
AhnLab and South Korea’s National Cyber Security Center (NCSC) have released a detailed joint report on a persistent and sophisticated threat group—TA-ShadowCricket, formerly known as Shadow Force. The group, believed to be linked to China, has quietly operated for over a decade, targeting government and enterprise networks across the Asia-Pacific region.
“The threat actor has been active in countries in the Asia-Pacific region, including South Korea, since 2012,” the report states.
Following its “Threat Actor Naming and Taxonomy,” AhnLab initially categorized the unknown group as Larva-24013. Subsequent analysis of malware samples and infrastructure led to its identification as an “Arthropod”-level actor named TA-ShadowCricket. This reclassification was supported by forensic evidence linking the group to the Shadow Force malware lineage.
“AhnLab has been working with the NCSC to analyze the malicious IRC server and related malware… and has confirmed their association with the Shadow Force group.”
Central to the group’s operations is an IRC server acting as a command-and-control hub. This server, hosted with a Korean IP address, was found controlling over 2,000 compromised systems in 72 countries.
“Analysis of this system has identified over 2,000 affected IPs in 72 countries worldwide,” with notable concentrations in China (895), Korea (457), and India (98).
The attackers accessed these systems primarily via Remote Desktop Protocol (RDP), and some control sessions were traced to Chinese IP addresses, further suggesting geopolitical motivations.
TA-ShadowCricket’s toolset spans a structured three-stage infection model:
- Stage 1: Reconnaissance & Access
  - Tools like Upm and SqlShell perform privilege escalation and system reconnaissance.
  - Downloaders and command execution tools initiate infections.
- Stage 2: Remote Control
  - Maggie and Sqldoor backdoors facilitate command execution.
  - Legacy tools like Wgdrop (an IRC bot) remain in use for botnet operations.
- Stage 3: Persistence & Monetization
  - Malware such as CredentialStealer, Detofin (hooking APIs), and Miner (cryptocurrency mining) sustain long-term control and data collection.
Notably, TA-ShadowCricket continues to use Pemodifier—a patching tool for injecting malicious DLLs into system binaries—and has adopted Maggie malware as a modern backdoor that operates via SQL stored procedures.
“The Maggie malware is written as an Extended Stored Procedure (ESP) supported by MS SQL Server, and can be controlled by SQL queries.”
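Because an Extended Stored Procedure is a DLL loaded into the SQL Server process and callable by ordinary queries, one defensive check is to inventory every registered ESP, its DLL path and who may execute it. The T-SQL below is an added example written for this article, not code from the AhnLab/NCSC report; the Binn-directory location test is a heuristic assumption, and it does not match on Maggie's name, which the report does not give.

```sql
-- Defensive inventory of extended stored procedures (ESPs) on an MS SQL Server
-- instance. ESPs are registered in master, so run this there.
USE master;
GO

-- 1. Every user-registered ESP with the DLL it loads and when it was created.
SELECT
    o.name        AS esp_name,
    ep.dll_name   AS dll_path,
    o.create_date,
    o.modify_date,
    CASE
        -- Heuristic (assumption): vendor-supplied ESP DLLs normally live under
        -- the instance's MSSQL\Binn directory; anything elsewhere needs review.
        WHEN ep.dll_name LIKE '%\MSSQL\Binn\%' THEN 'expected location'
        ELSE 'REVIEW: DLL outside the SQL Server Binn directory'
    END           AS assessment
FROM sys.extended_procedures AS ep
JOIN sys.objects AS o
    ON o.object_id = ep.object_id
ORDER BY o.create_date DESC;
GO

-- 2. Who can execute each ESP. An ESP executable by public or by a
--    low-privilege login can be driven by any query that login can send.
SELECT
    o.name            AS esp_name,
    dp.name           AS grantee,
    p.permission_name,
    p.state_desc
FROM sys.extended_procedures AS ep
JOIN sys.objects AS o
    ON o.object_id = ep.object_id
JOIN sys.database_permissions AS p
    ON p.major_id = ep.object_id
   AND p.class = 1                      -- object-level permission
JOIN sys.database_principals AS dp
    ON dp.principal_id = p.grantee_principal_id
WHERE p.permission_name = 'EXECUTE'
ORDER BY o.name, dp.name;
GO
```

Compare the DLL paths against a known-good baseline of the instance; a newly created ESP whose DLL sits outside the install directory, or one executable by public, is the pattern an SQL-stored-procedure backdoor of this kind would leave.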
Unlike many contemporary APTs that engage in ransomware or data extortion, TA-ShadowCricket’s modus operandi is characterized by long-term stealth and espionage.
“The TA-ShadowCricket group has been active for over 13 years, quietly stealing information and not demanding money or releasing the stolen information on the dark web.”
This long-term persistence hints at either state-level intelligence gathering or a highly disciplined cybercrime syndicate preparing infrastructure for future disruptive operations, such as DDoS attacks.
While C2 server access from Chinese IPs and the geographic targeting suggest a Chinese nexus, the inclusion of coin miners and embedded nicknames within malware complicates attribution.
“There are indications of a possible link to China. However, the presence of a nickname embedded in the malware and the deployment of CoinMiners raise questions about whether this is truly a state-sponsored APT group.”