FINALDRAFT and ShadowPad toolchain activity
Malware Activity
Summary
Hide ▲
Show ▼
A new FINALDRAFT malware variant and ShadowPad tooling are being used to increase stealth and exfiltration throughput inside compromised networks. The activity supports stealthy lateral movement and multi-stage deployment, raising the risk that one foothold can spread and persist. The malware chain affects Windows and Linux environments and is part of an intrusion toolkit that also uses Cobalt Strike and web shells.
Related Happenings
Backdoor.Turn Microsoft Teams TURN relay malware activity
Malware Activity
H score29
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
**Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...
Backdoor.Turn Microsoft Teams TURN relay malware activity
Malware ActivityAbout this happening: **Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...
OpenClaw outbound-mail approval gates and trust-scoped connector controls
Defensive Guidance
H score11
First: 11.06.2026 20:46
Last: 11.06.2026 20:46
Sources 1
About this happening:
OpenClaw operators are adding **outbound-mail approval gates**, **trust-scoped connector access**, and **human approval** for risky actions to reduce **agent phishing** and unauth...
OpenClaw outbound-mail approval gates and trust-scoped connector controls
Defensive GuidanceAbout this happening: OpenClaw operators are adding **outbound-mail approval gates**, **trust-scoped connector access**, and **human approval** for risky actions to reduce **agent phishing** and unauth...
Glassworm botnet command-and-control disruption
Malware Activity
H score10
First: 27.05.2026 17:00
Last: 27.05.2026 17:00
Sources 1
About this happening:
The **Glassworm** botnet had all **four command-and-control channels** disrupted, cutting operators off from infected machines and blocking new payload delivery. The infrastructur...
Glassworm botnet command-and-control disruption
Malware ActivityAbout this happening: The **Glassworm** botnet had all **four command-and-control channels** disrupted, cutting operators off from infected machines and blocking new payload delivery. The infrastructur...
RondoDox botnet expands mining and DDoS capabilities
Malware Activity
H score31
First: 16.04.2026 20:52
Last: 16.04.2026 20:52
Sources 1
About this happening:
**RondoDox botnet** now combines **cryptocurrency mining with XMRig** and **DDoS attacks**, expanding both monetization and disruption risk across exposed systems. It reaches targ...
RondoDox botnet expands mining and DDoS capabilities
Malware ActivityAbout this happening: **RondoDox botnet** now combines **cryptocurrency mining with XMRig** and **DDoS attacks**, expanding both monetization and disruption risk across exposed systems. It reaches targ...
UAT-9244 TernDoor, PeerTime, and BruteEntry malware activity
Malware Activity
H score22
First: 06.03.2026 01:19
Last: 06.03.2026 01:19
Sources 1
About this happening:
A **China-linked** malware cluster has been using **TernDoor**, **PeerTime**, and **BruteEntry** to compromise **telecommunication providers in South America** and turn infected s...
UAT-9244 TernDoor, PeerTime, and BruteEntry malware activity
Malware ActivityAbout this happening: A **China-linked** malware cluster has been using **TernDoor**, **PeerTime**, and **BruteEntry** to compromise **telecommunication providers in South America** and turn infected s...
Timeline
-
17.12.2025 13:12 2 articles · 6mo ago
FINALDRAFT variant and ShadowPad relay tooling described
Technical Analysis UpdateCheck Point described a new FINALDRAFT variant with enhanced stealth, higher exfiltration throughput, and a modular command framework that pushes encoded command documents to a victim mailbox, where the implant pulls, decrypts, and executes them. The activity also uses ShadowPad Loader and a custom ShadowPad IIS Listener to turn compromised IIS and SharePoint servers into relay infrastructure, support command proxying, and enable reconnaissance, payload staging, and lateral movement across Windows and Linux environments.
Show sources
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12