Updated Shadowpad Malware Leads to Ransomware Deployment
Essential information
- Published: 20/02/2025 10:44
- Modified: 21/02/2025 14:59
- Tags: 2025-02-20, anti-debugging, cqhashdumpv2, dns over https, impacket, intellectual property theft, manufacturing, multi-factor authentication bypass, plugx, ransomware, remote network attacks, shadowpad
- Related entities: 19 techniques (MITRE), 9 malware, 9 others
Description
A recent investigation revealed Shadowpad malware being used to deploy a new ransomware family in Europe. The threat actor targeted 21 companies across 15 countries, primarily in the manufacturing sector. Initial access was gained through remote network attacks that exploited weak passwords and bypassed multi-factor authentication. The Shadowpad samples showed enhancements in both anti-debugging techniques and encryption methods. Unusually, a previously unreported ransomware was deployed in some cases; it mimics the appearance of Kodex Evil Extractor but has different functionality. The attackers also used tools such as CQHashDumpv2 and Impacket for post-exploitation activity. While attribution remains uncertain, there are weak links to the Teleboyi threat actor.