Intel Name: State-sponsored tactics: how Gamaredon and ShadowPad operate and rotate their infrastructure
Date of Scan: April 10, 2025
Impact: High
Summary: Researchers have analyzed the infrastructure tactics of two state-sponsored groups: Gamaredon (linked to Russia) and RedFoxtrot/ShadowPad (linked to China). Gamaredon targets Ukrainian, Western, African, and NATO entities, using low-frequency DNS techniques, rapidly changing IPs, and a reusable TLS certificate shared across its .ru domains, which makes takedown difficult. Meanwhile, RedFoxtrot employs dynamic DNS services, spoofed certificates, and JA4X fingerprinting, delivering the ShadowPad backdoor via DLL side-loading, often facilitated by PowerShell and batch scripts.