ShadowPad is a RAT (Remote Access Trojan) used frequently by several Chinese state-sponsored threat actors. Activity involving ShadowPad has also been linked to the MSS (Chinese Ministry of State Security) and the People's Liberation Army (PLA). It is mostly a two-file execution malware: a DLL loader with the ShadowPad payload embedded in it. Threat actors using ShadowPad are targeting South Korea, India, Japan, Ukraine, Russia, and Mongolia. One such group is TAG-38, which has recently targeted Indian power grid assets.
Figure: Observed timeline of ShadowPad execution, service creation, and payload injection on a compromised network.