ESET experts discovered that during the protests that began in March 2019, two unnamed universities in Hong Kong were attacked by the Winnti group.
The attacks were detected in November 2019 and began with the discovery of the ShadowPad launcher, which was found on several devices at two universities (shortly after the previous Winnti infections detected in October of that year). The attacks are assessed as targeted because the Winnti malware and the ShadowPad modular backdoor contained C&C URLs and campaign identifiers that directly referenced the names of the affected universities.
Researchers write that the ultimate goal of the attackers was clearly to collect and steal data from the compromised machines. The ShadowPad variant detected on infected devices included keylogger functionality and could take screenshots, using 2 of the 17 modules that ship with the malware.
It is also noted that during this campaign the ShadowPad launcher was replaced with a simpler one that did not use VMProtect obfuscation and used XOR encryption instead of the RC5 block cipher.
ESET experts believe that at least three other Hong Kong universities may also have been attacked by the group, with ShadowPad and Winnti malware used in those campaigns as well.