LABScon Replay | Chasing Shadows | The Rise of a Prolific Espionage Actor

In an engaging exploration at LABSCon, Kris McConkey unveils the evolution and significance of a cyber espionage actor, dubbed as a “superpower” in the digital espionage arena. This actor, initially engaged in phishing campaigns, has matured into one of the most technically sophisticated and deeply entrenched entities in cyber espionage.


Tracing back over a decade, public and private intelligence reports have consistently highlighted the actor’s growing sophistication. From early stages marked by widespread malware distribution, such as PlugX and ShadowPad, to a more controlled dissemination of advanced tools like Crosswalk and Sidewalk, the actor has demonstrated a strategic tightening of their operational framework.

Technical Sophistication

The actor’s technical prowess is evident through the use of ShadowPad, a tool first emerged around 2015, with SentinelOne offering a comprehensive analysis on its evolution. Notably, ShadowPad has been adopted by at least 13 distinct threat actors, showcasing its wide influence. Introducing ScatterBee loader in 2020 marked a significant technical leap, showcasing advanced obfuscation techniques that complicate malware analysis efforts.

Operational Tactics

The presentation delves into the operational intricacies of the espionage actor, including their unique approach to malware loading and execution. A notable shift was observed in August 2022, with the discovery of a new ShadowPad variant that employed a novel execution mechanism, further emphasizing the actor’s ongoing innovation and adaptation.

Global Reach and Sector Focus

The actor’s operational scope is global, impacting over 35 countries across various sectors. This widespread engagement underscores the actor’s strategic intent and capability to infiltrate various targets, from governmental bodies to the telecommunications sector. Their focus extends to high-value targets, leveraging tailored malware like FunnySwitch and Spider for specific operations.

Infrastructure and Techniques

An in-depth analysis of the actor’s infrastructure reveals a multi-layered approach, involving relay networks and virtual private servers to obfuscate their activities. This infrastructure supports various capabilities, from direct victim access to sophisticated tunneling techniques, enabling the actor to maintain a persistent threat landscape.

Insights Based on Numbers

  • The actor has evolved over ten years, highlighting their long-term presence and impact.ShadowPad has been utilized by 13 distinct threat actors, indicating its widespread adoption.
  • The espionage network has targeted over 35 countries, demonstrating its global reach.

In conclusion, the rise of this espionage actor from modest beginnings to becoming a formidable force in cyber espionage illustrates a significant shift in the cyber threat landscape. Their ability to innovate, adapt, and execute sophisticated cyber operations underscores the need for advanced defensive strategies and international cooperation to counteract their pervasive influence.

Watch the full presentation:

About the Presenter

Kris leads PwC’s Global Cyber Threat Intelligence practice, which tracks a wide variety of targeted threat actors operating from more than 25 countries.

Kris also leads the EMEA Cyber Threat Operations practice – a front line technical services group responsible for a portfolio of defensive and offensive cyber security services to help clients detect and respond to cyber security threats and incidents. He has spent the past 17 years at PwC delivering cyber incident response, threat hunting and threat research services to global clients.

About LABScon 2023

This presentation was featured live at LABScon, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLabs.