A recently patched security flaw in Microsoft Windows Server Update Services (WSUS) has been exploited by threat actors to distribute malware known as ShadowPad.
“The attacker targeted Windows Servers with WSUS enabled, exploiting CVE-2025-59287 for initial access,” AhnLab Security Intelligence Center (ASEC) said in a report published last week. “They then used PowerCat, an open-source PowerShell-based Netcat utility, to obtain a system shell (CMD). Subsequently, they downloaded and installed ShadowPad using certutil and curl.”
ShadowPad, assessed to be a successor to PlugX, is a modular backdoor widely used by Chinese state-sponsored hacking groups. It first emerged in 2015. In an analysis published in August 2021, SentinelOne called it a “masterpiece of privately sold malware in Chinese espionage.”
CVE-2025-59287, addressed by Microsoft last month, refers to a critical deserialization flaw in WSUS that could be exploited to achieve remote code execution with system privileges. The vulnerability has since come under heavy exploitation, with threat actors using it to obtain initial access to publicly exposed WSUS instances, conduct reconnaissance, and even drop legitimate tools like Velociraptor.
 |
|
ShadowPad installed via CVE-2025-59287 exploit |
In the attack documented by the South Korean cybersecurity company, the attackers have been found to weaponize the vulnerability to launch Windows utilities like “curl.exe” and “certutil.exe,” to contact an external server (“149.28.78[.]189:42306”) to download and install ShadowPad.
ShadowPad, similar to PlugX, is launched by means of DLL side-loading, leveraging a legitimate binary (“ETDCtrlHelper.exe”) to execute a DLL payload (“ETDApix.dll”), which serves as a memory-resident loader to execute the backdoor.
Once installed, the malware is designed to launch a core module that’s responsible for loading other plugins embedded in the shellcode into memory. It also comes fitted with a variety of anti-detection and persistence techniques.
“After the proof-of-concept (PoC) exploit code for the vulnerability was publicly released, attackers quickly weaponized it to distribute ShadowPad malware via WSUS servers,” AhnLab said. “This vulnerability is critical because it allows remote code execution with system-level permission, significantly increasing the potential impact.”
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
