ShadowPad Threat Actors Return With Fresh Government Strikes, Updated Tools

Published: 23/11/2024   Category: security




Cyber spies are using legitimate apps for DLL sideloading, deploying an updated range of malware, including the new Logdatter info-stealer.



A threat group previously associated with the notorious ShadowPad remote access Trojan (RAT) has been observed using old and outdated versions of popular software packages to load malware on systems belonging to multiple target government and defense organizations in Asia.
Outdated versions of legitimate software are useful to the attackers because they permit a well-known technique called dynamic link library (DLL) sideloading to execute malicious payloads on a target system. Most current versions of the same products protect against this attack vector, which essentially involves the adversary disguising a malicious DLL file as a legitimate one and placing it in a directory from which the application automatically loads and runs it.
Researchers from Broadcom Software's Symantec Threat Hunter team observed the ShadowPad-related threat group using the tactic in a cyber-espionage campaign. The group's targets have so far included a prime minister's office, government organizations linked to the finance sector, government-owned defense and aerospace firms, and state-owned telecom, IT, and media companies. The security vendor's analysis showed the campaign has been ongoing since at least early 2021, with intelligence gathering as the primary focus.
The use of legitimate applications to facilitate DLL sideloading appears to be a growing trend among espionage actors operating in the region, Symantec said in a report this week. It is an attractive tactic because anti-malware tools often fail to spot the malicious activity when attackers use old applications for sideloading.
"Aside from the age of the applications, the other commonality is that they were all relatively well-known names and thus may appear innocuous," says Alan Neville, threat intelligence analyst with Symantec's Threat Hunter team.
The fact that the group behind the current campaign in Asia is using the tactic despite it being well-understood suggests the technique is yielding some success, Symantec said.
Neville says his company has not recently observed threat actors use the tactic in the US or elsewhere. The technique is mostly used by attackers focusing on Asian organizations, he adds.
Neville says that in most of the attacks in the latest campaign, the threat actors used the legitimate PsExec Windows utility for executing programs on remote systems to carry out the sideloading and deploy malware. In each case, the attackers had previously compromised the systems on which they installed the old, legitimate apps.
"[The programs] were installed on each compromised computer the attackers wanted to run malware on. In some cases, it could be multiple computers on the same victim network," Neville says. In other instances, Symantec also observed them deploying multiple legitimate applications on a single machine to load their malware, he adds.
"They used quite an array of software, including security software, graphics software, and Web browsers," he notes. In some cases, Symantec researchers also observed the attackers using legitimate system files from the legacy Windows XP OS to enable the attack.
One of the malicious payloads is a new information stealer dubbed Logdatter, which allows the attackers to log keystrokes, take screenshots, query SQL databases, inject arbitrary code, and download files, among other things. Other payloads that the threat actor is using in its Asian campaign include a PlugX-based Trojan, two RATs dubbed Trochilus and Quasar, and several legitimate dual-use tools. These include Ladon, a penetration testing framework, FScan, and NBTscan for scanning victim environments.
Neville says Symantec has been unable to determine with certainty how the threat actors might be gaining initial access to a target environment, but phishing and opportunistic targeting of unpatched systems are likely vectors.
"Alternatively, a software supply chain attack is not outside the remit of these attackers as actors with access to ShadowPad are known to have launched supply chain attacks in the past," Neville notes. Once the threat actors have gained access to an environment, they have tended to use a range of scanning tools such as NBTScan, TCPing, FastReverseProxy, and Fscan to look for other systems to target.
To defend against these kinds of attacks, organizations need to implement mechanisms for auditing and controlling what software runs on their network. They should also consider implementing a policy of only allowing whitelisted applications to run in the environment, and prioritize patching of vulnerabilities in public-facing applications.
"We'd also recommend taking immediate action to clean machines that exhibit any indicators of compromise," Neville advises, "... including cycling credentials and following your own organization's internal process to perform a thorough investigation."
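One way to hunt for the sideloading layout described above in image-load telemetry, as an added example (this is not Symantec's detection logic or any tool from the report). It assumes Sysmon Event ID 7 ("Image loaded") records exported as one JSON object per line with the Image, ImageLoaded and Signed fields; every sample path, vendor and DLL name below is a constructed placeholder, not an indicator from the campaign.

```python
import json
from pathlib import PureWindowsPath

# Added example: triage Sysmon "Image loaded" (Event ID 7) records for the
# sideloading layout. Not Symantec's logic; all paths/names are constructed.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# DLL names that belong in the system directories; a same-named file sitting
# next to a trusted application is the classic sideload layout.
SYSTEM_DLL_NAMES = {"version.dll", "userenv.dll", "dwmapi.dll", "wtsapi32.dll"}

def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()

def classify(event: dict) -> list[str]:
    """Return the reasons a load looks like sideloading; empty means benign."""
    reasons = []
    exe, dll = event["Image"], event["ImageLoaded"]
    dll_name = PureWindowsPath(dll).name.lower()
    dll_dir = _dir(dll)
    # Strong signal: a system DLL name served from an application folder.
    if dll_name in SYSTEM_DLL_NAMES and not dll_dir.startswith(SYSTEM_DIRS):
        reasons.append(f"system DLL name {dll_name} served from {dll_dir}")
    # Weaker signal on its own: an unsigned DLL loaded from the executable's
    # own folder. Sysmon's Signed field describes the loaded image (the DLL).
    if dll_dir == _dir(exe) and str(event.get("Signed", "")).lower() != "true":
        reasons.append(f"unsigned {dll_name} loaded from the executable's folder")
    return reasons

def scan(lines) -> list[tuple[str, list[str]]]:
    """Parse one JSON event per line and return (ImageLoaded, reasons) hits."""
    hits = []
    for line in lines:
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append((event["ImageLoaded"], reasons))
    return hits

# Constructed sample export: a benign load, a sideload, and an unsigned plugin.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Program Files\\ExampleViewer\\viewer.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true", "Signature": "Microsoft Windows"}
{"Image": "C:\\Users\\Public\\oldviewer\\viewer.exe", "ImageLoaded": "C:\\Users\\Public\\oldviewer\\version.dll", "Signed": "false", "Signature": "-"}
{"Image": "C:\\Program Files\\ExampleViewer\\viewer.exe", "ImageLoaded": "C:\\Program Files\\ExampleViewer\\plugin.dll", "Signed": "false", "Signature": "-"}
""".strip().splitlines()
```

Calling scan(SAMPLE_EVENTS) returns the two suspicious loads (the copied version.dll with both reasons, the unsigned plugin with one); point scan() at a real per-line JSON export of Event ID 7 records to triage your own hosts, treating the unsigned-DLL signal alone as a lead to confirm rather than a verdict.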
