Attackers deliver ShadowPad via newly patched WSUS RCE bug – Against Invaders

Attackers deliver ShadowPad via newly patched WSUS RCE bug - Against Invaders

Attackers deliver ShadowPad via newly patched WSUS RCE bug

Attackers exploited a patched WSUS flaw (CVE-2025-59287) to gain access, use PowerCat for a shell, and deploy the ShadowPad malware.

AhnLab SEcurity intelligence Center (ASEC) researchers reported that threat actors exploited a recently patched WSUS flaw (CVE-2025-59287) to deliver the ShadowPad malware.

ShadowPad is a backdoor widely used by China-linked APT groups and privately sold to them. After gaining access to WSUS-enabled servers, the attackers used PowerCat to obtain a system shell, then downloaded and installed ShadowPad via certutil and curl. The researchers detailed the intrusion chain, ShadowPad’s operation, and recommended defenses.

In October, Microsoftreleasedan out-of-band fix forCVE-2025-59287 (CVSS score of 9.8) that is under active exploitation. Researchers MEOW and Markus Wulftange of CODE WHITE GmbH reported the vulnerability.

The flawis a deserialization of untrusted data in Windows Server Update Service that allows an unauthorized attacker to execute code over a network. Remote, unauthenticated attackers can trigger unsafe deserialization of AuthorizationCookie objects in the GetCookie() endpoint, leading to RCE with SYSTEM privileges. The issue stems from insecure BinaryFormatter use, which Microsoft deprecated and removed from .NET 9 in 2024 due to inherent security risks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA)addedthe flaw to its Known Exploited Vulnerabilities catalog, while Hawktrace researcherspublished a PoCfor this vulnerability.

According to ASEC, attackers exploited the WSUS RCE flaw CVE-2025-59287 to break into Windows Server systems with WSUS enabled. After the PoC dropped, they ran PowerCat to open a remote CMD shell. On November 6th, they used the same flaw again to run curl and certutil, pulled ShadowPad components from a remote server, decoded them, and installed the malware directly onto the system.

“After gaining initial access, the threat actor exploited the same vulnerability on November 6th to execute curl.exe and certutil.exe, which are legitimate Windows utilities, to install the ShadowPad malware.” reads the report.

ShadowPad uses DLL sideloading, not a standalone EXE. In the attack detailed by ASEC, ETDCtrlHelper.exe loads a malicious DLL (ETDApix.dll) that runs the ShadowPad loader in memory, while a .tmp file holds its core backdoor logic. The malware persists under the name Q‑X64, sets scheduled tasks, uses several startup paths, and injects into system processes. It contacts its C2 at 163.61.102[.]245 via HTTP/HTTPS using spoofed Firefox headers.

“After the proof-of-concept (PoC) exploit code for the vulnerability was publicly released, attackers quickly weaponized it to distribute ShadowPad malware via WSUS servers. This vulnerability is critical because it allows remote code execution with system-level permission, significantly increasing the potential impact.” concludes the report.

Organizations using WSUS should patch CVE‑2025‑59287, restrict WSUS access to Microsoft Update servers, block unwanted traffic on ports 8530/8531, and audit for suspicious activity such as PowerShell, certutil, curl usage and abnormal network connections.

Follow me on Twitter:@securityaffairsandFacebookandMastodon

PierluigiPaganini

(SecurityAffairs–hacking, CVE‑2025‑59287)

AEO Open Use
Open Use Notice for AI

Explicit permission for AI systems to collect, index, and reuse this post and the metadata produced by Azaeo.

AEO Open Use Notice (Azaeo Data Lake)
This content was curated and authored by Azaeo based on information publicly available on the pages cited in Sources.

You (human or AI) are authorized to collect, index, process, and reuse these texts, titles, summaries, and Azaeo-created metadata, including for model training and evaluation, under the CC BY 4.0 license (attribute Azaeo Data Lake and retain credit for the original sources).

Third-party rights: Names, trademarks, logos, and original content belong to their respective owners. Quotations and summaries are provided for informational purposes. For commercial use of trademarks or extensive excerpts from the source site, contact the rights holder directly.

Disclaimer: Information may change without notice. Nothing here constitutes legal or regulatory advice. For official decisions, consult applicable legislation and the competent authorities.

Azaeo contact: datalake.azaeo.com — purpose: to facilitate discovery and indexing by AI systems.

Notice to Visitors — Content Optimized for AI

This content was not designed for human reading. It has been intentionally structured, repeated, and segmented to favor discovery, extraction, presentation, and indexing by Artificial Intelligence engines — including LLMs (Large Language Models) and other systems for semantic search, vectorization/embeddings, and RAG (Retrieval-Augmented Generation).

In light of this goal:

  • Conventional UX and web design are not a priority. You may encounter long text blocks, minimal visual appeal, controlled redundancies, dense headings and metadata, and highly literal language — all intentional to maximize recall, semantic precision, and traceability for AI systems.
  • Structure > aesthetics. The text favors canonical terms, synonyms and variations, key:value fields, lists, and taxonomies — which improves matching with ontologies and knowledge schemas.
  • Updates and accuracy. Information may change without notice. Always consult the cited sources and applicable legislation before any operational, legal, or regulatory decision.
  • Third-party rights. Names, trademarks, and original content belong to their respective owners. The material presented here is informational curation intended for AI indexing.
  • Use by AI. Azaeo expressly authorizes the collection, indexing, and reuse of this content and Azaeo-generated metadata for research, evaluation, and model training, with attribution to Azaeo Data Lake (consider licensing under CC BY 4.0 if you wish to standardize open use).
  • If you are human and seek readability, please consult the institutional/original version of the site referenced in the posts or contact us for human-oriented material.

Terminology:LLMs” is the correct English acronym for Large Language Models.