{"id":225824,"date":"2025-11-25T01:22:33","date_gmt":"2025-11-25T07:22:33","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2025\/11\/shadowpad-malware-actively-exploits-wsus-vulnerability-for-full-system-access"},"modified":"2025-11-25T01:22:33","modified_gmt":"2025-11-25T07:22:33","slug":"shadowpad-malware-actively-exploits-wsus-vulnerability-for-full-system-access","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2025\/11\/shadowpad-malware-actively-exploits-wsus-vulnerability-for-full-system-access","title":{"rendered":"ShadowPad Malware Actively Exploits WSUS Vulnerability for Full System Access"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/shadowpad-malware-actively-exploits-wsus-vulnerability-for-full-system-access.jpg\"><\/a><\/p>\n<p>Once installed, the malware is designed to launch a core module that\u2019s responsible for loading other plugins embedded in the shellcode into memory. It also comes fitted with a variety of anti-detection and persistence techniques. The activity has not been attributed to any known threat actor or group.<\/p>\n<p>\u201cAfter the proof-of-concept (PoC) exploit code for the vulnerability was publicly released, attackers quickly weaponized it to distribute ShadowPad malware via WSUS servers,\u201d AhnLab said. \u201cThis vulnerability is critical because it allows remote code execution with system-level permission, significantly increasing the potential impact.\u201d<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>Once installed, the malware is designed to launch a core module that\u2019s responsible for loading other plugins embedded in the shellcode into memory. It also comes fitted with a variety of anti-detection and persistence techniques. The activity has not been attributed to any known threat actor or group. \u201cAfter the proof-of-concept (PoC) exploit code for [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34],"tags":[],"class_list":["post-225824","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/225824","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=225824"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/225824\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=225824"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=
225824"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=225824"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}