winnti #shadowpad

2024-03-18

Our latest report on a CN #APT targeting tens of government entities worldwide has been published 🥳 After monitoring it for a long time we realized it is likely related to the recent I-Soon company leaks. It discusses their TTPs and provides lots of IOCs. trendmicro.com/en_us/research/
Targets are spread among 5 continents, although some countries are targeted more heavily: one country had 11 of its government entities compromised. Previous victims are used to compromise new ones by abusing their infrastructure to send spear-phishing emails or host malware.
Their favorite malware toolkit consists of Reshell, a basic .NET backdoor, and Xdealer, also named Dinodas RAT, two custom malware families. They also use the infamous #CobaltStrike, #PlugX and #Shadowpad. Many of their offensive and post-exploitation tools are retrieved from public sources.

Map of targets and victims of Earth Krahang, showing countries in all continents being part of it
Earth Krahang is likely related to the Chinese company I-Soon
Scheme showing favorite Earth Krahang infection vector
Python script used to exfiltrate victim's email
