ScatterBrain
ScatterBrain is an obfuscation mechanism used to protect malware payloads, rather than a standalone malware family. In the provided reporting, it is repeatedly observed wrapping ShadowPad samples and is described as an evolution of the earlier ScatterBee obfuscation mechanism. SentinelLABS reported recovering ShadowPad samples obfuscated with ScatterBrain, including a variant used in a June 2024 intrusion against a South Asian government entity and in broader activity affecting more than 70 organizations globally between July 2024 and March 2025. The victim set spanned manufacturing, government, finance, telecommunications, and research, and one identified victim was an IT services and logistics company managing hardware logistics for SentinelOne employees. The associated intrusions were attributed with high confidence to China-nexus threat actors, with reporting noting links to APT41 through Google Threat Intelligence Group’s attribution of ScatterBrain-obfuscated ShadowPad since 2022, and broader overlap in related campaigns with clusters associated with APT15 and UNC5174. In the cited activity, ScatterBrain-obfuscated ShadowPad was associated with cyberespionage operations and, in overlapping campaigns, with ShadowPad activity that delivered NailaoLocker after exploitation of Check Point gateway devices. High-confidence behavior directly mentioned in the content is limited to its role in obfuscating ShadowPad; no independent infection vector, persistence mechanism, or command-and-control behavior for ScatterBrain itself is described.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
"ShadowPad malware, obfuscated with ScatterBrain and linked to Chinese APT41..."
"Using advanced malware like ShadowPad, often obfuscated with ScatterBrain"
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An obfuscation framework/technique used to hinder analysis and detection; here it is used to obfuscate a ShadowPad sample and is associated (per Google) with activity linked to APT41.
ScatterBrain is an obfuscation mechanism (evolved from ScatterBee) used to protect malware such as ShadowPad from detection and analysis. It alters control flow, uses dispatcher routines, and employs opaque predicates to hinder reverse engineering.
An obfuscation framework used to conceal payloads (here, ShadowPad), complicating static and dynamic analysis.
An obfuscation/protection layer used to conceal malware (noted here specifically in conjunction with ShadowPad).
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.