As many as 85 command-and-control (C2) servers supporting the ShadowPad malware have been discovered since September 2021, with related infrastructure still being detected recently.
The Threat Analysis Unit (TAU) at VMware examined three ShadowPad variants that use the TCP, UDP, and HTTP(S) protocols for C2 communications. Since 2015, several Chinese state-sponsored actors have privately shared the modular malware platform known as ShadowPad, which is regarded as the successor to PlugX. The company added that it had located malware samples called Spyder and ReverseWindow communicating with ShadowPad C2 IP addresses. Both of these samples are used maliciously by APT41 (also known as Winnti) and LuoYu.
Furthermore, similarities between the aforementioned Spyder sample and a Worker element of the threat actor’s Winnti 4.0 Trojan have been found.