Chinese hackers are leveraging a sophisticated custom ShadowPad IIS Listener module to transform compromised servers into a resilient, distributed relay network. This advanced tactic allows the threat actors to route malicious traffic through victim infrastructure, effectively turning hacked organizations into an interconnected mesh of command-and-control nodes. This evolution in tradecraft, identified by Check Point Research, significantly complicates detection and attribution efforts for cybersecurity professionals.
The operation, attributed to a group also known as Earth Alux or REF7707, begins by exploiting pre-existing vulnerabilities. Common entry points include well-known flaws in ASP.NET ViewState deserialization and SharePoint vulnerabilities such as ToolShell. Attackers can achieve remote code execution either by leveraging leaked machine keys or targeting unpatched endpoints, leading to a full system compromise.
The ShadowPad IIS Listener Mechanism
The core of this campaign’s innovation lies in a custom Internet Information Services (IIS) module, which acts as a listener. Unlike traditional backdoors that might open specific ports, this module utilizes the HttpAddUrl API to register dynamic URL listeners. These listeners are programmed to intercept specific HTTP requests that match a predefined pattern.
When a matching request is intercepted, the ShadowPad IIS Listener module decrypts the payload. This decryption determines whether the traffic contains a command intended for the attackers. In a significant stealth maneuver, if the intercepted traffic does not conform to the module’s proprietary protocol, it is forwarded to the legitimate IIS worker process. This ensures that normal web content is served to unsuspecting users, preventing immediate suspicion and maintaining operational continuity.
This method of covert interception allows the implant to coexist with legitimate applications running on the compromised server without disrupting service availability. The module employs a specific decryption routine for initial packets, a security measure designed to ensure that only authorized operator traffic is processed and acted upon. This selective processing is crucial for maintaining the integrity of the hidden communication channel.
The malware further enhances its resilience and evasion capabilities by maintaining separate lists for server and client nodes within its architecture. This organizational structure allows the implant to automatically pair connections, facilitating the relay of data between different compromised machines. This capability enables attackers to bridge communications across networks that are not directly linked, making the task of tracing the true origin of attacks considerably more challenging and complicating remediation efforts.
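Because the module registers its own URL prefixes with HTTP.sys through HttpAddUrl, one defender-side check is to enumerate every registered prefix and its owning process and compare them against a baseline of known site bindings. The following is an added example (not Check Point's code or the implant's): it parses a constructed, simplified excerpt of `netsh http show servicestate view=requestq` output and a constructed PID-to-image table, and flags prefixes that are either owned by a non-IIS process or missing from the binding baseline.

```python
"""Hunt for HTTP.sys URL registrations that do not belong to the expected IIS bindings."""
import re

# Constructed sample (simplified netsh layout): one request queue owned by w3wp.exe
# (PID 4120) and a second queue, owned by PID 7788, that registered a narrow prefix.
SAMPLE_SERVICESTATE = """\
Request queue name: Request queue is unnamed.
    State: Active
    Process IDs:
        4120
    URL groups:
    URL group ID: FE00000040000001
        Registered URLs:
            HTTP://+:80/
            HTTPS://+:443/
Request queue name: Request queue is unnamed.
    State: Active
    Process IDs:
        7788
    URL groups:
    URL group ID: FE00000040000002
        Registered URLs:
            HTTP://+:80/STATUS/PING/
"""
# Constructed PID -> image table (stand-in for a tasklist / Get-Process export).
SAMPLE_PROCESSES = {4: "System", 4120: "w3wp.exe", 7788: "svchost.exe"}
IIS_HOSTS = {"w3wp.exe", "iisexpress.exe"}  # processes expected to own site bindings

def parse_request_queues(text):
    """Return one {'pids': [...], 'urls': [...]} dict per request queue in the output."""
    queues, section = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Request queue name:"):
            queues.append({"pids": [], "urls": []}); section = None
        elif s == "Process IDs:":
            section = "pids"
        elif s == "Registered URLs:":
            section = "urls"
        elif section == "pids" and s.isdigit():
            queues[-1]["pids"].append(int(s))
        elif section == "urls" and re.match(r"https?://", s, re.I):
            queues[-1]["urls"].append(s)
        elif s.endswith(":"):  # any other header closes the current list
            section = None
    return queues

def find_suspicious(queues, processes, baseline):
    """Flag prefixes owned by a non-IIS process or absent from the binding baseline."""
    findings = []
    for q in queues:
        owners = [processes.get(pid, "<unknown>") for pid in q["pids"]]
        for url in q["urls"]:
            if not any(o.lower() in IIS_HOSTS for o in owners):
                findings.append((url, q["pids"], owners, "owner is not an IIS worker"))
            elif url.upper() not in baseline:
                findings.append((url, q["pids"], owners, "prefix not in binding baseline"))
    return findings
```

Feed it the real netsh output and a current process list on a server under review; the second rule also catches an unexpected prefix registered from inside w3wp.exe, so both hosting models described above are covered.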
According to Check Point researchers, this group, also referred to as Ink Dragon, has moved beyond simple data theft. They are actively repurposing compromised systems to bolster their ongoing operations against other targets. This strategic reuse of compromised assets represents a mature operational philosophy focused on long-term stealth, enhanced resilience, and the continuous expansion of their operational reach.
The modular architecture of the ShadowPad IIS Listener provides attackers with persistent access to compromised systems and the ability to move laterally across internal networks. By integrating with native IIS capabilities, command traffic can be cleverly hidden within standard HTTP streams. This makes it exceptionally difficult for network defenders to distinguish malicious communications from legitimate web traffic while monitoring standard protocols.
This evolving threat landscape necessitates continuous vigilance and adaptation in cybersecurity defenses. The reliance on established vulnerabilities, coupled with custom evasion techniques, highlights the persistent danger posed by advanced persistent threat (APT) groups. As attackers refine their methodologies, organizations must prioritize robust vulnerability management and advanced threat detection solutions to counter these sophisticated incursions.
The detailed analysis by Check Point provides valuable insights into the operational tactics of this threat group. Future efforts will likely focus on dissecting the full extent of their infrastructure and understanding the specific types of targets being pursued. The ongoing development of custom modules like the ShadowPad IIS Listener suggests a continuous arms race between attackers and defenders, with organizations needing to stay ahead of emerging threats.