Chinese-Linked Attackers Exploit Check Point Flaw to Deploy ShadowPad and Ransomware

Feb 20, 2025Ravie LakshmananRansomware / Vulnerability

A previously unknown threat activity cluster targeted European organizations, particularly those in the healthcare sector, to deploy PlugX and its successor, ShadowPad, with the intrusions ultimately leading to deployment of a ransomware called NailaoLocker in some cases.

The campaign, codenamed Green Nailao by Orange Cyberdefense CERT, involved the exploitation of a new-patched security flaw in Check Point network gateway security products (CVE-2024-24919, CVSS score: 7.5). The attacks were observed between June and October 2024.

“The campaign relied on DLL search-order hijacking to deploy ShadowPad and PlugX – two implants often associated with China-nexus targeted intrusions,” the company said in a technical report shared with The Hacker News.

The initial access afforded by exploitation of vulnerable Check Point instances is said to have allowed the threat actors to retrieve user credentials and to connect to the VPN using a legitimate account.

In the next stage, the attackers carried out network reconnaissance and lateral movement via remote desktop protocol (RDP) to obtain elevated privileges, followed by executing a legitimate binary (“logger.exe”) to sideload a rogue DLL (“logexts.dll”) that then serves as a loader for a new version of the ShadowPad malware.

Previous iterations of the attacks detected in August 2024 have been found to leverage similar tradecraft to deliver PlugX, which also employs DLL side-loading using a McAfee executable (“mcoemcpy.exe”) to sideload “McUtil.dll.”

Like PlugX, ShadowPad is a privately sold malware that’s exclusively used by Chinese espionage actors since at least 2015. The variant identified by Orange Cyberdefense CERT features sophisticated obfuscation and anti-debug measures, alongside establishing communication with a remote server to create persistent remote access to victim systems.

There is evidence to suggest that the threat actors attempted to exfiltrate data by accessing the file system and creating ZIP archives. The intrusions culminate with the use of Windows Management Instrumentation (WMI) to transmit three files, a legitimate executable signed by Beijing Huorong Network Technology Co., Ltd (“usysdiag.exe”), a loader named NailaoLoader (“sensapi.dll”), and NailaoLocker (“usysdiag.exe.dat”).

Once again, the DLL file is sideloaded via “usysdiag.exe” to decrypt and trigger the execution of NailaoLocker, a C++-based ransomware that encrypts files, appends them with a “.locked” extension, and drops a ransom note that demands victims to make a bitcoin payment or contact them at a Proton Mail address.

“NailaoLocker is relatively unsophisticated and poorly designed, seemingly not intended to guarantee full encryption,” researchers Marine Pichon and Alexis Bonnefoi said.

“It does not scan network shares, it does not stop services or processes that could prevent the encryption of certain important files, [and] it does not control if it is being debugged.”

Orange has attributed the activity with medium confidence to a Chinese-aligned threat actor owing to the use of the ShadowPad implant, the use of DLL side-loading techniques, and the fact that similar ransomware schemes have been attributed to another Chinese threat group dubbed Bronze Starlight.

What’s more, the use of “usysdiag.exe” to sideload next-stage payloads has been previously observed in attacks mounted by a China-linked intrusion set tracked by Sophos under the name Cluster Alpha (aka STAC1248).

While the exact goals of the espionage-cum-ransomware campaign are unclear, it’s suspected that the threat actors are looking to earn quick profits on the side.

“This could help explain the sophistication contrast between ShadowPad and NailaoLocker, with NailaoLocker sometimes even attempting to mimic ShadowPad’s loading techniques,” the researchers said. “While such campaigns can sometimes be conducted opportunistically, they often allow threat groups to gain access to information systems that can be used later to conduct other offensive operations.”

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!