Analysis of ShadowPad Attack Exploiting WSUS Remote Code Execution Vulnerability (CVE-2025-59287)
released on 2025-11-20 @ 02:36:37 PM
A critical vulnerability in Microsoft Windows Server Update Services (CVE-2025-59287) has been exploited to distribute the ShadowPad malware. The attack targets Windows Server systems with WSUS enabled, using PowerCat to gain initial access and obtain a system shell. ShadowPad, a backdoor used by Chinese APT groups, is then installed by abusing legitimate Windows utilities. The malware runs through DLL sideloading, with its core functionality stored in a .tmp file. Key configuration details include its persistence mechanisms, injection targets, and C&C servers. The speed with which this vulnerability was weaponized highlights the need for immediate defensive measures: applying the latest Microsoft security update, reviewing whether WSUS servers are exposed, and auditing those servers for suspicious activity.