A sophisticated hacker group, identified as TA-ShadowCricket, has been conducting cyber espionage across government and enterprise networks in the Asia-Pacific region for over a decade. Linked to China, the group is known for its stealthy and persistent operations that focus on intelligence gathering rather than financial gain.
First detected in 2012 under names like Shadow Force and Larva-24013, TA-ShadowCricket has quietly infiltrated critical infrastructure, avoiding detection while maintaining long-term access to targeted systems.
Unlike typical ransomware gangs, the group does not demand ransoms or release stolen data. Instead, it focuses on surveillance and maintaining control inside networks for extended periods.
Attack Methods and Infrastructure
TA-ShadowCricket uses Remote Desktop Protocol (RDP) exploits and abuses SQL credentials to gain access to target networks. Its command-and-control (C2) infrastructure operates through an IRC server hosted on a Korean IP address. This server reportedly manages over 2,000 compromised systems in 72 countries.
Major clusters of infected systems are found in China (895 systems), South Korea (457), and India (98), suggesting the group’s actions are tied to geopolitical interests.
Security analysts at SecurityOnline have traced many control sessions back to Chinese IP addresses. AhnLab researchers, working with South Korea’s National Cyber Security Center, confirmed the group’s links to earlier Shadow Force activity through malware analysis and infrastructure comparison.
Strategic Goals and Behavior
Experts believe the group may be involved in state-sponsored intelligence work or preparing for future disruptive campaigns, including potential distributed denial-of-service (DDoS) attacks. The group's quiet approach has made detection difficult, and researchers note that it has avoided public exposure or ransom demands for over 13 years.
Three-Stage Infection Process
TA-ShadowCricket’s attack model includes three key stages designed to ensure persistence and control:
Initial Reconnaissance: Tools like Upm and SqlShell are used for privilege escalation and system scanning. These are followed by downloaders that prepare the system for deeper access.
Remote Access Deployment: The group uses backdoors such as Maggie and Sqldoor. Maggie, in particular, is inserted as an Extended Stored Procedure (ESP) on Microsoft SQL Servers, allowing hidden remote control through normal SQL queries.
Persistence and Monetization: The final stage includes tools for stealing credentials, malware like Detofin for API hooking, and even cryptocurrency miners, which help fund operations and ensure continued system access.
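The Maggie stage above relies on Microsoft SQL Server's extended stored procedure (ESP) mechanism: an ESP is a DLL registered in the master database so that it can be invoked with an ordinary EXEC call, which is what lets a backdoor hide behind normal SQL traffic. The following T-SQL hunting queries are an added example written for this article; they are not part of the article, of AhnLab's analysis, or of any tool named here. They rely only on documented catalog and dynamic management views (sys.extended_procedures, sys.objects, sys.dm_os_loaded_modules) and assume the account running them holds VIEW SERVER STATE and can read master. The "assessment" labels are a heuristic: Microsoft's own ESPs carry is_ms_shipped = 1 and are registered by bare DLL name, whereas an ESP added later typically carries is_ms_shipped = 0 and a full path.

```sql
USE master;

-- 1. Every extended stored procedure registered on this instance and the DLL it maps to.
--    Review anything not shipped by Microsoft or registered by an explicit path.
SELECT  o.name          AS procedure_name,
        ep.dll_name,
        o.is_ms_shipped,
        o.create_date,
        o.modify_date,
        CASE
            WHEN o.is_ms_shipped = 0                             THEN 'REVIEW: not shipped by Microsoft'
            WHEN ep.dll_name LIKE N'%\%' OR ep.dll_name LIKE N'%/%' THEN 'REVIEW: DLL referenced by path'
            ELSE 'expected'
        END             AS assessment
FROM sys.extended_procedures AS ep
JOIN sys.objects             AS o ON o.object_id = ep.object_id
ORDER BY o.is_ms_shipped ASC, o.create_date DESC;

-- 2. Modules the database engine has actually loaded that do not identify as Microsoft's.
--    A registered ESP only appears here once it has been called, so a hit in query 1
--    that also shows up here indicates the implant has been exercised.
SELECT  name,
        company,
        description,
        file_version
FROM sys.dm_os_loaded_modules
WHERE company IS NULL OR company NOT LIKE N'Microsoft%'
ORDER BY name;
```

Query 2 is noisy on a healthy server (ODBC drivers, endpoint-protection hooks and other third-party DLLs land in the same list), so compare its output against a baseline taken from a known-good instance rather than treating every row as suspect. A confirmed rogue ESP should be handled as an incident, not just dropped: the DLL on disk, the SQL login that registered it, and the RDP and SQL credential exposure described earlier in the article are the evidence that determines how far the intrusion reaches.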