My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

Study of the ShadowPad APT backdoor and its relation to PlugX

October 27, 2020


In July 2020, we released a study of targeted attacks on state institutions in Kazakhstan and Kyrgyzstan with a detailed analysis of malware found in compromised networks. During the investigation, Doctor Web specialists analyzed and described several groups of trojan programs, including new samples of trojan families already encountered by our virus analysts, as well as previously unknown trojans. The most notable discovery was the samples of the XPath family. We were also able to find evidence that allowed us to link two initially independent incidents. In both cases, the attackers used a similar selection of malware, including the same specialized backdoors that infected domain controllers in the attacked organizations.

During the examination, analysts studied samples of PlugX multi-module backdoors used for initial penetration into the network infrastructure. The analysis showed that certain PlugX modifications used the same domain names of C&C servers, as did other backdoors related to targeted attacks on Central Asian state institutions. The detection of the PlugX programs indicates Chinese APT groups are possibly involved in these incidents.

According to our data, the unauthorized presence in both networks lasted for more than three years, and several hacker groups could be behind the attacks. Investigations of such complex cyber incidents involve long-term work, so they are rarely covered by a single article.

The Doctor Web virus laboratory received new samples of malware found on the infected computers in the local network of a state institution in Kyrgyzstan.

In addition to the malware described in the previous article, the ShadowPad backdoor deserves particular attention. Various modifications of this malware family are a well-known tool of the Winnti APT group, presumably of Chinese origin, active since at least 2012. It is noteworthy that the Farfli backdoor was also installed on computers along with ShadowPad, and both programs referred to the same C&C server. Additionally, we uncovered several PlugX modifications on the same computer.

In this study we analyzed the algorithms of the detected backdoors. Special attention is paid to the code similarities between the ShadowPad and PlugX samples, as well as to some intersections in their network infrastructure.

List of detected malware

The following backdoors were found on the infected computer:

SHA256 hashes Detection name The C&C server Installation dates
ac6938e03f2a076152ee4ce23a39a0bfcd676e4f0b031574d442b6e2df532646 BackDoor.ShadowPad.1 www[.]pneword[.]net 07.09.2018 13:14:57.664
www[.]pneword[.]net 03.11.2017 09:06:07.646
3ff98ed63e3612e56be10e0c22b26fc1069f85852ea1c0b306e4c6a8447c546a (DLL-downloader)
b8a13c2a4e09e04487309ef10e4a8825d08e2cd4112846b3ebda17e013c97339 (main module)
www[.]mongolv[.]com 29.12.2016 14:57:00.526
32e95d80f96dae768a82305be974202f1ac8fcbcb985e3543f29797396454bd1 (DLL-downloader)
b8a13c2a4e09e04487309ef10e4a8825d08e2cd4112846b3ebda17e013c97339 (main module)
www[.]arestc[.]net 23.03.2018 13:06:01.444
b8a13c2a4e09e04487309ef10e4a8825d08e2cd4112846b3ebda17e013c97339 (main module) BackDoor.PlugX.48 www[.]icefirebest[.]com 03.12.2018 14:12:24.111

For further research, we found and analyzed other samples of the ShadowPad family in order to perform a detailed examination of the similarities between the ShadowPad and PlugX backdoors:

  • BackDoor.ShadowPad.3
  • BackDoor.ShadowPad.4 — a modification of ShadowPad that was part of a self-extracting WinRAR dropper. It loaded an atypical for this family module in the form of a DLL library.

A thorough study of ShadowPad samples and their comparison with previously studied PlugX modifications indicates a high similarity in the operation principles and modular structures of the backdoors from both families. These malicious programs are united not only by the general concept, but also by the nuances of the code: certain development techniques, ideas, and technical solutions are nearly identical. An important point is that both backdoors were located in the compromised network of a state institution in Kyrgyzstan.

For a detailed description of the malware used and how it works, see the PDF-version of the study or the Dr.Web Virus Library.


The available data allow us to conclude that these families are related in terms of simple code borrowing or the development of both programs by one author or a group of authors. In the second case, it is very likely that ShadowPad is an evolution of PlugX as a newer and more advanced APT tool. The storage format of the malicious modules used in the ShadowPad makes it much more difficult to detect them in RAM.

Indicators of compromise.

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments