Backdoor:Win32/Shadowpad

Guidance for end users

For more tips on how to keep your device safe, go to the Microsoft security help & learning portal. 

To learn more about preventing trojans or other malware from affecting individual devices, read about preventing malware infection.

Guidance for enterprise administrators

Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations. 

• Keep public-facing servers up to date to defend against malicious activity. As prime targets for threat actors, public-facing servers need additional monitoring and security. User input validation, file integrity monitoring, behavioral monitoring, and web application firewalls can all help to better secure these servers.
• Use network monitoring and intrusion detection systems to identify unusual or unauthorized network traffic.
• Mitigate the risk of compromised valid accounts by enforcing strong multifactor authentication (MFA) policies using hardware security keys or Microsoft Authenticator. Passwordless sign-in methods (for example, Windows Hello, FIDO2 security keys, or Microsoft Authenticator), password expiration rules, and deactivating unused accounts can also help mitigate risk from this access method.
• Use a cloud-based identity security solution that leverages on-premises Active Directory signals get visibility into identity configurations and to identify and detect threats or compromised identities.
• Use risk-based user sign-in protection and automate threat response to block high-risk sign-ins from all locations and turn on MFA for medium-risk ones.
• Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat, or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-compromise.