Joint Analysis by AhnLab and NCSC on TA-ShadowCricket: Emerging Malware Trends and IRC Server Tracking

AhnLab and the National Cyber Security Center (NCSC) have released a report that details the activities of the TA-ShadowCricket group from 2023 to the present.
Full Report: (APT Group Tracking Report) TA-ShadowCricket_2025.05.23.pdf
Since November 2024, AhnLab has been working with the NCSC to analyze the malicious IRC server and its related malware. The previously unidentified threat actor was first classified as Larva-24013, its activities were traced, and its association with the Shadow Force group was confirmed. AhnLab manages malicious activities in four stages through its “Threat Actor Naming and Taxonomy,” which classifies threat actors as “Larva” (unidentified threat actors) or “Arthropod” (identified threat actors). Following this taxonomy and naming convention, the threat actor has been identified and named TA-ShadowCricket.
TA-ShadowCricket group
TA-ShadowCricket is a threat group formerly known as Shadow Force, and is believed to be associated with China.
The threat actor has been active in the Asia-Pacific region, including South Korea, since 2012. They mainly targeted externally exposed Windows servers’ remote access feature or poorly managed Microsoft SQL (MS-SQL) servers to install IRC bots or backdoors.

Some of the TA-ShadowCricket malware and tools include keywords that appear to be related to the threat actor, such as ‘Melody’, ‘Syrinx’, and ‘WinEggDrop’.
Analyzing IRC Server
As of now, the threat group continues to operate an IRC server under the same domain name, and a Korean IP address is currently associated with this domain. AhnLab and the NCSC obtained the system on which the IRC server was installed and used as a C&C server. Analysis of this system identified over 2,000 affected IPs in 72 countries worldwide.
It was confirmed that TA-ShadowCricket operated IRC botnet devices; the affected IPs by region are as follows: 895 in China, 457 in Korea, 98 in India, 94 in Vietnam, 44 in Taiwan, 38 in Germany, 37 in Indonesia, 31 in Thailand, and 25 in the United States.

The attacker accessed and controlled the victim systems via RDP from July 2020 to February 2025. Some of the connections were initiated from IPs located in China.
Malware & Tools Used by TA-ShadowCricket
During the 10-year period of activity, various malware and tools used by TA-ShadowCricket have been identified. While some malware and attack tools have evolved significantly over time, others have remained in active use.
The malware and tools used by the TA-ShadowCricket group after breaching a system can be categorized by the stage in which they are used. The process of installing and operating malware after a breach can be broadly divided into three stages.
Stage 1 covers downloading and installing malware, using downloaders and command execution tools. Stage 2 usually involves deploying backdoors, and Stage 3 involves installing malware for additional malicious behaviors.

The following malware and tools have been in use by TA-ShadowCricket since 2023.
| Phase | Type | Time | Name | Main Features |
|---|---|---|---|---|
| Stage 1 | Reconnaissance and Additional Malware Installation | 2023- | Upm | Privilege Escalation, System Information Collection, and Additional Malware Download and Installation |
| Stage 1 | Reconnaissance and Additional Malware Installation | 2023- | SqlShell | Privilege Escalation, System Information Collection, and Additional Malware Download and Installation |
| Stage 1 | Downloader | 2024 | Downloader | Download Backdoor from FTP |
| Stage 1 | File Patch | 2014- | Pemodifier | Patch for Normal Execution File for Persistence |
| Stage 2 | Backdoor | 2021- | Maggie | Remote Command Execution |
| Stage 2 | Backdoor | 2012- | Wgdrop | IRC Bot, Remote Command Execution |
| Stage 2 | Backdoor | 2019-2024 | Sqldoor | Execute Remote Command |
| Stage 3 | Data Collection | 2023- | CredentialStealer | Credential Theft |
| Stage 3 | Hooking | 2024- | Detofin | Using Detour to hook specific APIs |
| Stage 3 | CoinMiner | 2021- | Miner | Coin Mining |
| Stage 3 | Scanner | 2023- | MaggieScan | Scanner for finding vulnerable MS-SQL servers |
| Stage 3 | Account | 2021- | ShadUser | Account Management and Data Collection |
| Stage 3 | Tool | 2024 | AddPath | Add Windows Defender Exclusion Path |
| Stage 3 | Network | 2021- | Fport/Mport | Port Mapping |
The threat actor uses Pemodifier, a tool that patches Windows executable files, to modify executables required for system operation so that they load a malicious DLL file. The tool is named iat.exe or iatinfect.exe.
The Shadowforce malware, which has been used as a backdoor since 2021, has gradually been replaced by the Maggie malware; however, the malware continues to use the file name ntuser.dat. A separate tool with other features, such as adding user accounts and changing RDP settings, uses the file name re.0001.
While many backdoors connect to designated C&C servers to receive commands, the backdoors used by the TA-ShadowCricket group have no fixed C&C servers.
The Shadowforce malware activates its backdoor by installing the WinPcap packet capture library and waiting for network packets that carry a specific trigger pattern (a magic sequence). The Maggie malware is written as an Extended Stored Procedure (ESP), a mechanism supported by MS SQL Server, and can therefore be controlled through SQL queries.
In some of the affected systems, the installation of keyloggers, credential stealers, and cryptocurrency miners was also confirmed.
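As an added example (not code from the AhnLab/NCSC report), the following PowerShell triage script checks a Windows/MS-SQL host for the traces described above: Windows Defender exclusion paths (AddPath), extended stored procedures not shipped by Microsoft (Maggie), the reused file names, and the WinPcap driver (Shadowforce). The SQL instance name, search roots and output format are assumptions.

```powershell
# Added triage script; not from the AhnLab/NCSC report. Review every finding manually:
# legitimate software can produce some of them (e.g. Wireshark also installs WinPcap/Npcap).
param(
    [string]$SqlInstance = 'localhost',   # assumption: default MS-SQL instance on this host
    [string[]]$SearchRoots = @('C:\Windows', 'C:\ProgramData', 'C:\Users\Public')  # assumption
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Value) {
    $findings.Add([pscustomobject]@{ Check = $Check; Value = $Value })
}

# 1. Windows Defender exclusion paths: the AddPath tool adds entries here.
$pref = Get-MpPreference -ErrorAction SilentlyContinue
foreach ($p in @($pref.ExclusionPath)) { if ($p) { Add-Finding 'DefenderExclusionPath' $p } }

# 2. Extended stored procedures not shipped by Microsoft: Maggie is implemented as an ESP
#    in the master database. Requires the SqlServer module (Invoke-Sqlcmd) and sysadmin rights.
try {
    $esp = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database master -ErrorAction Stop -Query `
        "SELECT name, dll_name FROM sys.extended_procedures WHERE is_ms_shipped = 0"
    foreach ($row in $esp) { Add-Finding 'NonMicrosoftESP' ("{0} -> {1}" -f $row.name, $row.dll_name) }
} catch { Add-Finding 'NonMicrosoftESP' "query failed: $($_.Exception.Message)" }

# 3. File names reused across the campaign. ntuser.dat is expected only as the per-user
#    registry hive directly under a profile folder (C:\Users\<name>\ntuser.dat).
$names = 'iat.exe', 'iatinfect.exe', 're.0001', 'ntuser.dat'
Get-ChildItem -Path $SearchRoots -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $names -contains $_.Name.ToLower() } |
    Where-Object { -not ($_.Name -ieq 'ntuser.dat' -and $_.Directory.Parent.Name -ieq 'Users') } |
    ForEach-Object { Add-Finding 'SuspiciousFileName' $_.FullName }

# 4. WinPcap driver service and libraries: Shadowforce installs WinPcap to watch for its magic sequence.
if (Get-Service -Name npf -ErrorAction SilentlyContinue) { Add-Finding 'WinPcapDriverService' 'npf' }
foreach ($f in "$env:SystemRoot\System32\drivers\npf.sys",
               "$env:SystemRoot\System32\wpcap.dll",
               "$env:SystemRoot\System32\Packet.dll") {
    if (Test-Path $f) { Add-Finding 'WinPcapFile' $f }
}

$findings | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the suspected host; an empty table means none of these traces were found, not that the host is clean.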
Conclusion
For over 10 years, the TA-ShadowForce group has been active in the Asia region, with Korea as its base. The threat actor has maintained the same attack pattern throughout, for example by continuously using malware and tools with the same file names.
However, due to limited coverage by security companies and organizations, detailed information about this threat group remains scarce.
Unlike other threat actors, the TA-ShadowCricket group has been active for over 13 years, quietly stealing information without demanding money or releasing the stolen information on the dark web after a breach.
TA-ShadowCricket continues to manage its C2 servers and maintain control over thousands of compromised systems. This sustained activity suggests the group is securing a foundation for future operations, such as launching large-scale DDoS attacks.
Given the tools used, the malware creators, the regions primarily affected, and the fact that the C2 server is accessed from a Chinese IP address, there are indications of a possible link to China. However, the presence of a nickname embedded in the malware and the deployment of CoinMiners raise questions about whether this is truly a state-sponsored APT group.
The joint analysis has confirmed that the TA-ShadowCricket group is still managing the systems it has breached using IRC bots.
Through the analysis of the IRC server, it was identified that more than 2,000 bots are being operated. To prevent further spread of damage, it is essential to block access to the IRC server and promptly detect, neutralize, and remove the associated malware strains.