Hacking

WSUS Bug Exploited to Push ShadowPad in Real-World Attacks

Published  ·  2 min read

Microsoft may have patched a serious flaw in Windows Server Update Services (WSUS), but attackers didn’t wait long to take advantage of it. Over the past few weeks, security researchers have been watching threat actors break into unpatched servers and quietly push out ShadowPad, a backdoor associated with several Chinese state-linked groups.

According to a report from AhnLab’s security team, the attackers went straight for CVE-2025-59287, a deserialization bug that gives them system-level execution on vulnerable WSUS servers. Once inside, they didn’t use anything fancy. They relied on tools that already exist on every Windows machine, PowerShell, certutil, curl and stitched them together to pull a remote shell using PowerCat. From there, they fetched the ShadowPad payload from an external server and installed it.
ShadowPad itself isn’t new. It’s been circulating since around 2015 and has gradually become one of the go-to backdoors for Chinese espionage groups. It’s modular, flexible, and annoyingly good at hiding. SentinelOne once called it “a masterpiece,” and unfortunately, that description still fits.

In the incident AhnLab studied, the attackers downloaded ShadowPad using a chain of legitimate commands, then used DLL sideloading to slip it into memory. They abused a legitimate executable, ETDCtrlHelper.exe, to load a malicious DLL named ETDApix.dll, which acted as the loader for the backdoor. Once ShadowPad is running, it pulls additional components directly into memory, no obvious files for defenders to trip over  and begins setting up persistence and evasive tricks.

What makes this more concerning is how quickly the exploitation picked up. As soon as proof-of-concept code for the WSUS flaw appeared online, attackers began scanning and compromising exposed servers. Some even used the access to drop legitimate tools like Velociraptor, likely to blend in with routine admin work or gather information for the next stage.AhnLab’s researchers warned that the combination of a remote code execution flaw and a backdoor as capable as ShadowPad gives attackers everything they need to establish long-term control over a Windows environment. Organizations running WSUS should patch immediately and check their logs for unusual downloads initiated by system utilities, especially certutil and curl.

Source : The Hacker News

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067