ShadowPad is a modular backdoor that was first identified in a Software Supply Chain Compromise of NetSarang software in mid-July 2017. The malware was originally thought to be used exclusively by APT41, but has since been observed in use by various Chinese threat activity groups.
The ShadowPad backdoor was planted in software from NetSarang, a server management software vendor based in the U.S. and South Korea whose products are used by large businesses around the world. When activated, the backdoor allows attackers to download further malicious modules or steal data.
A slight change was made to one of NetSarang's dynamic link library (DLL) files, which was then signed with a legitimate NetSarang certificate, implying that the attackers modified the source code or patched the software on the build servers.
Associated Software Descriptions
| Domain | ID | Sub-technique | Name |
|---|---|---|---|
| Enterprise | VT0004 | .002 | Supply Chain Compromise: Compromise Software Supply Chain |

The ShadowPad backdoor was inserted into a dynamic link library (DLL) file of NetSarang's server management software and delivered to NetSarang's users in a Software Supply Chain Compromise.
Threat Actors That Use This Tool
APT41 is reported to be behind the infamous modular backdoor ShadowPad, which was first discovered in the Software Supply Chain Compromise of NetSarang software.
Created: 06 May 2021
Last Modified: 06 May 2021