Updated Shadowpad Malware Leads to Ransomware Deployment www.trendmicro.com/en_us/res…

In November 2024, Trend Micro had two incident response cases in Europe with similar C&C servers and other TTPs, suggesting a single threat actor behind both operations. Both incidents involved Shadowpad, a malware family that has been used by multiple advanced Chinese threat actors to perform espionage.

Hunting for similar TTPs, Trend Micro found a total of 21 companies targeted with a similar malware toolkit in the last seven months: nine in Europe, eight in Asia, three in the Middle East, and one in South America. Eight different industries were affected, with more than half of the targets in the manufacturing industry. They are listed in the Victimology section.

In two cases, the threat actor deployed ransomware from a previously unreported family. This is an uncommon move for threat actors using Shadowpad, although APT41 has been reported to use Encryptor RaaS. It is not known why the threat actor deployed the ransomware against only some of the targets that were found.
