Nov 24, 2025Ravie LakshmananMalware / Vulnerability
A just lately patched safety flaw in Microsoft Home windows Server Replace Providers (WSUS) has been exploited by menace actors to distribute malware referred to as ShadowPad.
“The attacker focused Home windows Servers with WSUS enabled, exploiting CVE-2025-59287 for preliminary entry,” AhnLab Safety Intelligence Middle (ASEC) mentioned in a report printed final week. “They then used PowerCat, an open-source PowerShell-based Netcat utility, to acquire a system shell (CMD). Subsequently, they downloaded and put in ShadowPad utilizing certutil and curl.”
ShadowPad, assessed to be a successor to PlugX, is a modular backdoor broadly utilized by Chinese language state-sponsored hacking teams. It first emerged in 2015. In an evaluation printed in August 2021, SentinelOne known as it a “masterpiece of privately offered malware in Chinese language espionage.”
CVE-2025-59287, addressed by Microsoft final month, refers to a important deserialization flaw in WSUS that could possibly be exploited to attain distant code execution with system privileges. The vulnerability has since come beneath heavy exploitation, with menace actors utilizing it to acquire preliminary entry to publicly uncovered WSUS situations, conduct reconnaissance, and even drop reputable instruments like Velociraptor.
ShadowPad put in through CVE-2025-59287 exploit
Within the assault documented by the South Korean cybersecurity firm, the attackers have been discovered to weaponize the vulnerability to launch Home windows utilities like “curl.exe” and “certutil.exe,” to contact an exterior server (“149.28.78[.]189:42306”) to obtain and set up ShadowPad.
ShadowPad, much like PlugX, is launched by the use of DLL side-loading, leveraging a reputable binary (“ETDCtrlHelper.exe”) to execute a DLL payload (“ETDApix.dll”), which serves as a memory-resident loader to execute the backdoor.
As soon as put in, the malware is designed to launch a core module that is accountable for loading different plugins embedded within the shellcode into reminiscence. It additionally comes fitted with quite a lot of anti-detection and persistence strategies.
“After the proof-of-concept (PoC) exploit code for the vulnerability was publicly launched, attackers rapidly weaponized it to distribute ShadowPad malware through WSUS servers,” AhnLab mentioned. “This vulnerability is important as a result of it permits distant code execution with system-level permission, considerably growing the potential affect.”
