⛓ Supply Chain
NetSarang ShadowPad Supply Chain Backdoor — 100+ Corporate Victims
Incident Details
In July 2017, Kaspersky Lab researchers discovered that NetSarang Computer’s server management software suite — used by hundreds of large enterprises globally for SSH, telnet, and file transfer management — had been trojanized with ShadowPad, a sophisticated modular backdoor. NetSarang is a South Korean company whose products (Xmanager, Xshell, Xftp, Xlpd) are used by approximately 500,000 enterprise organizations for remote server management. The attackers (attributed to BRONZE ATLAS / Winnti Group, a China-linked APT) compromised NetSarang’s build process and embedded ShadowPad in a legitimately signed .nls library (nssock2.dll) that was distributed as part of the official software update. ShadowPad decrypts a plugin from encrypted strings and connects to command-and-control infrastructure. Kaspersky detected active ShadowPad infections at a Hong Kong financial institution. NetSarang issued an emergency update and software patch on 4 August 2017 — 17 days after the malicious version (Build 1234) was released. Victims included corporations in financial services, pharmaceuticals, telecommunications, and government sectors. The ShadowPad technique was later used in additional supply chain campaigns. The attack predated and inspired similar vendor software compromise techniques, including NotPetya’s MeDoc distribution and later more prominent attacks.
Technical Details
- Initial Attack Vector: Chinese APT (BRONZE ATLAS / Winnti Group) compromised NetSarang's software build infrastructure and inserted the ShadowPad modular backdoor into NetSarang's legitimate server management software products (Xmanager, Xshell, Xftp, Xlpd) before code signing; the signed trojanized software was distributed through NetSarang's official website.
- Vendor / Product: NetSarang Xmanager Enterprise / Xshell / Xftp (server management software)
- Malware Family: ShadowPad modular backdoor
- Supply Chain Attack: ✅ Confirmed third-party / vendor compromise
Timeline
- 2017-07-01: Breach occurred
- 2017-07-01: Publicly disclosed