CVE-2025-59287 represents a critical vulnerability in Microsoft Windows Server Update Services (WSUS) that was rapidly weaponized by threat actors following public proof-of-concept release, enabling the deployment of the ShadowPad backdoor associated with Chinese state-aligned APT groups. This WSUS vulnerability attack commenced on November 6, 2025, targeting Windows Server environments worldwide and demonstrating the dangerous convergence of critical infrastructure vulnerabilities with advanced persistent threat malware capabilities. The CVE-2025-59287 exploitation involves a sophisticated multi-stage attack chain beginning with WSUS server compromise, followed by PowerCat deployment for reverse shell access, and culminating in ShadowPad backdoor installation using living-off-the-land techniques. The ShadowPad malware, first discovered in 2017, is a modular backdoor privately sold to multiple Chinese state-backed APT groups and consistently deployed in long-term espionage operations. The rapid weaponization of CVE-2025-59287 combined with the trusted role of WSUS servers in enterprise environments creates severe risks for lateral movement, sustained access, and data exfiltration across Windows infrastructure. Organizations must immediately apply Microsoft security updates, harden WSUS access controls, and deploy enhanced endpoint detection capabilities to defend against this critical WSUS vulnerability and ShadowPad backdoor threat.
CVE-2025-59287, a critical remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS), transitioned rapidly from disclosure to active exploitation, serving as the initial attack vector for deploying the ShadowPad backdoor malware. ShadowPad, a sophisticated modular backdoor first identified in 2017, is privately sold malware used by multiple Chinese state-backed APT groups for long-term espionage operations. The vulnerability exploitation demonstrates how critical infrastructure components like WSUS servers can be leveraged by advanced persistent threats to establish persistent access across enterprise Windows environments.
Threat actors began weaponizing CVE-2025-59287 within days of public proof-of-concept code release, specifically targeting enterprise WSUS environments to maximize attack impact. WSUS servers manage update distribution for large numbers of Windows systems throughout enterprise networks, making their compromise an ideal foothold for lateral movement and sustained network access. The trusted role of WSUS infrastructure in Windows environments allows attackers to leverage compromised servers for widespread malware distribution while evading detection through legitimate update channels.
The CVE-2025-59287 exploitation follows a structured, multi-stage attack process designed to establish persistent backdoor access. Attackers begin by exploiting the WSUS vulnerability to obtain initial access to the target server. After achieving entry, threat actors deploy PowerCat, a PowerShell-based implementation of Netcat, by downloading it from GitHub and establishing a reverse shell connection to attacker-controlled infrastructure. This reverse shell grants direct command execution capabilities on the compromised WSUS server, enabling subsequent malware deployment and lateral movement activities.
The malware deployment phase leverages living-off-the-land techniques, relying on built-in Windows tools to retrieve and decode ShadowPad components from remote hosts controlled by the attackers. This approach allows threat actors to minimize detection by security tools while establishing persistent backdoor access through the modular ShadowPad malware framework. The overall risk of this CVE-2025-59287 attack is significantly heightened by the combination of a critical vulnerability affecting trusted infrastructure, active exploitation by Chinese state-sponsored APT groups, public availability of exploit code, the inherently trusted role of WSUS servers in Windows environments, and the advanced persistence and evasion features embedded within the ShadowPad backdoor malware.
Organizations must immediately conduct exposure assessment and patch deployment for CVE-2025-59287 by identifying all Windows Server systems running WSUS services. Prioritize WSUS servers reachable from external networks for immediate patching and apply Microsoft’s security update for CVE-2025-59287 without delay. The critical nature of this WSUS vulnerability combined with active ShadowPad backdoor deployment requires urgent remediation across all exposed Windows Server Update Services infrastructure.
Implement comprehensive WSUS hardening and access control measures to prevent CVE-2025-59287 exploitation and unauthorized access. Enforce strict access controls limiting WSUS server communication exclusively to Microsoft Update endpoints and authorized internal systems. Block unauthorized inbound traffic on TCP ports 8530 and 8531 used by WSUS services, and deploy application whitelisting to prevent execution of unapproved binaries and DLLs on critical Windows Server systems. These hardening measures significantly reduce the attack surface for WSUS vulnerability exploitation and ShadowPad backdoor deployment.
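The assessment and hardening steps above, as an added example that is not part of the original article: a PowerShell script that checks whether the WSUS role is present on a Windows Server, whether the CVE-2025-59287 update is installed, and then scopes inbound access on TCP 8530/8531 to authorized client ranges. The KB number and the `$AuthorizedClients` ranges are placeholders, since the article does not give them; substitute the values from Microsoft's advisory and your own network plan.

```powershell
# Added example (not from the original article). Run elevated on each
# Windows Server that may host WSUS. Placeholders: the KB identifier and
# the $AuthorizedClients ranges must be replaced before use.

# --- Exposure assessment -----------------------------------------------------
# Is the WSUS role installed on this host at all?
$wsusRole = Get-WindowsFeature -Name UpdateServices
if (-not $wsusRole.Installed) {
    Write-Output "WSUS role not installed on $env:COMPUTERNAME; nothing to harden here"
    return
}

# WSUS listens on 8530 (HTTP) and 8531 (HTTPS); show what is actually bound.
Get-NetTCPConnection -State Listen -LocalPort 8530,8531 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Confirm the Microsoft update for CVE-2025-59287 is present. The KB number is
# not given in the article; take it from Microsoft's advisory for this CVE.
$kb = 'KB<placeholder-from-MSRC-advisory>'
if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) {
    Write-Warning "$kb is not installed on $env:COMPUTERNAME; patch before exposing WSUS"
}

# --- Hardening: restrict who may reach the WSUS ports ------------------------
# Placeholder ranges: management subnet plus downstream WSUS replicas only.
$AuthorizedClients = @('10.0.0.0/8')

# Windows Firewall evaluates Block rules before Allow rules, so the right model
# is "default inbound Block + one narrowly scoped Allow", not Allow + Block.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

New-NetFirewallRule -DisplayName 'WSUS allow authorized clients' `
    -Direction Inbound -Protocol TCP -LocalPort 8530,8531 `
    -RemoteAddress $AuthorizedClients -Action Allow -Profile Domain

# List any other enabled inbound Allow rules that also open 8530/8531, so a
# broader pre-existing rule (for example one scoped to Any) can be reviewed
# and disabled; the scoped rule created above is excluded from the listing.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and
                   ($_.LocalPort -contains '8530' -or $_.LocalPort -contains '8531') } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
                   $_.Enabled -eq 'True' -and
                   $_.DisplayName -ne 'WSUS allow authorized clients' } |
    Select-Object DisplayName, Profile, Enabled
```

The script deliberately covers only the inbound side named in the article; restricting the server's outbound traffic to Microsoft Update endpoints is normally done on the perimeter firewall or proxy, where the destination allow-list can be maintained centrally. Port ranges expressed as `8530-8531` in an existing rule will not match the simple `-contains` check, so review the full rule set once manually after running it.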
Deploy enhanced endpoint and network defense capabilities tuned specifically to detect ShadowPad backdoor indicators and CVE-2025-59287 exploitation attempts. Configure endpoint detection and response tools to identify DLL sideloading and process injection techniques commonly used in ShadowPad malware deployment. Monitor for suspicious persistence methods including services, scheduled tasks, and registry entries referencing “Q-X64” or related ShadowPad identifiers. Implement network traffic inspection to detect command-and-control activity disguised with spoofed browser user-agent strings characteristic of ShadowPad backdoor communications. These defensive measures enable early detection of CVE-2025-59287 exploitation and ShadowPad deployment before attackers can establish persistent access across Windows infrastructure.
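The persistence-hunting part of the detection guidance above, as an added example that is not part of the original article: a read-only PowerShell sweep of services, scheduled tasks and the common autorun registry locations for entries referencing the "Q-X64" identifier the article names. The `$indicators` list holds only that identifier; any further strings you add to it are your own. DLL sideloading, process injection and user-agent inspection are left to EDR and network tooling, as the article indicates.

```powershell
# Added example (not from the original article). Read-only hunt for
# persistence artifacts referencing the ShadowPad identifier named above.
# Run elevated so that service definitions and all task folders are readable.
$indicators = @('Q-X64')   # from the article; extend with your own intel

$findings = @()

function Add-Finding([string]$Source, [string]$Name, [string]$Detail, [string]$Indicator) {
    $script:findings += [pscustomobject]@{
        Source = $Source; Name = $Name; Detail = $Detail; Indicator = $Indicator
    }
}

# 1. Services: match on service name, display name and binary path.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    foreach ($i in $indicators) {
        if ($svc.Name -like "*$i*" -or $svc.DisplayName -like "*$i*" -or $svc.PathName -like "*$i*") {
            Add-Finding 'Service' $svc.Name $svc.PathName $i
        }
    }
}

# 2. Scheduled tasks: match on task name and on each action's executable/arguments.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $actionText = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    foreach ($i in $indicators) {
        if ($task.TaskName -like "*$i*" -or $actionText -like "*$i*") {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $actionText $i
        }
    }
}

# 3. Registry: service definitions (recursed, so Parameters\ServiceDll is seen)
#    and the machine-wide Run/RunOnce keys. Key names, value names and value
#    data are all checked. Recursing the Services hive takes a little while.
$regPaths = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($p in $regPaths) {
    # Get-ChildItem returns subkeys only, so include the key itself for Run/RunOnce.
    $keys = @(Get-Item -Path $p -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $p -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($i in $indicators) {
            if ($key.PSChildName -like "*$i*") {
                Add-Finding 'RegistryKey' $key.Name '' $i
            }
            foreach ($valueName in $key.GetValueNames()) {
                $data = [string]$key.GetValue($valueName)
                if ($valueName -like "*$i*" -or $data -like "*$i*") {
                    Add-Finding 'RegistryValue' "$($key.Name)\$valueName" $data $i
                }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No persistence referencing $($indicators -join ', ') found on $env:COMPUTERNAME"
} else {
    $findings | Format-Table -AutoSize
}
```

A match is a lead, not a verdict: confirm by checking the signer and hash of the referenced binary or DLL and by comparing the creation time of the service or task with the window in which the WSUS server was reachable. Running the same sweep across all WSUS hosts from a management station (for example via `Invoke-Command`) gives a quick fleet-wide view.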
MD5 Hashes:
SHA256 Hashes:
URLs:
Filenames:
File Paths:
IPv4 Addresses:
Mutex:
Initial Access:
Execution:
Persistence:
Privilege Escalation:
Defense Evasion:
Discovery:
Command and Control:
Resource Development:
Lateral Movement: