TA-ShadowCricket, formerly known as Shadow Force, is an advanced persistent threat (APT) group that has been conducting a covert cyber espionage campaign for over a decade. Exposed through a joint investigation by South Korea’s AhnLab and the National Cyber Security Center (NCSC), the group has compromised more than 2,000 systems in 72 countries since 2012. Their primary targets are government institutions and enterprise networks in the Asia-Pacific region. Unlike typical financially motivated cybercriminals, TA-ShadowCricket operates with long-term goals, favoring persistent access and data exfiltration over immediate monetary gain.
The group uses a sophisticated three-phase attack lifecycle that begins with reconnaissance.
Using tools like Upm and SqlShell to map out Active Directory and identify vulnerabilities in legacy systems. The second phase involves remote control through backdoors such as Maggie, a SQL Server Extended Stored Procedure, and Sqldoor, a legacy IRC bot. These tools are strategically chosen to evade detection by blending in with legitimate network traffic. In the final phase, the group deploys malware like CredentialStealer and Pemodifier to maintain long-term access. These tools hijack system binaries, allowing them to harvest credentials and run cryptocurrency miners while appearing benign.
TA-ShadowCricket’s infrastructure centers around an IRC server hosted on a South Korean IP address that functions as the command-and-control hub. Network analysis revealed that most administrative logins to this server originated from Chinese IP ranges, including those tied to China Unicom and China Telecom. Additionally, the group’s infection vector relies heavily on unsecured Remote Desktop Protocol (RDP) endpoints, which grant initial access before attackers move laterally through compromised networks. Encoded IRC channels separate different operational functions, allowing the group to conduct credential theft, mining, and lateral movement simultaneously without interfering with one another.
Attribution remains challenging despite clear signs of Chinese involvement. Some infrastructure elements and code snippets resemble those used by Chinese state-affiliated groups such as APT41 and BlackTech. However, the presence of cryptocurrency miners and Mandarin-language nicknames in the malware suggests hybrid motives. Analysts speculate that TA-ShadowCricket could be a state-sponsored entity disguising its operations as cybercrime or a criminal group leveraging tools once used by military contractors. Their focus on strategically sensitive targets, including Taiwanese semiconductor firms and Vietnamese maritime organizations, supports geopolitical motives, even though their techniques diverge from those typically seen in operations directly linked to China’s military.
Reference:
