Updated Shadowpad Malware Leads to Ransomware Deployment

    Date: 02/21/2025

    Severity: High

    Summary

    "Updated Shadowpad Malware Leads to Ransomware Deployment" reports on a series of incidents involving the Shadowpad malware, attributed to a Chinese threat actor. Over seven months, 21 companies across multiple regions, particularly in manufacturing, were targeted with similar tactics and techniques. In some cases, the actor deployed a previously unreported ransomware, an unusual tactic for Shadowpad campaigns, though APT41 has been known to use Encryptor RaaS. The reason behind the selective ransomware deployment remains unclear.

    Indicators of Compromise (IOC) List

    URL/Domain

    updata.dsqurey.com

    time.dsqurey.com

    dscriy.chtq.net

    system.chtq.net

    updata.chtq.net

    network.oossafe.com

    notes.oossafe.com

    caba.superdasqe.me

    ccs.superdasqe.me

    czs.superdasqe.me

    kzb.superdasqe.me

    Hash

    8d44f2f442ca8f2fbbf75086a6f8d518c300ca93fe9957a9716076919b475865
    
    83c1a668ab06f55e6879593ca24eed9f78832be97ac90bb74ef5828067f2d900
    
    c19be7a006bd2ba8deb56dcc6127a76f9624c6f1392a1794870dbed6f1a81bd5
    
    c4db25ab55af2e943a297a5ecf7a62acc3ad8897ec8ba4ab3226a138da237b82
    
    28e6362ecf033b2a26c7457dcbd7ad2ab34e253fb08666d39073391a1254ea41
    
    7416f6b69b34b3a36a86e50808e1dc47f4dc665bfd6f394cef65e0ba5eaf961b
    
    bc490047fe6e0b0000c6cd147d3cf483105c92cf00450bfe35ac70f276a9e5c8
    
    c5f8a256d0969e253633160b9728b6c2bc044f536e92af178a05a598aaa09c1f
    
    a2bb321d41b2300e80f9400950fa2125470d5b3927933ab4d6397f0cbf81532a
    
    d74b6b2129936377aaccc619bcfd4df4ffbe2f35f960a4b043b23ae78a31ec35
    
    366ea3377eaefa28b655b530710c03fb2ace67bb531b1820e916cb02023892ba
    
    f8915c5be0649642dac22572355f1462972f5087471f66f6a243f2374b208eb8
    
    b38dab1ee402f731313d697d5d79372ae97fcab5704077771b5b82e705e0cd6d
    
    625ed0e0ad7d3fbf2738349c767a7990c9f0d388de66104e11df3e0c4632033c
    
    431a630983cd327fc70ea49b3a5497a179dbde19d8f13d2cfceef4e47613024b
    
    e1d72b0cfc3342b8a6436e3047c3cc54246c346ac179e459d07620d192ba6e01
    
    fa7f2ddf91980d639a87465bd2a38eaa44d6079b11ace3b2b3dff03caed66de5
    
    b28bc39e569aa0cfe984c341830cb037c5305877ba22a940c3bdaeb43ca87878
    
    571607c7f55c3616e4c58db15e3d55317da10294dbc10e0cd1ed24879b8fc051
    
    bc5b2ef81593095696433877cccb0ab75ef942258ef4795de5538df842d952f4
    
    fa3a3351cd55089d40a7311e4bfaf15e4247416f78383d94ad58809467429b3e
    
    2df4c7bfa608ca88d9d659358894226910850ac0d7e566c6c10ec2727361d47b
    
    b66660dfe1ce69f706aaa412fcd3ff18554d604df59c09adc2a8117417967ce9
    
    7b8ea6b1e2a29190cb28fc98ef837bf4a7a0b71b84177ce9395a5113a843c4d3
    
    de4bb30e400f081601d4091206ba6c04ac502f50e0dbac879db8c0202bff8108
    
    5dc36e687a7fa3cfbf845e8a53173f37ac38559b6b87f9dcf609a72b3f284035
    
    37039a761114251f4556e4fe41c3ec01b7206a483c4698ffe5a0f1617a8bc26b
    
    fcb8bf42d852526214578ab4b477b29f2412a7a931c6353db4fa6c221661edf4
    
    ceac8b67f19d596b2c2f34d682f88c717d11dd4c1144e2e7439b6bb78adb1736

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "ccs.superdasqe.me" or url like "ccs.superdasqe.me" or userdomainname like "updata.dsqurey.com" or url like "updata.dsqurey.com" or userdomainname like "network.oossafe.com" or url like "network.oossafe.com" or userdomainname like "kzb.superdasqe.me" or url like "kzb.superdasqe.me" or userdomainname like "time.dsqurey.com" or url like "time.dsqurey.com" or userdomainname like "czs.superdasqe.me" or url like "czs.superdasqe.me" or userdomainname like "caba.superdasqe.me" or url like "caba.superdasqe.me" or userdomainname like "dscriy.chtq.net" or url like "dscriy.chtq.net" or userdomainname like "updata.chtq.net" or url like "updata.chtq.net" or userdomainname like "system.chtq.net" or url like "system.chtq.net" or userdomainname like "notes.oossafe.com" or url like "notes.oossafe.com"

    Detection Query 2

    sha256hash IN ("ceac8b67f19d596b2c2f34d682f88c717d11dd4c1144e2e7439b6bb78adb1736","fcb8bf42d852526214578ab4b477b29f2412a7a931c6353db4fa6c221661edf4","5dc36e687a7fa3cfbf845e8a53173f37ac38559b6b87f9dcf609a72b3f284035","a2bb321d41b2300e80f9400950fa2125470d5b3927933ab4d6397f0cbf81532a","37039a761114251f4556e4fe41c3ec01b7206a483c4698ffe5a0f1617a8bc26b","c19be7a006bd2ba8deb56dcc6127a76f9624c6f1392a1794870dbed6f1a81bd5","b66660dfe1ce69f706aaa412fcd3ff18554d604df59c09adc2a8117417967ce9","8d44f2f442ca8f2fbbf75086a6f8d518c300ca93fe9957a9716076919b475865","83c1a668ab06f55e6879593ca24eed9f78832be97ac90bb74ef5828067f2d900","c4db25ab55af2e943a297a5ecf7a62acc3ad8897ec8ba4ab3226a138da237b82","28e6362ecf033b2a26c7457dcbd7ad2ab34e253fb08666d39073391a1254ea41","7416f6b69b34b3a36a86e50808e1dc47f4dc665bfd6f394cef65e0ba5eaf961b","bc490047fe6e0b0000c6cd147d3cf483105c92cf00450bfe35ac70f276a9e5c8","c5f8a256d0969e253633160b9728b6c2bc044f536e92af178a05a598aaa09c1f","d74b6b2129936377aaccc619bcfd4df4ffbe2f35f960a4b043b23ae78a31ec35","366ea3377eaefa28b655b530710c03fb2ace67bb531b1820e916cb02023892ba","f8915c5be0649642dac22572355f1462972f5087471f66f6a243f2374b208eb8","b38dab1ee402f731313d697d5d79372ae97fcab5704077771b5b82e705e0cd6d","625ed0e0ad7d3fbf2738349c767a7990c9f0d388de66104e11df3e0c4632033c","431a630983cd327fc70ea49b3a5497a179dbde19d8f13d2cfceef4e47613024b","e1d72b0cfc3342b8a6436e3047c3cc54246c346ac179e459d07620d192ba6e01","fa7f2ddf91980d639a87465bd2a38eaa44d6079b11ace3b2b3dff03caed66de5","b28bc39e569aa0cfe984c341830cb037c5305877ba22a940c3bdaeb43ca87878","571607c7f55c3616e4c58db15e3d55317da10294dbc10e0cd1ed24879b8fc051","bc5b2ef81593095696433877cccb0ab75ef942258ef4795de5538df842d952f4","fa3a3351cd55089d40a7311e4bfaf15e4247416f78383d94ad58809467429b3e","2df4c7bfa608ca88d9d659358894226910850ac0d7e566c6c10ec2727361d47b","7b8ea6b1e2a29190cb28fc98ef837bf4a7a0b71b84177ce9395a5113a843c4d3","de4bb30e400f081601d4091206ba6c04ac502f50e0dbac879db8c0202bff8108")
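The two queries above express the same logic: flag any event whose requested host name or URL is on the IOC domain list, or whose file hash is on the IOC SHA-256 list. The following Python script is an added example, not part of the Gurucul advisory or Trend Micro's research; it applies both checks to a few constructed log records so the matching behaviour can be inspected offline. The IOC values are copied from the lists above (only a representative subset of the hashes is included). The field names `userdomainname`, `url` and `sha256hash` are taken from the queries; the event dictionaries, the `host_of` / `domain_hit` / `classify` / `run_detection` helpers, and the sample records are assumptions made for the example.

```python
from typing import List, Optional
from urllib.parse import urlsplit

# Domains copied from the advisory's IOC list.
IOC_DOMAINS = {
    "updata.dsqurey.com", "time.dsqurey.com",
    "dscriy.chtq.net", "system.chtq.net", "updata.chtq.net",
    "network.oossafe.com", "notes.oossafe.com",
    "caba.superdasqe.me", "ccs.superdasqe.me", "czs.superdasqe.me", "kzb.superdasqe.me",
}

# Representative subset of the SHA-256 hashes from the advisory (use the full list in production).
IOC_SHA256 = {
    "8d44f2f442ca8f2fbbf75086a6f8d518c300ca93fe9957a9716076919b475865",
    "83c1a668ab06f55e6879593ca24eed9f78832be97ac90bb74ef5828067f2d900",
    "ceac8b67f19d596b2c2f34d682f88c717d11dd4c1144e2e7439b6bb78adb1736",
    "2df4c7bfa608ca88d9d659358894226910850ac0d7e566c6c10ec2727361d47b",
    "fa3a3351cd55089d40a7311e4bfaf15e4247416f78383d94ad58809467429b3e",
}


def host_of(url: str) -> str:
    """Return the lowercase host name of a URL, or "" if none can be parsed."""
    if not url:
        return ""
    # Without a scheme, urlsplit would treat "updata.chtq.net/x" as a path, not a host.
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def domain_hit(host: str) -> Optional[str]:
    """Return the IOC domain that `host` equals or is a subdomain of, else None.

    Matching is anchored on label boundaries, so a look-alike such as
    "time.dsqurey.com.internal.example" is not reported as a hit.
    """
    host = host.rstrip(".").lower()
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def classify(event: dict) -> List[str]:
    """Apply Detection Query 1 (domains) and Query 2 (hashes) to one event."""
    reasons = []
    # Query 1: the queried name or the host part of the URL is an IOC domain.
    for field in ("userdomainname", "url"):
        value = event.get(field, "") or ""
        host = host_of(value) if field == "url" else value
        hit = domain_hit(host)
        if hit:
            reasons.append(f"{field} matches IOC domain {hit}")
    # Query 2: the file hash is on the IOC list (normalised to lowercase first).
    digest = (event.get("sha256hash", "") or "").strip().lower()
    if digest in IOC_SHA256:
        reasons.append(f"sha256hash matches IOC {digest[:12]}...")
    return reasons


def run_detection(events: List[dict]):
    """Return [(index, reasons)] for every event that matches either query."""
    hits = []
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample records (not real telemetry); field names follow the queries above.
SAMPLE_EVENTS = [
    # 0: proxy record fetching from an IOC host -> Query 1 hit via the url field
    {"userdomainname": "", "url": "https://updata.dsqurey.com:443/update.bin", "sha256hash": ""},
    # 1: DNS record for a subdomain of an IOC domain -> Query 1 hit via userdomainname
    {"userdomainname": "api.system.chtq.net", "url": "", "sha256hash": ""},
    # 2: EDR file event with an IOC hash in upper case -> Query 2 hit
    {"userdomainname": "", "url": "",
     "sha256hash": "8D44F2F442CA8F2FBBF75086A6F8D518C300CA93FE9957A9716076919B475865"},
    # 3: benign look-alike that merely contains an IOC string -> no hit
    {"userdomainname": "time.dsqurey.com.internal.example", "url": "", "sha256hash": ""},
    # 4: benign unrelated traffic -> no hit
    {"userdomainname": "", "url": "https://www.example.com/", "sha256hash": "0" * 64},
]

if __name__ == "__main__":
    for index, reasons in run_detection(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

Two points of the design are worth noting. Hashes are lowercased before lookup because EDR and sandbox sources disagree on case, and an exact `IN` list silently misses an upper-case digest. Domain matching is anchored on label boundaries rather than on substrings; a `like` operator whose semantics include substring matching would also flag event 3, which may or may not be wanted, so check how the SIEM's `like` behaves before relying on it for either direction.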

    Reference:

    https://www.trendmicro.com/en_us/research/25/b/updated-shadowpad-malware-leads-to-ransomware-deployment.html

    Tags

    Malware, Ransomware, APT, Threat Actors, Critical Manufacturing
