Chinese Hackers Exploiting WSUS Remote Code Execution Vulnerability to Deploy ShadowPad Malware

Security researchers at the AhnLab Security Intelligence Center (ASEC) have uncovered a sophisticated cyberattack campaign targeting Microsoft Windows Server Update Services (WSUS) infrastructure.

The attackers are exploiting a critical remote code execution vulnerability tracked as CVE-2025-59287 to deploy ShadowPad, a notorious backdoor malware linked to multiple Chinese state-sponsored advanced persistent threat (APT) groups.

On October 14, 2025, Microsoft released a security advisory warning organizations about CVE-2025-59287, a critical vulnerability affecting Windows Servers running the WSUS service.

This vulnerability allows threat actors to achieve remote code execution with system-level privileges on vulnerable servers.

The severity escalated significantly after proof-of-concept (PoC) exploit code became publicly available on October 22, 2025, providing attackers with a ready-made toolkit for exploitation.

| Attribute | Details |
| --- | --- |
| CVE ID | CVE-2025-59287 |
| Affected Product | Microsoft Windows Server Update Services (WSUS) |
| Vulnerability Type | Remote Code Execution (RCE) |
| CVSS Score | Critical |
| Exploit Prerequisites | WSUS service activated on Windows Server |
| Impact | Remote code execution with system privileges |
| Patch Status | Security update available from Microsoft |

The vulnerability specifically affects Windows Server environments with the WSUS service enabled, making such servers a high-value target for attackers seeking to compromise enterprise networks.

WSUS servers are particularly attractive because they occupy a trusted position within organizational infrastructure, managing security updates for multiple Windows systems across the network.

Initial Access to Malware Deployment

ASEC researchers documented a sophisticated multi-stage attack beginning shortly after the PoC release. The threat actors demonstrated rapid weaponization capabilities, moving from initial access to full malware deployment within weeks.

The attack commenced with the exploitation of CVE-2025-59287 to execute PowerCat, an open-source PowerShell-based networking utility that functions similarly to Netcat.

Through PowerCat, attackers established a command shell connection to the compromised server.

AhnLab’s Smart Defense infrastructure captured PowerShell execution logs showing the attackers downloading PowerCat directly from GitHub and establishing a reverse shell to their command-and-control infrastructure at IP address 154.17.26.41 on port 8080.

Following initial foothold establishment on October 14, 2025, the attackers returned on November 6, 2025, to deploy their primary payload.

They again exploited the same WSUS vulnerability to execute legitimate Windows utilities curl.exe and certutil.exe for malware installation.

Installation log of ShadowPad via CVE-2025-59287.

This technique, known as “living off the land,” allows attackers to blend malicious activities with normal system operations, evading detection mechanisms that focus solely on unknown executables.

The malware deployed in this campaign is ShadowPad, a modular backdoor first discovered in 2017 and continuously refined since then.

According to security research from SentinelOne, ShadowPad operates as a privately sold malware platform distributed exclusively to Chinese state-backed APT groups, making it a hallmark of sophisticated nation-state espionage operations.

ShadowPad rarely functions as a standalone executable. Instead, it employs DLL side-loading techniques, hijacking legitimate Windows processes to execute malicious code while avoiding detection.

In this campaign, the attackers utilized a three-component system: ETDCtrlHelper.exe (a legitimate executable), ETDApix.dll (the malicious loader), and 0C137A80.tmp (containing the core backdoor functionality and configuration data).

When the legitimate ETDCtrlHelper.exe executes, it loads the malicious ETDApix.dll, which operates entirely in memory to avoid disk-based detection.

The malware establishes persistence through multiple mechanisms including Windows Registry modifications, scheduled tasks, and service creation, all configured under the identifier “Q-X64.”

The backdoor communicates with command-and-control servers at 163.61.102.245 via both HTTP and HTTPS on port 443, using legitimate-looking Firefox browser user-agent strings to blend with normal web traffic.

The configuration includes multiple injection target processes such as Windows Mail, Windows Media Player, and svchost.exe, providing attackers with various options for maintaining stealth within compromised systems.

Organizations running WSUS infrastructure face significant risk and should prioritize immediate remediation.

Security teams must apply the Microsoft security update addressing CVE-2025-59287 without delay.

Additionally, administrators should audit WSUS server exposure, ensuring only Microsoft Update servers can access WSUS services while blocking inbound traffic on TCP ports 8530 and 8531 from all other sources.
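The following PowerShell script is an added illustration of the exposure reduction described above; it is not from the ASEC report or from Microsoft. Only the port numbers (TCP 8530 and 8531) come from the article. The allowed source ranges are a placeholder that must be replaced with the addresses your own WSUS clients and upstream servers use, and the rule names are this example's own.

```powershell
# Added example: restrict inbound access to the WSUS ports named in the article.
# Run in an elevated PowerShell session on the WSUS server.
$WsusPorts      = @('8530', '8531')
$AllowedSources = @('10.0.0.0/8')   # PLACEHOLDER: replace with your own client/upstream ranges

# Windows Firewall evaluates explicit Block rules before Allow rules, so a
# "block everything else" rule would also block the allowed sources. Instead,
# rely on the default inbound action (Block) and keep only a scoped Allow rule.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Disable any existing inbound rules (e.g. the ones created by WSUS setup) that
# already open these ports to all sources.
Get-NetFirewallPortFilter |
    Where-Object {
        $_.Protocol -eq 'TCP' -and
        (@($_.LocalPort) | Where-Object { $WsusPorts -contains $_ })
    } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Disable-NetFirewallRule

# Create one scoped Allow rule per port (idempotent: remove a prior copy first).
foreach ($port in $WsusPorts) {
    $name = "WSUS-Allow-Inbound-TCP-$port"   # rule name chosen for this example
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
        -LocalPort $port -RemoteAddress $AllowedSources -Action Allow -Profile Any | Out-Null
}

# Verify the resulting port filters and their remote-address scope.
Get-NetFirewallRule -DisplayName 'WSUS-Allow-Inbound-TCP-*' |
    ForEach-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        $addrFilter = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            LocalPort     = $portFilter.LocalPort
            RemoteAddress = ($addrFilter.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
```

Setting the default inbound action to Block affects every inbound service on the host, so review the other Allow rules on the server before applying this on a production system.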

Threat hunting activities should focus on identifying suspicious PowerShell execution, particularly involving certutil.exe and curl.exe, as well as network connections to the identified command-and-control infrastructure.
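As an added example of the hunting described above (not code from the ASEC report), the following PowerShell script checks a Windows Server for the indicators the article names: active connections to 154.17.26.41 and 163.61.102.245, PowerShell script blocks and process-creation events involving PowerCat, curl.exe or certutil.exe, the ETDCtrlHelper.exe / ETDApix.dll / 0C137A80.tmp side-loading set on disk, and persistence entries named "Q-X64". The 30-day lookback, the directories searched and the choice of Run keys for the registry check are this example's own assumptions; the article does not say which registry locations ShadowPad modified.

```powershell
# Added example: hunt for the indicators reported in the article.
# Requires PowerShell script block logging (Event ID 4104) and process
# command-line auditing (Security Event ID 4688) to be enabled for steps 2 and 3.
$C2Addresses   = @('154.17.26.41', '163.61.102.245')              # from the report
$LolBins       = @('powercat', 'curl.exe', 'certutil.exe')         # tooling named in the report
$ArtifactNames = @('ETDCtrlHelper.exe', 'ETDApix.dll', '0C137A80.tmp')
$PersistName   = 'Q-X64'
$LookbackDays  = 30                                                # assumption for this example
$since         = (Get-Date).AddDays(-$LookbackDays)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Category, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. Live TCP connections to the reported command-and-control addresses.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $C2Addresses -contains $_.RemoteAddress } |
    ForEach-Object {
        Add-Finding 'C2 connection' ("{0}:{1} owned by PID {2}" -f $_.RemoteAddress, $_.RemotePort, $_.OwningProcess)
    }

# 2. PowerShell script blocks mentioning the download tooling or C2 addresses.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text = $_.Message
        $hits = ($LolBins + $C2Addresses) | Where-Object { $text -match [regex]::Escape($_) }
        if ($hits) { Add-Finding 'PowerShell script block' ("{0} matched {1}" -f $_.TimeCreated, ($hits -join ', ')) }
    }

# 3. Process creation events for curl.exe / certutil.exe, with parent and command line.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'certutil\.exe|curl\.exe' } |
    ForEach-Object {
        $detail = ($_.Message -split "`r?`n" |
            Where-Object { $_ -match 'New Process Name:|Creator Process Name:|Process Command Line:' } |
            ForEach-Object { $_.Trim() }) -join ' | '
        Add-Finding 'Process creation' ("{0}: {1}" -f $_.TimeCreated, $detail)
    }

# 4. Side-loading artifacts on disk (directories searched are an assumption; this is slow).
$roots = @($env:SystemRoot, $env:ProgramData, "$env:SystemDrive\Users")
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Force -Include $ArtifactNames -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'Side-loading artifact' $_.FullName }
}

# 5. Persistence using the "Q-X64" identifier: service, scheduled task, Run keys.
Get-Service -Name "*$PersistName*" -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Service' ("{0} ({1})" -f $_.Name, $_.Status) }
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like "*$PersistName*" } |
    ForEach-Object { Add-Finding 'Scheduled task' ("{0}{1}" -f $_.TaskPath, $_.TaskName) }
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -like "*$PersistName*" -or
                       ($_.Value -is [string] -and $_.Value -match [regex]::Escape($PersistName)) } |
        ForEach-Object { Add-Finding 'Registry Run value' ("{0}\{1} = {2}" -f $key, $_.Name, $_.Value) }
}

if ($findings.Count -eq 0) { Write-Output 'No indicators from the report were found on this host.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A hit in step 1 or step 4 is strong evidence on its own; hits in steps 2 and 3 need review, since curl.exe and certutil.exe have legitimate administrative uses, so the parent process and command line captured in step 3 are what separate routine activity from a WSUS worker spawning a downloader.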

The rapid exploitation timeline following PoC publication demonstrates that threat actors actively monitor vulnerability disclosures and quickly incorporate them into ongoing campaigns.
