
ShadowPad malware deployed via WSUS exploitation

Malware Activity
Happening score: 47
1 unique source, 1 article

Summary


ShadowPad was downloaded and installed on Windows Server WSUS systems after attackers exploited CVE-2025-59287, extending the impact of the flaw beyond initial access to persistent backdoor deployment. The malware matters because it adds modular backdoor capabilities, including persistence and anti-detection features, to compromised servers. Attackers used PowerCat, certutil.exe, and curl.exe to retrieve and stage the payload.

Related Happenings

SHub Reaper macOS infostealer variant

Malware Activity
First: 19.05.2026 00:42 Last: 19.05.2026 00:42 Sources 1

About this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...

Fake Claude PlugX phishing campaign

Campaign
First: 13.04.2026 12:52 Last: 13.04.2026 12:52 Sources 1

About this happening: A **February** phishing campaign used a **fake Claude website** and **fake meeting invitations** to deliver **PlugX** malware to recipients, turning a popular AI brand into a malw...

Latest development: 07.05.2026 13:02

A fake Claude AI site at claude-pro[.]com distributed Claude-Pro-windows-x64.zip, which drops NOVupdate.exe, NOVupdate.exe.dat, and avk.dll to sideload DonutLoader and load the Beagle backdoor on Windows. The backdoor uses license[.]claude-pro[.]com for command-and-control over TCP 443 and/or UDP 8080, and related Beagle samples were submitted to VirusTotal between February and April this year.

OpenClaw fake installer GitHub campaign promoted by Bing AI

Campaign
First: 06.03.2026 00:37 Last: 06.03.2026 00:37 Sources 1

About this happening: A **last month** campaign used **fake OpenClaw installers** on **GitHub** and **Bing AI**-promoted search results to push **malware loaders** and **infostealers** to people trying...

Latest development: 09.03.2026 20:31

A malicious npm package named @openclaw-ai/openclawai, uploaded on March 3, 2026, masquerades as an OpenClaw installer and uses a postinstall hook to launch scripts/setup.js, display a fake CLI and iCloud Keychain prompt, and fetch a second-stage payload from trackpipe[.]dev. The chain installs a persistent RAT internally identified as GhostLoader and steals macOS Keychain data, browser credentials, crypto wallets, SSH keys, Apple Notes, iMessage history, Safari history, and Mail data before exfiltrating a tar.gz archive through the C2 server, Telegram Bot API, and GoFile.io.

Python-based malware deployment with XWorm and Cobalt Strike tooling

Malware Activity
First: 23.02.2026 17:30 Last: 23.02.2026 17:30 Sources 1

About this happening: A **Python-based malware deployment** was uncovered on a **compromised Windows system**, exposing persistence, obfuscation, and credential-theft activity tied to **PayPal abuse**...

BRICKSTORM backdoor activity and GRIMBOLT replacement on appliances

Malware Activity
First: 18.02.2026 12:32 Last: 18.02.2026 12:32 Sources 1

About this happening: **BRICKSTORM** is a **Golang backdoor** used by **PRC state-sponsored actors** to keep **long-term persistence** on **VMware vSphere**, **Windows**, and appliance environments. **...

Timeline

  1. 24.11.2025 09:18 · 2 articles

    ShadowPad deployed via WSUS exploitation

    Technical Analysis Update

    Threat actors exploited CVE-2025-59287 on WSUS-enabled Windows servers to obtain initial access, used PowerCat to get a CMD shell, and then downloaded and installed ShadowPad with certutil.exe and curl.exe from 149.28.78[.]189:42306, with DLL side-loading through ETDCtrlHelper.exe and ETDApix.dll.
