Updated on 2022-10-30: ShadowPad C2 servers
In a report last week, the VMware security team said they found more than 80 command and control servers for ShadowPad, a backdoor trojan typically used in intrusions by Chinese state-sponsored hacking groups. VMware said it identified the servers after it analyzed the ShadowPad command and control protocol for new ways to fingerprint the malware’s network traffic. Read more: Threat Analysis: Active C2 Discovery Using Protocol Emulation Part3 (ShadowPad)
Overview: ShadowPad intrusion
NCC Group researchers have a write-up on a Chinese APT intrusion that began with the exploitation of a WSO2 device via CVE-2022-29464 and ended with the deployment of the ShadowPad backdoor and data exfiltration. Read more: A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion