Since September 2021, up to 85 command-and-control (C2) servers have been identified as being used by the ShadowPad malware, with infrastructure being found as recently as October 16, 2022.
The Threat Analysis Unit (TAU) at VMware examined three ShadowPad variants that use the TCP, UDP, and HTTP(S) protocols, respectively, for their C2 connections. ShadowPad, regarded as the successor to PlugX, is a modular malware platform that has been shared privately among several Chinese state-sponsored actors since 2015.