^[4]

ShadowPad communicates over HTTP to retrieve a string that is decoded into a C2 server URL.^[3]

ShadowPad has used FTP for C2 communications.^[3]

ShadowPad has used DNS tunneling for C2 communications.^[3]

ShadowPad has encoded data as readable Latin characters.^[2]

ShadowPad has decrypted a binary blob to start execution.^[3]

ShadowPad uses a DGA that is based on the day of the month for C2 servers.^[2][3][4]

ShadowPad has deleted arbitrary Registry values.^[3]

ShadowPad has downloaded code from a C2 server.^[2]

ShadowPad has discovered system information including volume serial numbers.^[3]

ShadowPad can modify the Registry to store and maintain a configuration block and virtual file system.^[3][5]

ShadowPad has used UDP for C2 communications.^[3]

ShadowPad has encrypted its payload, a virtual file system, and various files.^[2][5]

ShadowPad maintains a configuration block and virtual file system in the Registry.^[3][5]

ShadowPad has collected the PID of a malicious process.^[3]

ShadowPad has injected an install module into a newly created process.^[3]

ShadowPad has injected a DLL into svchost.exe.^[3]

ShadowPad has sent data back to C2 every 8 hours.^[2]

ShadowPad has discovered system information including memory status, CPU frequency, and OS versions.^[3]

ShadowPad has collected the domain name of the victim system.^[3]

ShadowPad has collected the username of the victim system.^[3]

ShadowPad has collected the current date and time of the victim system.^[3]

^[6][7]

RedEcho has usedShadowPad during intrusions.^[8][9]

^[1]

^[10]

^[4][1]

Aquatic Panda usedShadowPad as a remote access tool to victim environments.^[11]

^[5]

^[1]

Indian Critical Infrastructure Intrusions included the use ofShadowPad malware for operations.^[9][12]

Mustang Panda used similar installation techniques with DLL sideloading to installShadowPad duringRedDelta Modified PlugX Infection Chain Operations.^[7]