A vulnerability in the Windows Server Update Service (WSUS) is being actively exploited by cybercriminals to plant Skuld Stealer malware, according to new research from the cybersecurity firm Darktrace.
This service, which helps companies manage Microsoft updates in a centralised manner across corporate networks, contains a flaw, identified as CVE-2025-59287, which Microsoft disclosed in October 2025. Because WSUS servers hold key permissions within a network, they are considered high-value targets.
The initial security fix released by Microsoft as part of its October 2025 Patch Tuesday did not fully remediate the flaw, forcing a second, urgent update (called an out-of-band patch) on October 23. However, even with the updates available, criminals started exploiting the flaw right away, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to add the problem to its list of exploited vulnerabilities on October 24.
The Attack Timeline
Darktrace investigated two separate incidents involving US-based customers where this vulnerability was exploited by attackers. The first signs of trouble began on October 24, 2025, the same day CISA added the flaw to its list.
In the initial case, a WSUS server belonging to a firm in the Information and Communication sector began making unusual connections to webhook.site around 3:55 AM. Subsequent communication was seen, with some connections using the common tools PowerShell and cURL.
These are legitimate programs, but attackers were misusing them to remotely control the server. By October 26, the device started connecting to rare subdomains of workers.dev, a service often abused by hackers.
Further probing revealed the device downloaded a legitimate security tool called Velociraptor. The attackers used a vulnerable version of this tool to create a hidden communication ‘tunnel’ back to their command server. The malicious communication continued into October 27, leading to the possible download of the final payload: a data-stealing program called Skuld Stealer.
This stealer harvests sensitive information such as cryptocurrency wallet data, and the attackers aimed to “maintain persistence in enterprise environments, bypassing traditional defences,” according to the Darktrace report shared with Hackread.com.
Education Sector Incident
A second, similar attack was detected shortly after the first, impacting a WSUS server within the Education sector. This device also made outgoing connections using PowerShell to webhook.site on October 24.
While Darktrace did not see further network activity, it is worth noting that the customer’s own security system flagged malicious activity on October 27, suggesting the compromise may have quietly continued on the host.
The research shows that criminals are “leveraging WSUS to deliver malicious payloads.” Darktrace researchers emphasise that an exploit of this kind can lead to considerable damage, from data theft to a full-scale network compromise.
This chain of events also clearly shows that companies need to be ready to defend against such attacks, especially now that criminals are misusing even normal, trusted programs to break in.