Detecteam
Blog · Scenario

Shadowpad, PlugX, China Chopper, Stowaway RAT

By Detecteam, 2023-12-07

TLP

TLP CLEAR

Author

David Deflache, Sebastien Tricaud

Summary

This week we share data from another attack campaign observed in the wild.

In mid-autumn 2021, Kaspersky experts uncovered a ShadowPad malware campaign targeting a national telecom company in Pakistan. The intrusion, presumed to have begun in winter 2021, exploited the Microsoft Exchange vulnerability CVE-2021-26855 (ProxyLogon) to install a Cobalt Strike backdoor. Computers belonging to ICS engineers and automation systems were compromised, and the attackers maintained a persistent presence for at least 11 months. They operated a web shell on the victim's mail server and relied on DLL side-loading (T1574.002), a technique characteristic of Asian APT groups. ShadowPad samples were also found in Afghanistan and at a Malaysian transportation company, suggesting a broad geographic scope. The likely motive is cyberespionage aimed at critical data.
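The side-loading pattern mentioned above (T1574.002) is worth a concrete detection: a Windows DLL name that is mapped from the application's own directory instead of System32, typically unsigned or signed by someone other than Microsoft. The following is an added example written for this post, not code from the original page or from Kaspersky's report. The event fields mimic Sysmon Event ID 7 (image load), the list of commonly hijacked DLL names is an illustrative subset, and the sample events are constructed; all three are assumptions.

```python
"""Toy DLL side-loading (ATT&CK T1574.002) detection over constructed
image-load events shaped like Sysmon Event ID 7.

Added example, not code from the page or from Kaspersky. Event fields,
the COMMONLY_HIJACKED list and SAMPLE_EVENTS are assumptions.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Directories from which Windows legitimately maps these DLLs.
SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# DLL names frequently abused for side-loading because many executables
# resolve them from their own directory first (illustrative subset, assumption).
COMMONLY_HIJACKED = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptsp.dll",
    "userenv.dll", "winhttp.dll", "profapi.dll", "msimg32.dll",
}


@dataclass(frozen=True)
class ImageLoad:
    process: str   # full path of the loading executable
    image: str     # full path of the DLL that was mapped
    signed: bool   # Authenticode signature validated?
    signer: str    # subject of the signing certificate, "" if unsigned


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (works on any host OS)."""
    return ntpath.normpath(path).lower()


def _in_system_dir(path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def score_event(ev: ImageLoad) -> tuple[int, list[str]]:
    """Return (score, reasons); score 0 means nothing suspicious."""
    reasons: list[str] = []
    dll_dir, dll_name = ntpath.split(_norm(ev.image))
    proc_dir, _ = ntpath.split(_norm(ev.process))
    if dll_name not in COMMONLY_HIJACKED:
        return 0, reasons                  # not a name we care about
    if _in_system_dir(ev.image):
        return 0, reasons                  # loaded from where it belongs
    reasons.append(f"{dll_name} loaded from non-system directory {dll_dir}")
    if dll_dir == proc_dir:
        reasons.append("DLL sits beside the executable (application-directory search order)")
    if not ev.signed:
        reasons.append("DLL is unsigned")
    elif ev.signer.lower() != "microsoft windows":
        reasons.append(f"signer '{ev.signer}' is not Microsoft for a Windows DLL name")
    return len(reasons), reasons


def detect_sideload(events) -> list[tuple[ImageLoad, list[str]]]:
    """Flag events that match a hijackable name plus at least one more indicator."""
    return [(ev, r) for ev in events for s, r in [score_event(ev)] if s >= 2]


# Constructed sample telemetry (assumption): one benign system load, one
# side-load from a writable directory, one vendor DLL with a harmless name.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\version.dll", True, "Microsoft Windows"),
    ImageLoad(r"C:\ProgramData\Updater\updater.exe",
              r"C:\ProgramData\Updater\version.dll", False, ""),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\vendorcore.dll", False, ""),
]

if __name__ == "__main__":
    for ev, reasons in detect_sideload(SAMPLE_EVENTS):
        print(f"ALERT {ev.process} -> {ev.image}")
        for r in reasons:
            print("   -", r)
```

Only the second event fires: `version.dll` is mapped from the executable's own directory and is unsigned, which is exactly the shape ShadowPad loaders take. In production the name list would come from your own baseline of which DLLs each signed binary normally loads, and the signer check should compare against the validated certificate chain rather than a subject string.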

TIMELINE

DATA

We publish data for attacks weekly, hoping to help raise awareness of threats; we believe threats are best understood through their data footprint.

cs_files (download)

CATEGORY

Malware

REFERENCES

  • https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/11/09055246/Modern-Asian-APT-groups-TTPs_report_eng.pdf

TAGS

Post Tags:

  • T1005 - Data from Local System
  • T1016 - System Network Configuration Discovery
  • T1018 - Remote System Discovery
  • T1027 - Obfuscated Files or Information
  • T1033 - System Owner/User Discovery
  • T1049 - System Network Connections Discovery
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1055.012 - Process Injection: Process Hollowing
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  • T1078 - Valid Accounts
  • T1105 - Ingress Tool Transfer
  • T1190 - Exploit Public-Facing Application
  • T1197 - BITS Jobs
  • T1543.003 - Create or Modify System Process: Windows Service
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1574.002 - Hijack Execution Flow: DLL Side-Loading

Detecteam is transforming cybersecurity detection from static rule-writing to autonomous, continuous validation. Our REFLEX platform automates the detection lifecycle—building, testing, validating and deploying detections in minutes, not months. We help enterprises maximize ROI on existing tools, close high-risk detection gaps faster, and scale security outcomes without scaling headcount. This is the future of detection-as-code, and we’re leading it.

© 2025 Detecteam Inc. All Rights Reserved.