Security researchers at Palo Alto Networks Unit 42 have identified a sophisticated fileless malware campaign specifically targeting Windows Active Directory domain controllers. Dubbed "ShadowThread," the malware operates entirely in memory and uses legitimate Windows Management Instrumentation (WMI) calls to propagate across enterprise networks.

ShadowThread exploits a recently patched vulnerability in Active Directory Certificate Services to gain initial access, then establishes persistence through scheduled tasks disguised as routine system maintenance. Once embedded, it harvests Kerberos tickets for lateral movement.

Organizations are urged to apply Microsoft's April security patches immediately and audit their AD environments for unauthorized certificate requests and anomalous WMI activity.
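The audit the advisory calls for can be started by collecting the Windows events that correspond to the three behaviours described above (certificate requests at the CA, scheduled-task creation, and WMI activity). The script below is an added example, not code from Unit 42 or from the report; it assumes an elevated session on the CA and on each domain controller, that the Certification Services and Other Object Access audit subcategories are enabled, and uses placeholder values for the time window and output folder.

```powershell
# Added triage script (not from the Unit 42 report). Collects the standard Windows
# audit events that map to the behaviours described in the advisory:
#   Security 4886/4887/4888        - CA received / issued / denied a certificate request
#   Security 4698                  - scheduled task created (check for "maintenance"-style names)
#   WMI-Activity 5857-5861         - WMI provider loads, errors, and event subscriptions
#                                    (5859-5861 indicate WMI event consumers, a common
#                                    fileless persistence mechanism)
# Assumptions: run elevated on the CA and on each DC; the audit subcategories named in
# the lead-in are enabled; the window and output path below are placeholders.
param(
    [int]$Hours = 24,                                   # placeholder lookback window
    [string]$OutDir = "$env:TEMP\adcs-wmi-triage"       # placeholder output folder
)

$since = (Get-Date).AddHours(-$Hours)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$queries = @(
    @{ Name = 'ca-cert-requests'; LogName = 'Security'; Id = 4886, 4887, 4888 },
    @{ Name = 'scheduled-tasks';  LogName = 'Security'; Id = 4698 },
    @{ Name = 'wmi-activity';     LogName = 'Microsoft-Windows-WMI-Activity/Operational';
       Id = 5857, 5858, 5859, 5860, 5861 }
)

foreach ($q in $queries) {
    $filter = @{ LogName = $q.LogName; Id = $q.Id; StartTime = $since }
    try {
        $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
    } catch {
        # Get-WinEvent throws both when the log is missing and when no events match;
        # either way, record it and move on to the next source.
        Write-Warning "$($q.Name): $($_.Exception.Message)"
        continue
    }

    # Keep the first line of each message so the CSV stays reviewable; the full
    # event remains in the Windows log for deeper follow-up.
    $events |
        Select-Object TimeCreated, Id, MachineName,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Export-Csv -Path (Join-Path $OutDir "$($q.Name).csv") -NoTypeInformation

    Write-Host ("{0,-18} {1,6} events since {2}" -f $q.Name, $events.Count, $since)
}
```

Review the CSVs for certificate requests from unexpected accounts or templates, tasks created outside change windows, and any new WMI event consumer bindings (5861), which should be rare on a domain controller.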