RST TI Report Digest: 24 Feb 2025
ID: 36739c71-9507-5eb6-a424-cd766e755627
STIX ID: report--36739c71-9507-5eb6-a424-cd766e755627
Feed Name: RST Cloud Blog
Shadowpad—historically used for espionage by APT41—has been updated to deliver a previously unseen ransomware strain. Attackers gained remote access to 21 companies by exploiting weak administrative credentials and bypassing multi-factor authentication, then installed Shadowpad to enable data theft, keylogging, and deployment of ransomware that encrypts files with AES/RSA, using evasive techniques such as DNS over HTTPS. The report includes extensive indicators of compromise (an IP address, multiple malicious domains, and numerous SHA-256 hashes) and links the activity to intelligence-gathering objectives, particularly the theft of manufacturing intellectual property.
