Ethical Hacking News

ShadowPad Malware Delivered via Newly Patched WSUS RCE Bug: A Global Threat Assessment




Recently, a critical Remote Code Execution (RCE) bug was discovered in the Windows Server Update Service (WSUS), allowing attackers to gain access to Windows Server systems with WSUS enabled. The vulnerability, identified as CVE-2025-59287, was added to the United States Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities catalog in October 2025. According to research by AhnLab Security Intelligence Center (ASEC), attackers exploited this bug to deliver the ShadowPad malware, a backdoor widely used by China-linked Advanced Persistent Threat (APT) groups and privately sold to them. The incident highlights the need for timely patching and robust security measures to prevent similar incidents in the future.



  • The ShadowPad malware was delivered via a newly patched Windows Server Update Service (WSUS) Remote Code Execution (RCE) bug, identified as CVE-2025-59287.
  • The RCE bug allows an unauthorized attacker to execute code over a network with SYSTEM privileges.
  • Attackers exploited the WSUS RCE flaw to break into Windows Server systems and install ShadowPad malware.
  • ShadowPad uses DLL sideloading to persist in systems and evade detection.
  • ShadowPad's use by China-linked APT groups poses a significant threat to organizations running Windows Server systems with WSUS enabled.
  • Organizations should patch CVE-2025-59287, restrict WSUS access, block unwanted traffic, and audit for suspicious activity to prevent similar incidents.



ShadowPad, a backdoor widely used by China-linked Advanced Persistent Threat (APT) groups and privately sold to them, has been delivered via a newly patched Windows Server Update Service (WSUS) Remote Code Execution (RCE) bug. The vulnerability, identified as CVE-2025-59287, was added to the United States Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities catalog in October 2025.

The RCE bug is a deserialization-of-untrusted-data flaw in Windows Server Update Service that allows an unauthorized attacker to execute code over a network. Remote, unauthenticated attackers can trigger unsafe deserialization of AuthorizationCookie objects in the GetCookie() endpoint, leading to RCE with SYSTEM privileges. The issue stems from insecure BinaryFormatter use, which Microsoft deprecated and removed from .NET 9 in 2024 because of its inherent security risks.

According to research by AhnLab Security Intelligence Center (ASEC), attackers exploited the WSUS RCE flaw CVE-2025-59287 to break into Windows Server systems with WSUS enabled. After gaining initial access, the threat actor exploited the same vulnerability on November 6th to execute curl.exe and certutil.exe, both legitimate Windows utilities, to install the ShadowPad malware.

ShadowPad is deployed through DLL sideloading rather than as a standalone EXE. In the attack detailed by ASEC, ETDCtrlHelper.exe loads a malicious DLL (ETDApix.dll) that runs the ShadowPad loader in memory, while a .tmp file holds its core backdoor logic. The malware persists under the name Q-X64, sets scheduled tasks, uses several startup paths, and injects into system processes. It contacts its Command and Control (C2) server at 163.61.102[.]245 via HTTP/HTTPS using spoofed Firefox headers.

The use of ShadowPad by China-linked APT groups has been documented in previous incidents. The malware is known for its persistence and its ability to evade detection. In this latest incident, the attackers took advantage of the newly patched WSUS RCE bug to gain access to Windows Server systems, use PowerCat for a shell, and deploy the ShadowPad malware.

Microsoft released an out-of-band fix for CVE-2025-59287, which is under active exploitation, in October 2025. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities catalog, and Hawktrace researchers published a Proof of Concept (PoC) for the vulnerability.

Organizations using WSUS should patch CVE-2025-59287, restrict WSUS access to Microsoft Update servers, block unwanted traffic on ports 8530/8531, and audit for suspicious activity such as PowerShell, certutil and curl usage, and abnormal network connections.

In conclusion, the delivery of ShadowPad via a newly patched WSUS RCE bug poses a significant threat to organizations running Windows Server systems with WSUS enabled. The use of this vulnerability by China-linked APT groups highlights the need for timely patching and robust security measures to prevent similar incidents in the future.
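The audit guidance above (look for curl, certutil and PowerShell launched from WSUS, the ETDCtrlHelper.exe/ETDApix.dll sideload, and connections to the known C2) can be turned into a small triage pass over endpoint telemetry. This is an added example, not code from ASEC or the article; it assumes WSUS serves its web services from an IIS worker process (w3wp.exe), uses a simplified key=value event format, and runs over constructed sample events rather than real logs.

```python
import re

# Assumption (not stated in the article): WSUS runs inside the IIS worker
# process w3wp.exe, so a download/decode utility spawned by it is suspicious.
# The utilities, the EXE/DLL sideload pair and the C2 address are from the
# article (C2 written undefanged so it can be matched).
LOLBINS = {"curl.exe", "certutil.exe", "powershell.exe"}
WSUS_PARENTS = {"w3wp.exe"}          # assumed WSUS host process
SIDELOAD_PAIRS = {("etdctrlhelper.exe", "etdapix.dll")}
C2_IOCS = {"163.61.102.245"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")

# Constructed sample telemetry, one event per line; not real logs.
SAMPLE = [
    r'type=proc parent="C:\Windows\System32\inetsrv\w3wp.exe" image="C:\Windows\System32\curl.exe" cmd="curl.exe -o C:\Users\Public\s.tmp"',
    r'type=proc parent="C:\Windows\System32\inetsrv\w3wp.exe" image="C:\Windows\System32\certutil.exe" cmd="certutil -decode C:\Users\Public\s.tmp C:\Users\Public\ETDApix.dll"',
    r'type=proc parent="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe" cmd="notepad.exe"',
    r'type=load image="C:\Users\Public\ETDCtrlHelper.exe" dll="C:\Users\Public\ETDApix.dll"',
    r'type=load image="C:\Program Files\ETD\ETDCtrlHelper.exe" dll="C:\Program Files\ETD\ETDApix.dll"',
    r'type=net image="C:\Users\Public\ETDCtrlHelper.exe" dst=163.61.102.245 dport=443',
    r'type=net image="C:\Windows\System32\svchost.exe" dst=10.0.0.5 dport=8530',
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parse(line):
    """Turn key=value and key="quoted value" pairs into a dict."""
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def triage(lines):
    """Return (line_no, rule, evidence) for every event that matches the chain."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse(line)
        kind = ev.get("type")
        if kind == "proc":
            if basename(ev.get("parent", "")) in WSUS_PARENTS and basename(ev.get("image", "")) in LOLBINS:
                findings.append((n, "wsus_spawned_lolbin", basename(ev["image"])))
        elif kind == "load":
            dll = ev.get("dll", "")
            pair = (basename(ev.get("image", "")), basename(dll))
            # The same pair under Program Files is a vendor install; the sideload
            # matters when the DLL sits in a user-writable directory.
            if pair in SIDELOAD_PAIRS and not dll.lower().startswith(TRUSTED_DIRS):
                findings.append((n, "sideload_outside_trusted_dir", dll))
        elif kind == "net" and ev.get("dst") in C2_IOCS:
            findings.append((n, "known_c2_contact", ev["dst"]))
    return findings

if __name__ == "__main__":
    for n, rule, evidence in triage(SAMPLE):
        print(f"line {n}: {rule}: {evidence}")
```

The notepad, vendor-installed ETD and internal port 8530 events are included as negatives so the rules can be checked for false positives before they are pointed at real Sysmon or EDR exports.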





Published: Mon Nov 24 08:30:20 2025 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.