What is ShadowPad IIS Listener?

ShadowPad IIS Listener is a custom module that extends the ShadowPad backdoor, developed and deployed by the Chinese state-aligned threat actor known as Ink Dragon (also tracked as Earth Alux or REF7707).

The module targets Microsoft Internet Information Services (IIS) web servers and turns compromised hosts into command-and-control (C2) relay nodes in a distributed network. By hiding its traffic inside the server's legitimate web traffic, it lets the attackers route C2 communications through victim infrastructure, which makes the relay network harder to take down, obscures the attackers' true origin, and lets attacks on unrelated networks be launched from a trusted-looking source for espionage and follow-on operations.

How It Works

The module operates by embedding itself into the IIS environment without disrupting normal operations, blending covert channels with standard HTTP traffic for evasion. Key mechanisms include:

•  Dynamic URL Registration: The module calls the Windows HttpAddUrl API to register URL prefixes with the HTTP Server API (http.sys), the same kernel-mode listener IIS itself uses. Requests matching a registered prefix are delivered to the module on the ports IIS already serves, so no new listening port or socket appears for a defender to notice, and the prefixes can be changed at runtime rather than being hard-coded.

•  Traffic Handling and Decryption: Incoming requests are inspected. Those that follow the malware's proprietary protocol are decrypted and processed as commands; the initial packet is decrypted with a custom routine that derives an XOR keystream from a linear congruential generator. Requests that do not match are passed through to the IIS worker process unchanged, so the site keeps working and nothing changes for ordinary users.

•  Relay Functionality: The module keeps separate lists of upstream servers and downstream clients and pairs them automatically, bridging data between the two sides. The result is a mesh in which one victim's server relays traffic for operations against others.

•  Stealth and Logging: Granular debug logging (useful to the operators when something breaks) and coexistence with the applications already hosted on the server are meant to keep the implant running long-term without a noticeable performance drop or an obvious sign of compromise.

This architecture makes the relay network highly adaptable and difficult to dismantle, as disabling one node doesn’t isolate the entire operation.

Use in Attacks

Ink Dragon deploys the ShadowPad IIS Listener in targeted campaigns against government, telecom, and critical infrastructure sectors in Europe, Asia, and Africa. The infection chain typically starts with initial remote code execution (RCE) gained through unpatched vulnerabilities or weak configuration:

•  ASP.NET ViewState Deserialization: If the attacker knows the server's ASP.NET machine keys, they can craft a __VIEWSTATE value that passes the server's integrity check and, when deserialized, executes attacker-supplied code.

•  SharePoint Vulnerabilities (e.g., the ToolShell exploit chain): Remote code execution on on-premises SharePoint servers, giving the attacker a foothold on the collaboration platform.

•  Leaked Machine Keys or Weakly Protected Endpoints: Leaked or publicly posted machineKey values are what make the ViewState attack practical, and exposed, poorly protected IIS endpoints give the attacker a place to use them.

After initial access, the module is deployed to repurpose the server as a C2 relay that supports data exfiltration, pivoting into the victim's network, and proxying attacks on new targets. Turning a victim's own servers against it maximizes the value of each breach; activity has been reported as recently as December 2025. Public reports do not include file hashes or other specific indicators of compromise (IOCs), so detection rests on behaviour: unexpected native or managed modules registered in IIS, URL prefixes registered with http.sys by a process other than the IIS worker, and HTTP traffic whose timing, sizes or paths do not fit the site's normal profile.
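A hunting script for the two behaviours the page points at, the HttpAddUrl-style URL registration described under How It Works and the unauthorized-module check recommended above. It is an added example, not code from the original post or from any vendor report. It assumes a Windows IIS host with the WebAdministration PowerShell module, parses the request-queue view of netsh http show servicestate to pair each registered URL prefix with the process IDs attached to its queue, and flags prefixes owned by anything outside an expected-owner list. The function names, the expected-owner list, the sample netsh output and the process IDs and /api/v2/ prefix inside it are all constructed for the example; the list is a starting point to tune for your environment, not a verdict.

```powershell
# Added example, not code from the original post or from any vendor report.
# Assumptions: Windows IIS host, elevated session for the live checks, WebAdministration
# module installed. The sample netsh output at the bottom is constructed for the demo.

# Processes that legitimately own http.sys URL prefixes on a typical IIS host.
# svchost.exe covers WinRM/WSMAN and similar system listeners; tune for your estate.
$ExpectedOwners = @('w3wp.exe', 'svchost.exe')

function Get-HttpSysRegistrations {
    # Parses 'netsh http show servicestate view=requestq' into (Pid, Url) pairs.
    # Keys only on the 'Process IDs:' and 'Registered URLs:' blocks, so minor layout
    # differences between Windows versions do not matter. Pass -Text to parse saved output.
    param([string[]]$Text)

    if (-not $Text) { $Text = netsh http show servicestate view=requestq }

    $results     = New-Object System.Collections.Generic.List[object]
    $currentPids = @()
    $mode        = $null

    foreach ($line in $Text) {
        $t = $line.Trim()
        if ($t -match '^Process IDs:')     { $currentPids = @(); $mode = 'pids'; continue }
        if ($t -match '^Registered URLs:') { $mode = 'urls'; continue }

        switch ($mode) {
            'pids' {
                if ($t -match '^\d+$') { $currentPids += [int]$t } else { $mode = $null }
            }
            'urls' {
                if ($t -match '^https?://') {
                    # A queue with no attached process is still reported (Pid = $null).
                    $owners = if ($currentPids.Count) { $currentPids } else { @($null) }
                    foreach ($p in $owners) {
                        $results.Add([pscustomobject]@{ Pid = $p; Url = $t })
                    }
                } else { $mode = $null }
            }
        }
    }
    return $results
}

function Find-UnexpectedHttpOwners {
    # Resolves each registration's PID to an image name and flags owners that are not
    # in the expected list. Prefixes with no resolvable owner are flagged as 'unknown'.
    param([string[]]$Text, [string[]]$Expected = $ExpectedOwners)

    $image = @{}
    Get-Process | ForEach-Object { $image[$_.Id] = "$($_.ProcessName).exe" }

    Get-HttpSysRegistrations -Text $Text | ForEach-Object {
        $owner = if ($null -ne $_.Pid -and $image.ContainsKey($_.Pid)) { $image[$_.Pid] } else { 'unknown' }
        [pscustomobject]@{
            Pid        = $_.Pid
            Owner      = $owner
            Url        = $_.Url
            Suspicious = ($Expected -notcontains $owner)
        }
    }
}

function Get-IisNativeModules {
    # Native (global) modules are DLLs loaded into every w3wp.exe. Diff this list against
    # a known-good baseline: a name or image path you did not deploy is the
    # 'unauthorized IIS module registration' to investigate.
    Import-Module WebAdministration -ErrorAction Stop
    Get-WebGlobalModule | Select-Object Name, Image
}

# Constructed sample (not output from any real host) of the lines the parser keys on.
# PID 4188 stands in for w3wp.exe; PID 6120 is a second process that has claimed a more
# specific prefix on the same port, which is what a listener registered through
# HttpAddUrl looks like to http.sys: no new port, just another owner for part of the URL space.
$sample = @'
Request queues:
    Request queue name: Request queue is unnamed.
        Process IDs:
            4188
        URL groups:
            Registered URLs:
                HTTP://*:80/
    Request queue name: Request queue is unnamed.
        Process IDs:
            6120
        URL groups:
            Registered URLs:
                HTTP://*:80/api/v2/
'@ -split "`r?`n"

# Offline demo: prints two rows, 4188 -> HTTP://*:80/ and 6120 -> HTTP://*:80/api/v2/
Get-HttpSysRegistrations -Text $sample | Format-Table -AutoSize

# Live checks (run elevated on the IIS host):
Find-UnexpectedHttpOwners | Where-Object Suspicious | Format-Table -AutoSize
Get-IisNativeModules | Format-Table -AutoSize
```

On a live host, compare the owner of every flagged prefix with what you expect to be serving that port; a process other than w3wp.exe holding a prefix beneath the site's own registration is exactly the shape the page describes, and the Image path from Get-WebGlobalModule is what to check against your deployment records and hash in for further analysis.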
