TA-ShadowCricket: Emerging Malware Trends and IRC Server Tracking

Published 27/05/2025 23:59 · Modified 28/05/2025 13:19

Essential information

Tags
2025-05-27 apt asia-pacific botnet china credentialstealer detofin irc maggie maggiescan malware miner ms-sql pemodifier shaduser sqldoor sqlshell upm wgdrop windows servers
Related entities
13 observables, 1 intrusion sets (apt), 15 techniques (mitre), 11 malware, 8 others

Description

The TA-ShadowCricket group, formerly known as Shadow Force, has been active in the region since 2012, targeting and servers. They operate an server with over 2,000 affected IPs in 72 countries. The group uses various and tools, including , , , and . Their activities involve three stages: initial access and reconnaissance, backdoor deployment, and additional malicious behaviors. The group has connections to and has been quietly stealing information for over 13 years without demanding ransom or releasing stolen data. Their persistent activity suggests preparation for potential large-scale attacks in the future.

External references