Home > List all groups > List all tools > List all groups using tool ShadowNet

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: ShadowNet

TypeBackdoor, Info stealer, Exfiltration
Description(Citizen Lab) ShadowNet malware leverages Windows Management Instrumentation (WMI), a system tool meant for administrators. Its intended usage as a tool for collecting system information and automation makes it an ideal mechanism for gathering and exfiltrating data. The use of legitimate Windows features can make it more difficult for administrators to identify activity as malicious.

ShadowNet typically uses multi-layered C2 infrastructure that first connects to blog websites and then retrieves C2 information from encoded strings left on the blog. By using blog sites as intermediaries the attackers can maintain control of compromised machines even if a C2 is blocked by a network firewall or otherwise goes down. If a C2 needs to be updated the attackers can simply point the intermediaries to new servers.

Last change to this tool card: 20 April 2020

Download this tool card in JSON format

All groups using tool ShadowNet


APT groups

 Shadow NetworkChina2010-2010X

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
PGP Download PGP key