Full Report
2025-02-18 • Orange Cyberdefense • Alexis Bonnefoi, Marine PICHON • win.nailao_locker, win.plugx, win.shadowpad
Analysis Summary
# Threat Actor: Nailao Campaign (Associated with NailaoLocker, ShadowPad)
## Attribution & Identity
The provided context does not explicitly name the responsible threat actor or attribute the campaign to a specific APT group. The summary focuses on the activity designated as the "Nailao campaign."
## Activity Summary
The primary activity described is the **Nailao campaign**, which utilizes the malware NailaoLocker and ShadowPad.
## Tactics, Techniques, & Procedures
Based on the listed malware families associated with the campaign:
- Use of **NailaoLocker** (likely ransomware or custom malware).
- Use of **ShadowPad** (a known backdoor).
- Use of **PlugX** (a known remote access tool/loader).
*(Note: Granular TTPs, such as specific MITRE ATT&CK techniques, were not detailed in the provided input beyond the malware associations.)*
## Targeting
- Sectors: Not specified in the current context.
- Geography: Not specified in the current context.
- Victims: Not specified in the current context.
## Tools & Infrastructure
- Malware families used:
  - NailaoLocker
  - ShadowPad
  - PlugX
- Infrastructure: No specific C2 infrastructure (URLs, IPs) was provided in the input.
## Implications
The use of established tools like ShadowPad and PlugX alongside custom or new malware (NailaoLocker) suggests a sophisticated adversary capable of deploying multi-stage attacks, potentially involving initial access, persistence, and data exfiltration/encryption.
## Mitigations
- Focus defenses on detecting and blocking the known malware families: NailaoLocker, ShadowPad, and PlugX.
- Review network telemetry for command-and-control communications associated with these malware families.