Researchers from the Solar 4RAYS team have identified a previously unknown modular backdoor dubbed ShadowRelay inside the infrastructure of a Russian government organization. The malware is designed for long‑term, covert presence, loading of additional espionage modules, and remote control of hosts that have no direct access to the internet.
Discovery of the ShadowRelay modular backdoor and APT links
The ShadowRelay incident was investigated in 2025 and is, with high confidence, attributed to an Asia‑based advanced persistent threat (APT) group known as Erudite Mogwai, also tracked as Space Pirates. During certain phases of the intrusion, traces of activity associated with a related cluster dubbed Obstinate Mogwai were also observed, and it was in this period that ShadowRelay was deployed.
These groups have previously been linked in public reporting to modular espionage platforms such as ShadowPad, which are widely used in long‑term cyber‑espionage campaigns. ShadowRelay fits this evolution: a shift from monolithic remote access trojans (RATs) to flexible, framework‑style toolkits that can be customized per operation.
Attack chain: Microsoft Exchange compromised via ProxyShell
The attackers’ initial entry point was an unpatched Microsoft Exchange server deployed in mid‑2024 and not updated in a timely manner. The server was compromised using the well‑known ProxyShell vulnerability chain (CVE‑2021‑34473, CVE‑2021‑34523, CVE‑2021‑31207), which has been under active exploitation worldwide since 2021 in both targeted and opportunistic attacks, according to multiple advisories from Microsoft and CISA.
Forensics revealed that the Exchange server had been targeted by several threat actors. Analysts identified multiple malicious tools, including ShadowPad Light (also known as Deed RAT). Against this crowded backdrop, Solar 4RAYS discovered the new ShadowRelay backdoor, deployed during the suspected activity window of Obstinate Mogwai.
Architecture and capabilities of ShadowRelay
Modular plugin-based espionage platform
ShadowRelay is a modular platform in which the core backdoor acts as a framework, while specific functionality is implemented through downloadable plugins. In its base configuration, the implant does not expose explicit espionage or destructive functions but can fetch and execute them on demand from the operators’ command‑and‑control (C2) servers.
A notable feature is the ability of ShadowRelay instances to communicate and coordinate with each other, including across systems that lack direct internet connectivity. Attack logic and operational playbooks are moved into plugins, which complicates analysis: even if defenders obtain the main binary, they cannot fully assess the backdoor’s capabilities without the associated modules.
In the investigated case, Solar 4RAYS did not find ShadowRelay plugins in the compromised environment, leaving the ultimate objectives of the operation partially unknown. This is typical of modern APT tooling, where operators deploy functionality gradually to reduce their forensic footprint.
Stealth, anti-analysis and work in isolated segments
ShadowRelay uses multiple techniques to remain undetected, including code injection into legitimate processes, reuse of already open network ports, and minimization of artifacts on disk. These approaches reduce the chances of detection by traditional signature‑based antivirus tools.
The backdoor performs extensive checks for debuggers, sandboxes, and signs of reverse engineering. Full functionality is activated only when a specific parameter from its configuration file is present. If environmental checks fail or appear suspicious, ShadowRelay triggers a self‑deletion mechanism, significantly complicating digital forensics and evidence collection.
Solar 4RAYS singles out as particularly dangerous ShadowRelay’s ability to collect data from, and control, hosts in isolated network segments. The malware builds a mesh of “server” and “client” instances across the infrastructure: an implant in an internet‑facing segment acts as a gateway, relaying commands and exfiltrated data between the external C2 and machines in closed subnets, where critical systems and sensitive information are typically located. Similar proxying techniques have been documented in other APT campaigns targeting industrial and government networks.
Risks for government and critical infrastructure networks
Based on its design and tradecraft, ShadowRelay is clearly oriented toward long‑term, covert persistence rather than rapid monetization. This strongly aligns with state‑sponsored espionage operations and not with typical cybercrime campaigns. The ability to span both perimeter systems and deeply segmented networks makes the tool especially dangerous for government agencies and operators of critical infrastructure.
In the analyzed intrusion, Solar 4RAYS reports that ShadowRelay did not have time to steal data or cause tangible disruption. However, the mere presence of such a sophisticated platform inside a government network underscores the high level of preparation and the strategic interest of the attackers in Russian governmental and quasi‑governmental entities.
Defense strategies against ShadowRelay-style attacks
Solar 4RAYS recommends that organizations, particularly in the public sector and critical infrastructure, strengthen network‑ and host‑level detection and prevention. The incident report includes a Snort rule for detecting ShadowRelay network activity, which should be integrated into NIDS/NIPS solutions and SOC monitoring workflows wherever possible.
Key defensive measures include:
1. Rigorous patch management for internet-facing services. Apply security updates promptly to Microsoft Exchange and other exposed systems, and verify that known issues such as ProxyShell are fully remediated.
2. Deployment of EDR/XDR solutions. Use endpoint detection and response tools to spot anomalous process behavior, code injection, and unusual network connections that indicate backdoor activity.
3. Monitoring East–West traffic. Implement detailed monitoring of internal (East–West) network flows to identify lateral movement, hidden proxy channels, and data exchange between network segments.
4. Continuous use of threat intelligence. Regularly update Snort rules, detection signatures, and indicators of compromise (IoCs) from current threat reports, including those related to ShadowPad, Deed RAT, and similar modular platforms.
5. Inspection of isolated network segments. Periodically audit segmented and “offline” networks for covert communication paths and unauthorized bridges through adjacent zones, using network mapping, anomaly detection, and targeted threat‑hunting exercises.
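The relay behaviour described above (an internet‑facing implant bridging an “offline” segment to the external C2) leaves a recognisable trace in flow data, which is what the East–West monitoring and isolated‑segment inspection steps are meant to catch. The following Python script is an added illustration of that hunt and is not part of the Solar 4RAYS report or its Snort rule. It assumes a NetFlow‑like text record (timestamp, source, destination, destination port, bytes), an isolated segment at 10.50.0.0/16 and the RFC 1918 ranges as “internal”; the addresses, subnets and flow lines are constructed for the example. It flags internal hosts that receive traffic from the isolated segment and, within a short window, send traffic to an external address, and it separately reports any direct isolated‑to‑external flow, which should never occur in a segment with no internet route.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed zone definitions (assumption for this example, not from the report).
ISOLATED = ipaddress.ip_network("10.50.0.0/16")   # segment with no internet route
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def zone(ip_str):
    """Classify an address as 'isolated', 'internal' or 'external'."""
    ip = ipaddress.ip_address(ip_str)
    if ip in ISOLATED:            # checked first: ISOLATED lies inside 10.0.0.0/8
        return "isolated"
    if any(ip in net for net in INTERNAL):
        return "internal"
    return "external"


# Constructed flow records: timestamp src_ip dst_ip dst_port bytes
SAMPLE_FLOWS = """\
2025-03-01T10:00:05 10.50.3.21 10.10.7.15 443 1820
2025-03-01T10:00:09 10.10.7.15 203.0.113.44 443 2104
2025-03-01T10:01:12 10.50.3.21 10.10.7.15 443 960
2025-03-01T10:01:15 10.10.7.15 203.0.113.44 443 1188
2025-03-01T10:02:00 10.50.9.7 10.10.7.15 443 4400
2025-03-01T10:02:04 10.10.7.15 203.0.113.44 443 4610
2025-03-01T10:03:30 10.10.2.2 198.51.100.9 443 700
2025-03-01T10:04:10 10.50.9.7 203.0.113.44 443 512
2025-03-01T10:05:00 10.50.3.21 10.50.3.1 445 300
"""


def parse_flows(text):
    """Parse the text records into dicts sorted by timestamp."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return sorted(flows, key=lambda f: f["ts"])


def find_policy_violations(flows):
    """Flows that leave the isolated segment for an external address directly."""
    return [f for f in flows
            if zone(f["src"]) == "isolated" and zone(f["dst"]) == "external"]


def find_relay_candidates(flows, window_s=30, min_pairs=2):
    """Internal hosts that receive from the isolated segment and, within
    window_s seconds, send to an external address. Each time-correlated
    (inbound, outbound) pair is one piece of evidence; a host is reported
    once it has at least min_pairs of them."""
    inbound = defaultdict(list)   # host -> flows received from isolated segment
    outbound = defaultdict(list)  # host -> flows sent to external addresses
    for f in flows:
        src_z, dst_z = zone(f["src"]), zone(f["dst"])
        if src_z == "isolated" and dst_z == "internal":
            inbound[f["dst"]].append(f)
        elif src_z == "internal" and dst_z == "external":
            outbound[f["src"]].append(f)
    window = timedelta(seconds=window_s)
    candidates = {}
    for host in set(inbound) & set(outbound):
        pairs = [(fin, fout) for fin in inbound[host] for fout in outbound[host]
                 if fin["ts"] <= fout["ts"] <= fin["ts"] + window]
        if len(pairs) >= min_pairs:
            candidates[host] = pairs
    return candidates


def summarize(candidates):
    """Condense relay evidence into who talked to the suspected gateway and where it went."""
    return {host: {"pairs": len(pairs),
                   "isolated_sources": sorted({fin["src"] for fin, _ in pairs}),
                   "external_destinations": sorted({fout["dst"] for _, fout in pairs})}
            for host, pairs in candidates.items()}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for v in find_policy_violations(flows):
        print(f"POLICY VIOLATION: {v['src']} -> {v['dst']}:{v['dport']} at {v['ts']}")
    for host, info in summarize(find_relay_candidates(flows)).items():
        print(f"RELAY CANDIDATE {host}: {info}")
```

Run against real exports, the window and pair thresholds need tuning per environment, and the zone table should come from the organisation's actual segmentation model; the point of the correlation is that a legitimate jump host rarely mirrors every inbound internal session with an outbound external one within seconds, whereas a relaying implant does.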
ShadowRelay demonstrates that well‑resourced threat actors continue to invest in modular, extensible frameworks capable of managing both conventional and isolated networks. Organizations in the government and critical infrastructure sectors should go beyond basic perimeter defenses, regularly review their security architecture, enhance monitoring depth, refine detection rules, and train security teams to recognize and respond to this new class of threats. Early identification and eradication of such backdoors significantly reduces the risk of strategic data theft and disruption of mission‑critical business processes.