Since September 2021, up to 85 command-and-control (C2) servers have been identified as being used by the ShadowPad malware. Along with infrastructure being founded as recently as October 16, 2022.

The Threat Analysis Unit (TAU) at VMware examined three ShadowPad variants that used the TCP, UDP, and HTTP(S) protocols for C2 connections. Researchers Revealed 80 ShadowPad Malware C2 Servers.

Since 2015, several Chinese state-sponsored actors have privately released the modular malware platform known as ShadowPad, which is regarded as PlugX’s successor.

The Pangolin8RAT modular implant, which Taiwanese cybersecurity company TeamT5 revealed information about earlier this May and linked to the Tianwu threat group. The Tianwu is thought to be the replacement for the PlugX and ShadowPad malware families. Researchers Revealed 80 ShadowPad Malware C2 Servers.


The C2 servers were found by examining the list of open hosts produced by a programme called ZMap. ZMap after a study of the three ShadowPad artefacts, which were previously used by Winnti, Tonto Team. And a growing threat cluster nicknamed Space Pirates.

The business added that it had located malware samples called Spyder and ReverseWindow connecting with ShadowPad C2 IP addresses. Both of these samples are used maliciously by APT41 (also known as Winnti) and LuoYu.

Furthermore, similarities between the aforementioned Spyder sample and a Worker element of the threat actor’s Winnti 4.0 trojan have been found.

Takahiro Haruyama, the senior threat researcher at VMware TAU. It was noted that scanning APT malware C2s on the Internet occasionally like searching for a needle in a haystack. But once C2 scanning is effective, it can change the game as one of the most proactive threat detection strategies.