TA-ShadowCricket: Emerging Malware Trends and IRC Server Tracking

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

The TA-ShadowCricket group, formerly known as Shadow Force, has been active in the Asia-Pacific region since 2012, targeting Windows servers and MS-SQL servers. They operate an IRC server with over 2,000 affected IPs in 72 countries. The group uses various malware and tools, including Upm, SqlShell, Maggie, and Wgdrop. Their activities involve three stages: initial access and reconnaissance, backdoor deployment, and additional malicious behaviors. The group has connections to China and has been quietly stealing information for over 13 years without demanding ransom or releasing stolen data. Their persistent activity suggests preparation for potential large-scale attacks in the future.

OPENCTI LABELS:

china, apt, malware, ms-sql, botnet, miner, irc, sqlshell, windows servers, credentialstealer, maggiescan, detofin, upm, pemodifier, sqldoor, maggie, wgdrop, shaduser, asia-pacific
