FINALDRAFT and ShadowPad toolchain activity
Malware Activity
Summary
A new FINALDRAFT malware variant and ShadowPad tooling are being used to increase stealth and exfiltration throughput inside compromised networks. The activity supports stealthy lateral movement and multi-stage deployment, raising the risk that one foothold can spread and persist. The malware chain affects Windows and Linux environments and is part of an intrusion toolkit that also uses Cobalt Strike and web shells.
Related Happenings
Glassworm botnet command-and-control disruption
Malware Activity
First: 27.05.2026 17:00
Last: 27.05.2026 17:00
Sources 1
About this happening:
The **Glassworm** botnet had all **four command-and-control channels** disrupted, cutting operators off from infected machines and blocking new payload delivery. The infrastructur...
RondoDox botnet expands mining and DDoS capabilities
Malware Activity
First: 16.04.2026 20:52
Last: 16.04.2026 20:52
Sources 1
About this happening:
**RondoDox botnet** now combines **cryptocurrency mining with XMRig** and **DDoS attacks**, expanding both monetization and disruption risk across exposed systems. It reaches targ...
UAT-9244 TernDoor, PeerTime, and BruteEntry malware activity
Malware Activity
First: 06.03.2026 01:19
Last: 06.03.2026 01:19
Sources 1
About this happening:
A **China-linked** malware cluster has been using **TernDoor**, **PeerTime**, and **BruteEntry** to compromise **telecommunication providers in South America** and turn infected s...
Havoc Demon payload deployment and persistence operation
Malware Activity
First: 03.03.2026 19:15
Last: 03.03.2026 19:15
Sources 1
About this happening:
A **fake IT support** operation is deploying **Havoc Demon** payloads to preserve access across compromised endpoints and support likely **data exfiltration** or **ransomware** fo...
RESTLEAF malware stack using Zoho WorkDrive C2 and removable media
Malware Activity
First: 27.02.2026 14:43
Last: 27.02.2026 14:43
Sources 1
About this happening:
A **ScarCruft** malware stack built around **RESTLEAF** uses **Zoho WorkDrive** for C2 and **removable media** to reach **air-gapped systems**, expanding surveillance and exfiltra...
Latest development: 27.02.2026 21:21
APT37's Ruby Jumper campaign uses a malicious Windows shortcut file (LNK) and PowerShell to load RESTLEAF, then adds a Ruby-based loader, SNAKEDROPPER, plus THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT to move data between internet-connected and air-gapped systems. The tooling relies on Zoho WorkDrive C2, installs a disguised Ruby 3.3.0 runtime as usbspeed.exe, modifies RubyGems operating_system.rb, and weaponizes removable drives to relay commands, stage files, exfiltrate data, and spread to new air-gapped machines.
Timeline
- 17.12.2025 13:12 · 2 articles · 5mo ago
FINALDRAFT variant and ShadowPad relay tooling described
Technical Analysis Update: Check Point described a new FINALDRAFT variant with enhanced stealth, higher exfiltration throughput, and a modular command framework that pushes encoded command documents to a victim mailbox, where the implant pulls, decrypts, and executes them. The activity also uses ShadowPad Loader and a custom ShadowPad IIS Listener to turn compromised IIS and SharePoint servers into relay infrastructure, support command proxying, and enable reconnaissance, payload staging, and lateral movement across Windows and Linux environments.
Sources
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12