A sophisticated cyberattack campaign is actively deploying the ShadowPad backdoor by exploiting a vulnerability in Microsoft’s Windows Server Update Services (WSUS). The objective of this operation is to gain full, persistent system access within targeted enterprise and government networks.
Threat actors are compromising WSUS servers and turning them into internal distribution points for malware. By abusing the trust that client endpoints place in their configured WSUS server, attackers push malicious updates that install ShadowPad. Because the delivery traffic is ordinary intranet update traffic, it does not cross the network perimeter, so perimeter defenses never see the payload arrive.
Attack Vector: Abusing the Update Mechanism
The attack chain begins with the compromise of the network’s WSUS server. Once attackers control it, they manipulate the update process to deliver a custom, malicious update package to the workstations and servers that synchronize with it. The fraudulent update masquerades as a legitimate Microsoft patch. One caveat a defender should keep in mind: the Windows Update Agent only installs content whose signature it trusts, and a client accepts packages that are not signed by Microsoft (locally published or third-party updates) only when it is configured to do so, so the state of that configuration on endpoints is a key part of assessing exposure.
Client machines configured to receive updates from the compromised WSUS server download and install the payload automatically. Installation runs under the Windows Update Agent with SYSTEM privileges, which gives ShadowPad immediate and deep-rooted access to each infected host. Because every client of the server is a candidate target, the method spreads the infection widely and quickly inside a trusted corporate network.
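The following PowerShell script is an added triage example for an endpoint that takes updates from WSUS; it is not from the article and not associated with the campaign described. It reads the documented Windows Update policy registry values, reports which server the client trusts, flags the setting that allows non-Microsoft-signed update content to install, and lists recent update history through the Windows Update Agent COM API so a responder can spot a package that does not look like a Microsoft patch. The expected WSUS hostname and the "no KB number" heuristic are assumptions for illustration.

```powershell
# Added example (not from the article): client-side triage for a WSUS-fed endpoint.
# Run elevated on a client. Registry paths and the COM API used here are documented
# Windows interfaces; the expected WSUS host below is an assumed placeholder.

$ExpectedWsus = 'wsus.corp.example'   # assumption: your approved WSUS hostname

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

$wu = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path $auPolicy -ErrorAction SilentlyContinue

$findings = @()

# 1. Which server does this client trust for updates?
if ($au.UseWUServer -eq 1 -and $wu.WUServer) {
    $server = ([Uri]$wu.WUServer).Host
    "WSUS in use: $($wu.WUServer)"
    if ($server -ne $ExpectedWsus) {
        $findings += "WUServer points at unexpected host '$server'"
    }
} else {
    "Client is not configured for WSUS (Microsoft Update or no policy)."
}

# 2. Will it install content signed by something other than Microsoft?
# AcceptTrustedPublisherCerts=1 is the 'Allow signed updates from an intranet
# Microsoft update service location' policy. It is required for locally published
# (third-party) updates, which is exactly what a non-Microsoft package would need.
if ($wu.AcceptTrustedPublisherCerts -eq 1) {
    $findings += 'AcceptTrustedPublisherCerts=1: non-Microsoft-signed updates are accepted from the intranet WSUS'
}

# 3. Recent update history from the Windows Update Agent COM API.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$history  = if ($count -gt 0) { $searcher.QueryHistory(0, [Math]::Min($count, 50)) } else { @() }

"`nLast $(@($history).Count) update history entries:"
foreach ($h in $history) {
    # Operation: 1 = installation, 2 = uninstallation. ResultCode: 2 = succeeded.
    $op  = if ($h.Operation -eq 1) { 'Install' } else { 'Uninstall' }
    $res = switch ($h.ResultCode) {
        2 { 'Succeeded' } 3 { 'SucceededWithErrors' } 4 { 'Failed' } 5 { 'Aborted' } default { $h.ResultCode }
    }
    '{0:u}  {1,-9} {2,-20} {3}' -f $h.Date, $op, $res, $h.Title
    # Heuristic (assumption): Microsoft updates normally carry a KB number in the title.
    # Drivers and legitimate third-party updates also lack one, so this is a triage
    # hint to review, not proof of compromise.
    if ($h.Operation -eq 1 -and $h.ResultCode -eq 2 -and $h.Title -notmatch 'KB\d+') {
        $findings += "Installed update without a KB number: '$($h.Title)' on $($h.Date)"
    }
}

"`nFindings:"
if ($findings.Count -eq 0) { '  none' } else { $findings | ForEach-Object { "  - $_" } }
```

Run it on a sample of clients that point at the suspect WSUS server; any entry flagged under "Findings" is a starting point for pulling the corresponding package from the server's content directory and checking its signature chain, not a verdict on its own.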
ShadowPad Malware Capabilities
ShadowPad is a modular backdoor historically associated with state-sponsored threat actors. Its design allows operators to deploy a wide range of plugins to perform specific malicious actions based on their objectives. Core capabilities observed in this campaign include remote command execution, file uploading and downloading, and process manipulation.
The malware establishes a covert command-and-control (C2) channel to receive instructions and exfiltrate stolen data. Its deployment through the WSUS mechanism demonstrates the attackers’ focus on stealth, persistence, and long-term espionage objectives within compromised environments.
Source: https://thehackernews.com/2025/11/shadowpad-malware-actively-exploits.html