Shadow Force Group’s Viticdoor and CoinMiner

The Shadow Force group is a threat group that has been active since 2013, targeting corporations and organizations in South Korea. Trend Micro revealed the first analysis report in September 2015, where it stated that a Korean media-related company had been attacked. In March 2020, AhnLab published an analysis report on Operation Shadow Force. It was introduced as a single campaign as there was the possibility of it being the activities of an existing threat group. However, no relevant threat group information has been found for over three years since the release of the analysis report, and it thus seems to be a group active in Korea. In July 2022, KRCert published the details of their analysis of the Shadow Force group’s additional breach through their report “Analysis of Lateral Movement Strategies Using TTPs#7 SMB Admin Share”. In October 2022, AhnLab announced that the PE-modifying iatinfect.exe file is continuously being detected.

This report covers the changes made to existing malware and new malware discovered through tracking recent activities of the Shadow Force group. There are continued reports of file modification using Iatinfect.exe, while the usage rate of the backdoor used in the past has decreased. Instead, there have been cases where other backdoors such as Viticdoor were used, and since December 2021, cryptocurrency miners were being installed alongside them. The threat actor has been using the same file name and similar malware and tools since 2014, making it easier to identify them.


ATIP_2023_Shadow Force Group’s Viticdoor and CoinMiner


AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.

0 0 votes
Article Rating
Notify of

Inline Feedbacks
View all comments

[…] post Shadow Force Group’s Viticdoor and CoinMiner appeared first on ASEC […]


[…] CLRSQL SqlShell implemented with PingCastle is also used during the ShadowForce threat group’s attack processes. ShadowForce is a threat group that has been active since 2013. They are known for their attacks focused on Korean businesses and agencies. Their tendency to mainly attack MS-SQL servers is one of their defining characteristics. [5] […]


[…] PingCastle が一緒に実装された CLRSQL SqlShell は、ShadowForce の攻撃プロセスでも使用される。ShadowForce 攻撃グループは2013年から確認されている攻撃グループであり、主に韓国の企業と機関を攻撃してきたことが分かっている。特徴としては、主に MS-SQL サーバーを攻撃対象にするという点がある。[5] [6] […]