A recent report has disclosed that ShadowPad backdoor malware has been actively used by different Chinese espionage groups since 2017. It is a well-known Windows backdoor that downloads malicious modules or steals data. 

Why the high demand

At least five Chinese actors have used ShadowPad malware in their espionage activities, namely APT41, Tick & Tonto Team, Operation Redbonus, Operation Redkanku, and Fishmonger.
  • Using ShadowPad greatly reduces the development and maintenance cost for the attackers.
  • It is a privately sold modular malware platform whose plugins are offered separately.
  • It allows its users to remotely deploy new plugins to a backdoor. It is speculated that anyone who can produce a plugin with the correct format can add new features to the backdoor freely.
  • Moreover, malware developers keep adding new anti-detection features and persistence techniques to it.

A background check

  • An individual known as ‘whg’ and his affiliate, known as ‘Rose’, are the suspected authors of this malware platform. Both of them have been commercializing their malware development and hacking skills.
  • It was used as the main backdoor in various cyberespionage campaigns, such as the NetSarang, CCleaner, and ASUS supply-chain attacks.
  • Besides, the ShadowPad malware platform is traded privately to a limited group of customers.


ShadowPad is a well-developed malware platform that is still under regular development, making it a serious threat. Additionally, the availability of such advanced malware as a commodity will empower and motivate novice hackers to leap into action soon.

Cyware Publisher