A recently patched security flaw in Microsoft Windows Server Update Services (WSUS) has been exploited by threat actors to distribute malware known as ShadowPad.
“The attacker targeted Windows Servers with WSUS enabled, exploiting CVE-2025-59287 for initial access,” AhnLab Security Intelligence Center (ASEC) said in a report published last week. “They then used PowerCat, an open-source PowerShell-based Netcat utility, to obtain a system shell (CMD). Subsequently, they downloaded and installed ShadowPad using certutil and curl.”
ShadowPad, assessed to be a successor to PlugX, is a modular backdoor widely used by Chinese state-sponsored hacking groups. It first emerged in 2015. In an analysis published in August 2021, SentinelOne called it a “masterpiece of privately sold malware in Chinese espionage.”
CVE-2025-59287, addressed by Microsoft last month, refers to a critical deserialization flaw in WSUS that could be exploited to achieve remote code execution with system privileges. The vulnerability has since come under heavy exploitation, with threat actors using it to obtain initial access to publicly exposed WSUS instances, conduct reconnaissance, and even drop legitimate tools like Velociraptor.
|
ShadowPad installed via CVE-2025-59287 exploit |
In the attack documented by the South Korean cybersecurity company, the attackers have been found to weaponize the vulnerability to launch Windows utilities like “curl.exe” and “certutil.exe,” to contact an external server (“149.28.78[.]189:42306”) to download and install ShadowPad.
ShadowPad, similar to PlugX, is launched by means of DLL side-loading, leveraging a legitimate binary (“ETDCtrlHelper.exe”) to execute a DLL payload (“ETDApix.dll”), which serves as a memory-resident loader to execute the backdoor.
Once installed, the malware is designed to launch a core module that’s responsible for loading other plugins embedded in the shellcode into memory. It also comes fitted with a variety of anti-detection and persistence techniques. The activity has not been attributed to any known threat actor or group.
“After the proof-of-concept (PoC) exploit code for the vulnerability was publicly released, attackers quickly weaponized it to distribute ShadowPad malware via WSUS servers,” AhnLab said. “This vulnerability is critical because it allows remote code execution with system-level permission, significantly increasing the potential impact.”
