NetSarang server tools shipped ShadowPad backdoor

In August 2017, Kaspersky traced suspicious DNS traffic inside a financial institution to NetSarang server-management software. The affected products were legitimate, signed NetSarang builds. The compromise lived inside software used by administrators, on machines with useful access.

The malicious code was embedded in nssock2.dll, a library loaded by the NetSarang tools. It was compiled on July 13, 2017 and signed with a legitimate NetSarang certificate. Public guidance later bounded distribution to NetSarang's website and in-application update utilities between July 18 and August 4, 2017.

ShadowPad stayed quiet until activated. The first layer sent host, domain, and user details every eight hours, then waited for a specially crafted DNS TXT record for a month-derived domain such as nylalobghyhirgh.com. A returned key decrypted the next stage. The packet marker decoded to DOOR.

Once active, the backdoor could upload files, create processes, download and execute attacker code, and keep an encrypted virtual file system in the registry. NetSarang removed the affected packages after notification and issued clean builds. The lesson was direct: a signed admin tool can become a patient access broker.

Motive

Espionage

Attribution

Group

Cause

Build System Compromise

Transitive

No

Actor

Unknown Chinese-speaking actor

User Impact

10000

• Locationmirror: securelist.com/shadowpad-in-corporate-networks/79953
• Locationmirror: securelist.com/shadowpad-in-corporate-networks/81432
• Locationmirror: virustotal.com/gui/file/db67eaef6a31d392a0240a92494c9058d864f3fc7be5b42767e5c978c690023c
• Locationmirror: github.com/malware-research/samples/tree/main/shadowpad
• filenssock2.dll
• file_md5nssock2.dll 97363d50a279492fda14cbab53429e75
• file_md5clean nssock2.dll ef0af7231360967c08efbdd2a94f9808
• file_sha256ShadowPad sample db67eaef6a31d392a0240a92494c9058d864f3fc7be5b42767e5c978c690023c
• file_sha256ShadowPad sample 5554bf896a8f77a2f12df4af39e7baeebb411953d4158249b87688f9c8d35ba5
• malwareShadowPad
• detectionBackdoor.Win32.Shadowpad.a
• cveCVE-2017-20203
• cveCVE-2025-34252
• cweCWE-506
• domainribotqtonut.com
• domainnylalobghyhirgh.com
• domainjkvmdmjyfcvkf.com
• domainbafyvoruzgjitwr.com
• domainxmponmzmxkxkh.com
• domaintczafklirkl.com
• domainnotped.com
• domaindnsgogle.com
• domainoperatingbox.com
• domainpaniesx.com
• domaintechniciantext.com
• markerDOOR
• certificate_serial53 0C E1 4C 81 F3 62 10 A1 68 2A FF 17 9E 25 80
• observableDNS TXT activation record unlocked the encrypted second-stage payload.
• observablePayload could store an encrypted virtual file system in the Windows registry.

• Creepy backdoor found in NetSarang server management softwaretheregister.com
• Recovering from nssock2.dll by Supportnetsarang.atlassian.net
• NetSarang Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220 contain malicious nssock2.dllgithub.com
• ShadowPad attack sabotaged NetSarang software with backdoorscworld.com
• ShadowPad: How Attackers Hide Backdoor in Software Used by Hundreds of Large Companies Around the Worldkaspersky.com
• Software Compromised with Backdoor Trojancyber.gc.ca
• NetSarang v5.0 Malicious Backdoor Supply Chain Compromisevulncheck.com