Bedrock Safeguard Threat Intelligence Report — February 2026
During routine threat hunting operations, Bedrock Safeguard identified command-and-control (C2) infrastructure consistent with the ShadowPad malware framework operating from a major Canadian cloud provider in Ontario. ShadowPad is a modular backdoor platform historically attributed to Chinese state-sponsored threat groups, primarily APT41 (also known as Winnti, Barium, and Wicked Panda).
This discovery represents a significant finding: state-sponsored offensive cyber infrastructure operating directly from Canadian soil, targeting organizations both domestically and internationally. Full technical details have been submitted to the appropriate Canadian authorities.
Specific indicators of compromise (IP addresses, file hashes, certificate details, and JARM fingerprints) are withheld from this public summary to protect the integrity of the ongoing investigation and law enforcement proceedings.
| Technique ID | Technique | Usage |
|---|---|---|
| T1574.002 | DLL Side-Loading | Legitimate signed executable loads malicious DLL |
| T1027 | Obfuscated Files or Information | Multi-layer encrypted payload with high entropy |
| T1497 | Virtualization/Sandbox Evasion | Detects analysis environments and halts execution |
| T1106 | Native API | Dynamic API resolution via GetProcAddress |
| T1071.001 | Application Layer Protocol: Web Protocols | C2 communication over TLS-encrypted custom protocol |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Persistence via startup directory |
| T1105 | Ingress Tool Transfer | Downloads payload archive from staging infrastructure |
| T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell used for download and execution chain |
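The T1027 row above flags a multi-layer encrypted payload by its high entropy. The following is an added example from this editor, not Bedrock Safeguard code or a signature from the report: it computes Shannon entropy per fixed-size chunk so that an encrypted blob embedded inside an otherwise low-entropy file stands out, and it runs against a constructed sample rather than any real ShadowPad artifact. The 1024-byte chunk size and 7.0 bits/byte threshold are tuning assumptions.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, chunk: int = 1024, threshold: float = 7.0):
    """Slide over the data in fixed chunks and return (offset, entropy) for each
    chunk at or above the threshold. Encrypted or compressed payloads sit near 8.0;
    code, text and most headers sit well below 7.0 (threshold is an assumption)."""
    hits = []
    for off in range(0, len(data), chunk):
        h = shannon_entropy(data[off:off + chunk])
        if h >= threshold:
            hits.append((off, round(h, 2)))
    return hits


def scan_file(path: str, **kw):
    """Convenience wrapper: run the chunked entropy check over a file on disk."""
    with open(path, "rb") as f:
        return high_entropy_regions(f.read(), **kw)


# Constructed sample (not a real malware artifact): a low-entropy "host" file
# with a 2 KiB pseudo-random blob embedded at offset 2048, standing in for an
# encrypted payload carried inside a benign-looking file.
_host = (b"benign configuration text, repeated to fill the file. " * 200)[:8192]
_blob = random.Random(7).randbytes(2048)  # seeded so the result is reproducible
SAMPLE = _host[:2048] + _blob + _host[2048 + len(_blob):]

if __name__ == "__main__":
    for off, h in high_entropy_regions(SAMPLE):
        print(f"offset {off:#08x}: entropy {h:.2f} bits/byte")
```

On the constructed sample only the two chunks covering the embedded blob (offsets 2048 and 3072) are reported; the surrounding text chunks stay well under the threshold.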
ShadowPad is a modular backdoor platform that has been used in espionage campaigns since at least 2017. Originally discovered as a supply chain compromise in server management software, it has since become a shared tool among multiple Chinese state-sponsored groups. Its modular architecture allows operators to deploy plugins for keylogging, screen capture, file exfiltration, and lateral movement.
The framework is notable for its sophisticated anti-analysis capabilities, including multiple layers of encryption, virtual machine detection, and debugger evasion. ShadowPad campaigns have targeted government agencies, critical infrastructure, telecommunications providers, and technology companies worldwide.
This investigation was conducted by Bedrock Safeguard's threat intelligence team using a combination of static malware analysis, infrastructure reconnaissance, TLS fingerprinting, and open-source intelligence. Malware samples were obtained from public repositories and analyzed in isolated environments.
Infrastructure mapping was performed using passive scanning, certificate transparency logs, and proprietary correlation techniques. Attribution assessments follow the Admiralty/NATO system and are rated at moderate-to-high confidence based on multiple independent indicators.
Full technical details, including specific indicators of compromise, infrastructure diagrams, and attribution analysis, have been submitted to the Canadian Centre for Cyber Security (CCCS) and the Royal Canadian Mounted Police (RCMP). Bedrock Safeguard supports responsible disclosure and works with law enforcement to ensure that intelligence findings contribute to threat mitigation and, where possible, prosecution.
Government agencies, law enforcement, and qualifying organizations can request a detailed technical briefing including full IOCs, infrastructure maps, and detection signatures.