Chinese Hackers Target Hong Kong Universities With New Backdoor Variant

The China-linked threat group tracked as Winnti was observed using a new variant of the ShadowPad backdoor in recent attacks targeting Hong Kong universities, ESET’s security researchers report.

Believed to have been active since at least 2009, the Winnti Group is operating under the same umbrella as Axiom, Barium, Group 72, Blackfly, and APT41, targeting the aviation, gaming, pharmaceuticals, technology, telecommunication, and software development sectors in industrial cyber-espionage campaigns.

In October last year, ESET detailed two new backdoors employed by the hackers, namely PortReuse and the Microsoft SQL-targeting skip-2.0.

One month later, the security researchers discovered a new campaign run by the Chinese hackers, targeting two Hong Kong universities with a new variant of the ShadowPad backdoor, the group’s flagship tool.

A few weeks prior to discovering the backdoor, the Winnti malware was found on computers at these universities.

Campaign identifiers and command and control (C&C) URLs used in these malware samples featured the names of the universities, suggesting a targeted attack. Moreover, the C&C URL format used led the researchers to believe that at least three other Hong Kong universities may have been compromised.

Responding to a SecurityWeek inquiry, ESET researcher Mathieu Tartare revealed that the company did provide assistance to some of the affected universities in remediating the compromise.

“We helped them remediate the compromise and, from our telemetry, it looks like the threat was properly neutralized. However, some universities we did contact did not reply back with any information. Thus, we have no way to check whether they were actually compromised or not and, if that’s the case, if they still are,” Tartare said.

The new ShadowPad launcher, ESET reveals, is much simpler compared to previously analyzed malware samples used by the Winnti Group, and is likely executed via DLL side-loading.

Persistence is achieved by writing the in-memory patched parent process to disk at a specific path, using a file name similar to that of a Microsoft .NET optimization service to avoid suspicion.

The ShadowPad backdoor embeds 17 modules, including an initial shellcode, modules loader, persistence module, several communications modules, a user impersonation module, process and service handlers, keylogger, screenshot capturer, and modules for registry, file system, and command line operations.

ESET also identified a previously undocumented module, called RecentFiles and, as its name suggests, designed to provide a list of recently accessed files.

Based on the observed timestamps, the security researchers believe that the modules were compiled on October 24, several hours before the launcher itself and only a few weeks before the campaign was launched.

Once up and running on a compromised system, ShadowPad starts a hidden and suspended Microsoft Windows Media Player (wmplayer.exe) process and injects itself into it. Next, the malware contacts the C&C server using the URL specified in the configuration — both ShadowPad and Winnti malware samples discovered on machines at the targeted universities at the end of October used similar URLs.
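The two behaviours described above (a launcher masquerading as the .NET optimization service, and a hidden wmplayer.exe host process used for injection) are the kind of thing a defender can look for in process-creation telemetry. The following Python script is an added example, not code from ESET or from this article: it runs two simple heuristics over constructed, Sysmon-style process-creation events. It assumes that the genuine .NET optimization service is mscorsvw.exe living under the standard Microsoft.NET framework directories, and that a legitimate interactive wmplayer.exe launch is normally parented by explorer.exe; the sample events, paths and the lookalike pattern are all constructed for illustration.

```python
"""Heuristic detection for the ShadowPad launcher behaviour described in the article.

Two signals are checked over constructed process-creation events:
  1. A process whose image name imitates the .NET optimization service
     (assumed here to be mscorsvw.exe, the real executable name) but whose
     path is outside the Microsoft.NET framework directories.
  2. wmplayer.exe started by a parent other than the interactive shell
     (assumption: explorer.exe), which is what a hidden, suspended host
     process spawned by a malicious launcher would look like.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    cmdline: str        # command line, kept for reporting


# Standard install locations of the genuine .NET optimization service
# (assumption: default Windows layout, compared case-insensitively).
NET_DIRS = (
    "c:\\windows\\microsoft.net\\framework\\",
    "c:\\windows\\microsoft.net\\framework64\\",
)

# Constructed lookalike pattern: "mscorsvw.exe" and minor variations of it.
LOOKALIKE = re.compile(r"^mscorsvw?[a-z0-9_-]*\.exe$", re.IGNORECASE)

# Parents under which an interactive wmplayer.exe launch is expected (assumption).
EXPECTED_WMP_PARENTS = {"explorer.exe"}


def flag_lookalike_service(ev: ProcEvent):
    """Flag a .NET-optimization-service lookalike running outside the framework dirs."""
    name = ntpath.basename(ev.image)
    if not LOOKALIKE.match(name):
        return None
    if any(ev.image.lower().startswith(d) for d in NET_DIRS):
        return None  # genuine location, nothing to report
    return f"lookalike .NET optimization service outside framework dir: {ev.image}"


def flag_wmplayer_host(ev: ProcEvent):
    """Flag wmplayer.exe spawned by an unexpected parent (possible injection host)."""
    if ntpath.basename(ev.image).lower() != "wmplayer.exe":
        return None
    parent = ntpath.basename(ev.parent_image).lower()
    if parent in EXPECTED_WMP_PARENTS:
        return None
    return f"wmplayer.exe spawned by unexpected parent {parent}: {ev.parent_image}"


def scan(events):
    """Run every heuristic over every event and return the list of findings."""
    findings = []
    for ev in events:
        for check in (flag_lookalike_service, flag_wmplayer_host):
            result = check(ev)
            if result:
                findings.append(result)
    return findings


# Constructed sample telemetry: one benign service start, one benign media
# player launch, one lookalike in a writable directory, and one wmplayer.exe
# spawned by that lookalike.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe",
              r"C:\Windows\System32\services.exe", "mscorsvw.exe -StartupEvent 1"),
    ProcEvent(r"C:\Program Files\Windows Media Player\wmplayer.exe",
              r"C:\Windows\explorer.exe", "wmplayer.exe"),
    ProcEvent(r"C:\ProgramData\NetOptimizer\mscorsvw.exe",
              r"C:\Users\student\AppData\Local\Temp\update.exe", "mscorsvw.exe"),
    ProcEvent(r"C:\Program Files\Windows Media Player\wmplayer.exe",
              r"C:\ProgramData\NetOptimizer\mscorsvw.exe", "wmplayer.exe"),
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Both checks are deliberately coarse; in practice you would feed them real Sysmon Event ID 1 records and combine them with a signed-binary check on the lookalike image, since a lookalike that is also unsigned or signed by an unexpected publisher is a much stronger signal than the path alone.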

“That these samples, in addition to having been found at these universities, contain campaign IDs matching the universities’ names and use C&C URLs containing the universities’ names are good indications that this campaign is highly targeted,” ESET concludes.

Related: New Winnti Backdoor Targets Microsoft SQL

Related: Researchers Find New Backdoor Used by Winnti Hackers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
