S0596: ShadowPad
Analyst context for executives and security teams
ShadowPad matters because ATT&CK describes it as a modular Windows backdoor first identified through a NetSarang software supply chain compromise and later associated with multiple China-linked activity sets and campaigns. For leaders, the decision value is not just “malware exists”; it is whether the organization can detect a stealthy, modular backdoor that may arrive through trusted software channels, perform host and network discovery, communicate over common protocols such as web, file transfer, DNS, or other network protocols, and obscure or remove evidence.
Executive priority
Prioritize ShadowPad as a resilience and assurance scenario for Windows environments, third-party software trust, and critical-service operations. The relationship context includes campaigns and groups tied to critical infrastructure, government, telecom, technology, healthcare, transportation, finance, education, and other sectors, but local risk should be based on your exposure, geography, vendors, and threat model. Executives should ask: do we have evidence for supply chain software integrity, Windows endpoint visibility, network egress governance, DNS/web traffic monitoring, and incident response ability to investigate a modular backdoor without relying on a single indicator?
Technical view
ATT&CK provides no official detection text for ShadowPad, so defenders should validate coverage through the mapped behaviors. On Windows, confirm visibility for process injection and DLL injection, obfuscated files or information, fileless storage (configuration or payload data held in the Registry or in WMI rather than on disk), process/user/system/network discovery, scheduled transfer behavior, indicator removal, and C2 over web protocols, file transfer protocols, DNS, and non-application-layer protocols. Use the campaign and group relationships as threat-intelligence context, not as proof of local compromise or attribution.
Likely telemetry
- Windows endpoint process creation and parent-child process telemetry
- DLL load and process injection-related endpoint events
- File, registry, WMI, and other non-file storage or configuration change telemetry where available
- Command-line, script, and administrative utility execution logs for discovery activity
- DNS query and response logs
Detection direction
- Because MITRE does not provide a ShadowPad-specific detection recommendation, build behavior-based detections around the related techniques rather than relying only on hashes or names.
- Tune for unusual Windows processes performing discovery of users, system information, network configuration, and running processes, especially when followed by outbound communications.
- Validate analytic coverage for DLL/process injection and suspicious module loading, with allowlisting for legitimate security tools, software updaters, and enterprise management agents to reduce false positives.
- Review DNS, web, file transfer, and non-application-layer egress for rare destinations, unusual timing, beacon-like patterns, or hosts that do not normally communicate externally.
- Assess whether logging survives or reveals attempted indicator removal; absence of expected logs can itself become an investigation lead when correlated with endpoint activity.
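The egress review above (rare destinations, unusual timing, beacon-like patterns) and the mapped Scheduled Transfer behavior (data sent to C2 every 8 hours) can be turned into a simple analytic. The following is an added example, not code from the page, from MITRE, or from Glexia: it parses a constructed outbound-connection log, flags source/destination pairs whose connections are almost evenly spaced, and lists external destinations that only one internal host talks to. The log format, the sample lines, and the thresholds (`MIN_EVENTS`, `MAX_JITTER_RATIO`) are assumptions to be tuned against your own telemetry.

```python
"""Beacon / scheduled-transfer heuristic over outbound connection logs.

Added example (not from the ATT&CK page or from MITRE). The log format,
sample lines and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MIN_EVENTS = 4            # need enough connections to estimate an interval
MAX_JITTER_RATIO = 0.05   # stdev/mean of inter-arrival gaps below this = periodic

# Constructed sample lines: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>".
# 10.0.0.5 -> 203.0.113.10 checks in every ~8 hours; the rest is ordinary traffic.
SAMPLE_LOG = """\
2024-05-01T00:02:11 10.0.0.5 203.0.113.10 443 tcp
2024-05-01T08:02:14 10.0.0.5 203.0.113.10 443 tcp
2024-05-01T16:02:09 10.0.0.5 203.0.113.10 443 tcp
2024-05-02T00:02:12 10.0.0.5 203.0.113.10 443 tcp
2024-05-02T08:02:10 10.0.0.5 203.0.113.10 443 tcp
2024-05-01T00:15:00 10.0.0.7 198.51.100.20 443 tcp
2024-05-01T03:41:22 10.0.0.7 198.51.100.20 443 tcp
2024-05-01T11:05:03 10.0.0.7 198.51.100.20 443 tcp
2024-05-01T09:10:00 10.0.0.9 198.51.100.20 443 tcp
2024-05-01T04:00:00 10.0.0.5 192.0.2.30 53 udp
2024-05-01T04:00:30 10.0.0.7 192.0.2.30 53 udp
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port, proto) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), proto))
    return events


def find_beacons(events):
    """Return {(src, dst): summary} for pairs whose connections are evenly spaced."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port, _proto in events:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < MIN_EVENTS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter < MAX_JITTER_RATIO:
            beacons[pair] = {
                "events": len(stamps),
                "mean_interval_hours": round(avg / 3600, 2),
                "jitter_ratio": round(jitter, 4),
            }
    return beacons


def rare_destinations(events):
    """External destinations contacted by exactly one internal host."""
    sources = defaultdict(set)
    for _ts, src, dst, _port, _proto in events:
        sources[dst].add(src)
    return {dst for dst, srcs in sources.items() if len(srcs) == 1}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for pair, info in find_beacons(evs).items():
        print("periodic:", pair, info)
    print("rare destinations:", sorted(rare_destinations(evs)))
```

Run over a long enough window (several days for an 8-hour cadence) and allowlist legitimately periodic traffic such as updaters, time sync, and management agents, as the detection-direction list already recommends; a low jitter ratio on its own is a lead to correlate with endpoint process telemetry, not a verdict.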
Mitigation priorities
- Strengthen third-party software and update-channel governance, including inventory, source validation, and rapid containment plans for trusted software compromise scenarios.
- Ensure Windows endpoint detection and response coverage is deployed on high-value systems and configured to capture process, module, file, registry, and network activity needed for backdoor investigations.
- Apply least-privilege and segmentation so a compromised Windows host has limited ability to discover sensitive systems or communicate broadly outbound.
- Restrict and monitor unnecessary outbound DNS, web, file transfer, and other network protocols; require controlled egress paths where operationally feasible.
- Maintain centralized, tamper-resistant logging and tested incident response playbooks for suspected backdoor activity, including memory, endpoint, and network triage.
Analyst notes and limits
ShadowPad is described by ATT&CK as a modular backdoor first identified in the 2017 NetSarang supply chain compromise. ATT&CK relationships connect it to multiple groups and campaigns, including Indian Critical Infrastructure Intrusions, RedDelta Modified PlugX Infection Chain Operations, APT41, Mustang Panda, RedEcho, and others. The object’s platform is Windows, while several related techniques have broader platform listings; this take treats ShadowPad coverage as a Windows-focused validation exercise.
The supplied ATT&CK object has no official detection text, no aliases, and no object-level tactics specified. Relationship descriptions are partially truncated, and external reporting is referenced but not expanded beyond the supplied fields. Local telemetry, software inventory, geography, sector, and incident evidence are required before making exposure, compromise, or attribution judgments.
ShadowPad
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1033 | System Owner/User Discovery | ShadowPad has collected the username of the victim system. (Citation: Kaspersky ShadowPad Aug 2017) |
| Enterprise | T1112 | Modify Registry | ShadowPad can modify the Registry to store and maintain a configuration block and virtual file system. (Citation: Kaspersky ShadowPad Aug 2017) (Citation: TrendMicro EarthLusca 2022) |
| Enterprise | T1124 | System Time Discovery | ShadowPad has collected the current date and time of the victim system. (Citation: Kaspersky ShadowPad Aug 2017) |
| Enterprise | T1070 | Indicator Removal | ShadowPad has deleted arbitrary Registry values. (Citation: Kaspersky ShadowPad Aug 2017) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | ShadowPad has decrypted a binary blob to start execution. (Citation: Kaspersky ShadowPad Aug 2017) |
| Enterprise | T1027.011 | Fileless Storage (sub-technique) | ShadowPad maintains a configuration block and virtual file system in the Registry. (Citation: Kaspersky ShadowPad Aug 2017) (Citation: TrendMicro EarthLusca 2022) |
| Enterprise | T1016 | System Network Configuration Discovery | ShadowPad has collected the domain name of the victim system. (Citation: Kaspersky ShadowPad Aug 2017) |
| Enterprise | T1029 | Scheduled Transfer | ShadowPad has sent data back to C2 every 8 hours. (Citation: Securelist ShadowPad Aug 2017) |
| Enterprise | T1057 | Process Discovery | ShadowPad has collected the PID of a malicious process. (Citation: Kaspersky ShadowPad Aug 2017) |
| Enterprise | T1071.004 | DNS (sub-technique) | ShadowPad has used DNS tunneling for C2 communications. (Citation: Kaspersky ShadowPad Aug 2017) |
| Enterprise | T1132.002 | Non-Standard Encoding (sub-technique) | ShadowPad has encoded data as readable Latin characters. (Citation: Securelist ShadowPad Aug 2017) |
| Enterprise | T1071.002 | File Transfer Protocols (sub-technique) | ShadowPad has used FTP for C2 communications. (Citation: Kaspersky ShadowPad Aug 2017) |
| Enterprise | T1095 | Non-Application Layer Protocol | ShadowPad has used UDP for C2 communications. (Citation: Kaspersky ShadowPad Aug 2017) |
| Enterprise | T1027 | Obfuscated Files or Information | ShadowPad has encrypted its payload, a virtual file system, and various files. (Citation: Securelist ShadowPad Aug 2017) (Citation: TrendMicro EarthLusca 2022) |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | ShadowPad communicates over HTTP to retrieve a string that is decoded into a C2 server URL. (Citation: Kaspersky ShadowPad Aug 2017) |
| Enterprise | T1055 | Process Injection | ShadowPad has injected an install module into a newly created process. (Citation: Kaspersky ShadowPad Aug 2017) |
| Enterprise | T1082 | System Information Discovery | ShadowPad has discovered system information including memory status, CPU frequency, and OS versions. (Citation: Kaspersky ShadowPad Aug 2017) |
| Enterprise | T1680 | Local Storage Discovery | ShadowPad has discovered system information including volume serial numbers. (Citation: Kaspersky ShadowPad Aug 2017) |
| Enterprise | T1568.002 | Domain Generation Algorithms (sub-technique) | ShadowPad uses a DGA that is based on the day of the month for C2 servers. (Citation: Securelist ShadowPad Aug 2017) (Citation: Kaspersky ShadowPad Aug 2017) (Citation: FireEye APT41 Aug 2019) |
| Enterprise | T1105 | Ingress Tool Transfer | ShadowPad has downloaded code from a C2 server. (Citation: Securelist ShadowPad Aug 2017) |
| Enterprise | T1055.001 | Dynamic-link Library Injection (sub-technique) | ShadowPad has injected a DLL into svchost.exe. (Citation: Kaspersky ShadowPad Aug 2017) |
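Three rows in the table concern DNS: tunneling for C2 (T1071.004), encoding data as readable Latin characters (T1132.002), and a DGA for C2 server names (T1568.002). The DNS query and response logs listed under likely telemetry can be screened for both patterns with content and failure-rate heuristics. The block below is an added example, not code from the page, from MITRE, or from Glexia, and it does not reproduce ShadowPad's actual encoding or DGA; it builds a constructed query log and flags (a) zones that receive many distinct, long, high-entropy subdomains, which is how encoded data typically shows up in query names, and (b) hosts whose lookups fail (NXDOMAIN) at a high rate, which is how algorithmically generated names typically show up before the live C2 domain resolves. The log format, the `.test` sample domains, the naive last-two-label zone split, and all thresholds are assumptions.

```python
"""DNS query-log heuristics for tunneling-style and DGA-style activity.

Added example, not from the ATT&CK page, MITRE, or Glexia. The log format,
the constructed sample names and the thresholds are assumptions.
"""
import base64
import hashlib
import math
from collections import defaultdict

MAX_AVG_LABEL_LEN = 40      # real hostnames rarely need labels this long
MIN_AVG_ENTROPY = 3.5       # bits/char; encoded payload data scores higher than words
MIN_UNIQUE_SUBDOMAINS = 20  # many distinct names under one zone = data channel
MIN_NXDOMAIN_COUNT = 10     # absolute floor before a host's failure rate matters
MIN_NXDOMAIN_RATIO = 0.5    # share of a host's lookups that failed


def _opaque_label(seed, length):
    """Deterministic base32 text standing in for encoded data (constructed, not ShadowPad's scheme)."""
    digest = hashlib.sha256(seed.encode()).digest()
    return base64.b32encode(digest).decode().rstrip("=").lower()[:length]


def build_sample_log():
    """Constructed query log, one '<ISO timestamp> <src_ip> <qname> <rcode>' per line."""
    lines = [
        "2024-05-01T09:00:00 10.0.0.7 www.example.com NOERROR",
        "2024-05-01T09:00:01 10.0.0.7 mail.example.com NOERROR",
        "2024-05-01T09:00:02 10.0.0.9 cdn.example.net NOERROR",
        "2024-05-01T09:00:03 10.0.0.5 www.example.com NOERROR",
        "2024-05-01T09:00:04 10.0.0.5 time.example.net NOERROR",
        "2024-05-01T09:00:05 10.0.0.5 login.example.org NOERROR",
    ]
    # Tunneling-style: 25 distinct, long, opaque labels under one zone from one host.
    for i in range(25):
        lines.append(f"2024-05-01T09:01:{i:02d} 10.0.0.9 "
                     f"{_opaque_label(f'chunk{i}', 52)}.files.example-cdn.test NOERROR")
    # DGA-style: one host resolving a burst of generated names that do not exist.
    for i in range(12):
        lines.append(f"2024-05-01T09:02:{i:02d} 10.0.0.5 {_opaque_label(f'dga{i}', 12)}.test NXDOMAIN")
    return "\n".join(lines)


def shannon_entropy(text):
    """Bits per character; higher values indicate encoded or random-looking text."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Parse log lines into (timestamp, src, qname, rcode) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, qname, rcode = line.split()
            events.append((ts, src, qname.lower().rstrip("."), rcode))
    return events


def split_zone(qname):
    """Naive split into (registered zone, subdomain) using the last two labels.
    Production code should consult the public suffix list instead (assumption)."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return qname, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def tunneling_candidates(events):
    """Zones receiving many distinct subdomains whose longest label looks encoded."""
    subs = defaultdict(set)
    for _ts, _src, qname, _rcode in events:
        zone, sub = split_zone(qname)
        if sub:
            subs[zone].add(sub)
    hits = {}
    for zone, names in subs.items():
        if len(names) < MIN_UNIQUE_SUBDOMAINS:
            continue
        longest = [max(s.split("."), key=len) for s in names]
        avg_len = sum(len(lab) for lab in longest) / len(longest)
        avg_ent = sum(shannon_entropy(lab) for lab in longest) / len(longest)
        if avg_len > MAX_AVG_LABEL_LEN or avg_ent > MIN_AVG_ENTROPY:
            hits[zone] = {"unique_subdomains": len(names),
                          "avg_label_len": round(avg_len, 1),
                          "avg_entropy": round(avg_ent, 2)}
    return hits


def dga_candidates(events):
    """Hosts with an unusually high count and share of NXDOMAIN responses."""
    totals, failures = defaultdict(int), defaultdict(int)
    for _ts, src, _qname, rcode in events:
        totals[src] += 1
        if rcode == "NXDOMAIN":
            failures[src] += 1
    hits = {}
    for src, nx in failures.items():
        ratio = nx / totals[src]
        if nx >= MIN_NXDOMAIN_COUNT and ratio >= MIN_NXDOMAIN_RATIO:
            hits[src] = {"nxdomain": nx, "queries": totals[src], "ratio": round(ratio, 2)}
    return hits


if __name__ == "__main__":
    evs = parse_dns_log(build_sample_log())
    print("tunneling-like zones:", tunneling_candidates(evs))
    print("dga-like hosts:", dga_candidates(evs))
```

Both heuristics produce leads rather than verdicts: content-delivery networks, anti-spam reputation lookups, and certificate-transparency style services also generate long opaque labels, and a misconfigured resolver search path produces NXDOMAIN bursts. Baseline the thresholds per environment and correlate a hit with the endpoint process that issued the query before escalating.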
Groups, software, and campaigns
G0129: Mustang Panda
Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [1][2][3][4][5][6][7][8][9][10][11][12][13]
G1042: RedEcho
G0081: Tropic Trooper
Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.[1][2][3]
G0131: Tonto Team
Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).[1][2][3][4][5][6]
G0096: APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]
G0143: Aquatic Panda
Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors.[1]
G1006: Earth Lusca
Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some Earth Lusca operations may be financially motivated.[1]
Earth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster; however, security researchers assess Earth Lusca's techniques and infrastructure are separate.[1]
G0060: BRONZE BUTLER
BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.[1][2][3]
C0047: RedDelta Modified PlugX Infection Chain Operations
RedDelta Modified PlugX Infection Chain Operations was executed by Mustang Panda from mid-2023 through the end of 2024 against multiple entities in East and Southeast Asia. RedDelta Modified PlugX Infection Chain Operations involved phishing to deliver malicious files or links to users prompting follow-on installer downloads to load PlugX on victim machines in a persistent state.[1]
C0043: Indian Critical Infrastructure Intrusions
Indian Critical Infrastructure Intrusions is a sequence of intrusions from 2021 through early 2022 linked to People’s Republic of China (PRC) threat actors, particularly RedEcho and Threat Activity Group 38 (TAG38). The intrusions appear focused on IT system breach in Indian electric utility entities and logistics firms, as well as potentially managed service providers operating within India. Although focused on OT-operating entities, there is no evidence this campaign was able to progress beyond IT breach and information gathering to OT environment access.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | d8ce46c5a7bb… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Recorded Future RedEcho Feb 2021: Insikt Group. (2021, February 28). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved March 22, 2021.
- [2] Securelist ShadowPad Aug 2017: GReAT. (2017, August 15). ShadowPad in corporate networks. Retrieved March 22, 2021.
- [3] Kaspersky ShadowPad Aug 2017: Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
- [4] FireEye APT41 Aug 2019: Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
- [5] POISONPLUG.SHADOW (Citation: FireEye APT41 Aug 2019)
- [6] mitre-attack S0596 (MITRE ATT&CK source record)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.