The Nightmare Before Halloween: WSUS CVE-2025-59287 - Observing Post-Exploitations & Velociraptor C2
- stagingppln
- Nov 8
- 7 min read
Updated: Nov 24
Author(s): Reyben T. Cortes, Md. Azim Uddin, Abdullah Al Mamun

POST /ReportingWebService/ReportingWebService.asmx HTTP/1.1
Host: [redacted]:8530
User-Agent: Windows-Update-Agent
Content-Length: 5244
Accept: text/xml
Connection: Keep-Alive
Content-Type: text/xml
SOAPAction: "http://www.microsoft.com/SoftwareDistribution/ReportEventBatch"
Accept-Encoding: gzip
Connection: close

Figure 0: HTTP POST request to ReportingWebService[.]asmx
Trick or Treat! It's the nightmare before Halloween: on a Friday you receive alerts of suspicious Windows service activity attempting to execute malicious binaries. Spoiler alert: it came from the parent process WsusService[.]exe. This scenario became our reality in late October 2025, when we observed an attacker conducting sophisticated post-exploitation activity consistent with WSUS CVE-2025-59287, involving China-nexus actors using the same encoded binary payload to drop V2[.]MSI, packaged as a malicious Velociraptor C2. In this case, instead of exploiting SAP NetWeaver CVE-2025-31324, the attackers used Velociraptor for post-exploitation. The attack chain mirrors patterns recently documented by Darktrace, which led us to investigate the malicious payload.
![Figure 1: Services[.]exe > Velociraptor C2 > MSIInstall > V3[.]MSI](https://static.wixstatic.com/media/e72e96_b6d2dfccc3bc49648357a677a0b91401~mv2.png/v1/fill/w_980,h_299,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/e72e96_b6d2dfccc3bc49648357a677a0b91401~mv2.png)
In Figure 1, a decoded binary executes a multi-staged payload chain with interesting persistence mechanisms and sophisticated masquerading/hiding techniques. Using the Windows service API, it requests malicious payloads from several staging addresses (redacted) and renames the malicious binaries multiple times via services.exe. The actor implements defense evasion by adding exclusions via Add-MpPreference for several directories containing the likely Velociraptor C2 binary, blunting Microsoft Defender Antivirus (MDAV) detection. In addition, the target paths below add a further layer of evasion by placing malicious artifacts in directories not normally scanned by antivirus engines:
C:\ProgramData\Microsoft\Windows\WER\services.exe
C:\ProgramData\Microsoft\Windows\Templates\services.exe
C:\ProgramData\Microsoft\Windows\WER\JavaCore.sys
Interestingly, both executables here are renamed to the same filename, services.exe, intended to confuse antivirus scans even further after the exclusions, while at the same time being two completely different binaries, the one in the Templates directory being the service installation wrapper. The staging addresses below show the original filenames of the malicious binaries before they were renamed, post-ingress tool transfer, to questionable file extensions such as JavaCore[.]sys, masquerading as a legitimate Java system driver.
http://130.185.118[.]247:9090/tomcaterror[.]bmpgq
http://130.185.118[.]247:9090/nosm[.]exe
http://130.185.118[.]247:9090/lisence[.]shm
The nosm[.]exe binary acting as the service installation wrapper is also renamed, with a typo. However, further analysis indicates that this is a legitimate open-source Windows tool known as NSSM (Non-Sucking Service Manager), which the actor used to wrap the malicious executables as a legitimate Windows background service, as shown in Figure 2. This is interesting to note, as the tool allows you to masquerade malicious executables as a Windows service and implement persistence mechanisms.

Figure 2: nssm monitors the running service and will restart it if it dies
The variable $ErrorActionPreference is set several times as part of the evasion tactics, ignoring process interrupts and suppressing errors that may have occurred during the installation. This also allows malicious executions to continue that would otherwise have been terminated if a user logged off the system or a remote C2 connection dropped, using the uniquely chosen parameter:
$ErrorActionPreference = 'silentlycontinue'
Additionally, at face value these will look entirely different because of the masquerading techniques that make the malicious nssm service installation appear as "MSIInstall service" in the process list, with an additional description to appear legitimate, as shown below:
set "MSIInstall service" DisplayName "MSIInstall service" | Out-Null
set "MSIInstall service" Description "Manages profiles and accounts on a SharedPC configured device"
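As an added example (not the authors' code), the following Python scores constructed PowerShell script-block text, modelled on the chain described above, against rules for the evasion markers this post describes: silentlycontinue error suppression, Add-MpPreference exclusions under ProgramData, a wrapper install/set with a masquerading service name, attrib hiding, and a services.exe running outside System32. The sample lines and rule names are assumptions, not the actor's actual commands.

```python
import re

# Constructed PowerShell script-block text (what Event ID 4104 would record), modelled
# on the chain above; these are sample lines, not the actor's actual commands.
SAMPLE_SCRIPT_BLOCKS = [
    "$ErrorActionPreference = 'silentlycontinue'",
    "Add-MpPreference -ExclusionPath 'C:\\ProgramData\\Microsoft\\Windows\\WER'",
    "Add-MpPreference -ExclusionPath 'C:\\ProgramData\\Microsoft\\Windows\\Templates'",
    "& 'C:\\ProgramData\\Microsoft\\Windows\\Templates\\services.exe' install "
    "'MSIInstall service' 'C:\\ProgramData\\Microsoft\\Windows\\WER\\services.exe'",
    "& 'C:\\ProgramData\\Microsoft\\Windows\\Templates\\services.exe' set "
    "'MSIInstall service' DisplayName 'MSIInstall service' | Out-Null",
    "attrib +s +h +r +a 'C:\\ProgramData\\Microsoft\\Windows\\WER\\services.exe'",
    "Get-ChildItem C:\\Temp",  # benign line that should not match any rule
]

# Hypothetical rule names; each regex targets one evasion marker from the post.
RULES = [
    ("error_suppression",
     re.compile(r"""\$ErrorActionPreference\s*=\s*['"]?silentlycontinue""", re.I)),
    ("defender_exclusion_programdata",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b.*ProgramData", re.I)),
    ("service_wrapper_install",  # nssm-style install/set of "<name> service", whatever the binary is called
     re.compile(r"""\b(install|set)\s+['"][^'"]*service['"]""", re.I)),
    ("hidden_system_attrib_programdata",
     re.compile(r"\battrib\b.*\+[shr].*ProgramData", re.I)),
    ("services_exe_outside_system32",  # the genuine services.exe lives only in System32
     re.compile(r"(?<!System32\\)services\.exe", re.I)),
]

def evaluate(blocks):
    """Map each rule name to the script-block lines that triggered it."""
    matched = {}
    for block in blocks:
        for name, rx in RULES:
            if rx.search(block):
                matched.setdefault(name, []).append(block)
    return matched

def is_masquerade_chain(matched):
    """Flag when a Defender exclusion is paired with attribute hiding or a fake services.exe."""
    return ("defender_exclusion_programdata" in matched and
            ("hidden_system_attrib_programdata" in matched
             or "services_exe_outside_system32" in matched))
```

Any single rule can fire on legitimate administration; the chain check is what separates this tradecraft from an admin adding one exclusion.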
Last but not least, the use of file attribute manipulation and service permission obfuscation was the most interesting segment we observed from this actor, highlighting a deep understanding of the Windows service API and the manipulation of target directories with uniquely chosen parameters. The attributes below render the binaries in these directories effectively invisible to casual inspection. In addition, the modification of the DACL (Discretionary Access Control List) on the service and directory permissions, expressed through the service security descriptor in SDDL (Security Descriptor Definition Language), makes incident response considerably harder.
- +s (System attribute) - Marks the file as a system file
- +h (Hidden attribute) - Hides it from default directory listings
- +r (Read-only) - Prevents accidental modification/deletion
- +a (Archive attribute) - Marks it for backup operations
- (D;;DCLCWPDTSD;;;BA) - Denies specific permissions to Built-in Administrators
- (A;;CCLCSWLOCRRC;;;IU) - Permits limited permissions to Interactive Users
- (A;;CCLCSWLOCRRC;;;SU) - Permits limited permissions to Service Users
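To make the service security descriptor concrete, here is an added Python example (not from the original post) that decodes the three SDDL ACEs listed above into service rights and flags the pattern where Built-in Administrators are denied the rights needed to query, stop, reconfigure or delete a service. The rights and SID tables cover only the codes needed here, and OBSERVED_SDDL is a descriptor constructed from the page's three ACEs.

```python
import re

# Service-specific rights as the two-letter SDDL codes used by sc.exe sdshow/sdset.
SERVICE_RIGHTS = {
    "CC": "QueryConfig", "DC": "ChangeConfig", "LC": "QueryStatus",
    "SW": "EnumerateDependents", "RP": "Start", "WP": "Stop",
    "DT": "PauseContinue", "LO": "Interrogate", "CR": "UserDefinedControl",
    "SD": "Delete", "RC": "ReadControl", "WD": "WriteDac", "WO": "WriteOwner",
}
# Well-known SID abbreviations that appear in the descriptor above.
TRUSTEES = {"BA": "Builtin Administrators", "IU": "Interactive Users",
            "SU": "Service Logon Users", "SY": "Local System"}

# One ACE: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\((?P<type>[AD]);(?P<flags>[^;]*);(?P<rights>[^;]*);"
                    r"[^;]*;[^;]*;(?P<sid>[^)]+)\)")

def parse_sddl_aces(sddl):
    """Decode every DACL ACE in a service SDDL string into a dict."""
    aces = []
    for m in ACE_RE.finditer(sddl):
        code = m.group("rights")
        # Rights are a run of two-letter codes; unknown codes are kept verbatim.
        rights = [SERVICE_RIGHTS.get(code[i:i + 2], code[i:i + 2])
                  for i in range(0, len(code), 2)]
        aces.append({"type": "Deny" if m.group("type") == "D" else "Allow",
                     "rights": rights,
                     "trustee": TRUSTEES.get(m.group("sid"), m.group("sid"))})
    return aces

# Rights an administrator needs to inspect, stop or remove a service.
CONTROL_RIGHTS = {"QueryStatus", "ChangeConfig", "Stop", "Delete"}

def suspicious_service_sddl(sddl):
    """Return findings for ACEs that deny administrators control of the service."""
    findings = []
    for ace in parse_sddl_aces(sddl):
        if ace["type"] == "Deny" and ace["trustee"] == "Builtin Administrators":
            denied = CONTROL_RIGHTS & set(ace["rights"])
            if denied:
                findings.append("Deny to Builtin Administrators: "
                                + ", ".join(sorted(denied)))
    return findings

# Constructed descriptor built from the three ACEs listed in the post.
OBSERVED_SDDL = "D:(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"

if __name__ == "__main__":
    for ace in parse_sddl_aces(OBSERVED_SDDL):
        print(ace)
    print(suspicious_service_sddl(OBSERVED_SDDL))
```

A deny ACE on QueryStatus for BA is why the service does not show up in an administrator's service listing; feeding the output of sc sdshow for each service into this check is a cheap hunt.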
Observing how much care was taken throughout the entire process to make this initial infection look benign from top to bottom, we assume this activity is the work of an APT-level actor from China that has exploited a similar execution chain in a previous zero-day vulnerability, SAP NetWeaver CVE-2025-31324. We also assume that the activity highlighted by Darktrace has a connection with this initial infection payload, services[.]exe, which contains the Velociraptor C2 binary. We share these additional findings from our research into the unreported V3[.]MSI executable with network defenders for actionable threat-informed defense.
In conclusion, to better defend against this attack it is critical for defenders to enable PowerShell script block logging to capture suppressed errors, enable Defender exclusion monitoring, and look out for extremely granular commands that manipulate file attributes and abuse SDDL (Security Descriptor Definition Language). As we near the end of 2025 it has been a wild ride of constant in-the-wild (ITW) exploitation of zero-day vulnerabilities, yet despite the constant AI buzzwords and security promises you hear in this industry, it seems as if nothing has really changed. Hint: there is a reason why, and it all comes back to understanding the basics, but that's another topic for another article. Stay tuned!
MITRE ATT&CK Mapping
Post-exploitation and payload mapped to MITRE ATT&CK techniques and sub-techniques:
| ID | Technique |
| --- | --- |
| T1595.002 | Vulnerability Scanning |
| T1190 | Exploit Public-Facing Application |
| T1132.001 | Standard Encoding |
| T1059.001 | PowerShell Execution |
| T1562.001 | Impair Defenses (Antivirus) |
| T1564.012 | Hide Artifacts |
| T1564.011 | Ignore Process Interrupts |
| T1218.007 | System Binary Proxy Execution |
| T1222.001 | Windows File and Directory Permissions Modification |
Indicators & C2 domains
Initial Payload Infection Chain & Velociraptor C2
Post-Exploitation Activity Analysis Summary

Stage 1: Initial Access (T1190 - Exploit Public-Facing Application)
- Unauthenticated exploitation of CVE-2025-59287
- Remote code execution achieved within the compromised WSUS service context
- Execution with SYSTEM-level privileges
Stage 2: Reconnaissance & Enumeration
- PowerShell-based network enumeration
- System information gathering via custom scripts
- Data exfiltration to webhook[.]site for attacker validation
Stage 3: Payload Delivery
- MSI installer deployment (v3.msi)
- Cabinet file extraction (Sample[.]cab, part2[.]cab)
- Velociraptor DFIR tool deployment
Stage 4: C2 Establishment
- Cloudflare Workers infrastructure abuse
- Velociraptor configured as an encrypted tunnel
- Persistent beaconing to attacker-controlled infrastructure
Stage 5: Post-Compromise Activities
- Skuld Stealer deployment for credential harvesting
- Browser data and cryptocurrency wallet exfiltration
- Preparation for lateral movement
Cloudflare Workers Abuse Pattern
Threat actors consistently leverage Cloudflare Workers for C2 infrastructure due to:
- Difficulty in blocking (legitimate CDN service)
- Dynamic subdomain generation
- SSL/TLS encryption by default
- Low cost and rapid deployment
- Minimal registration requirements
Observed Indicators:
- royal-boat-bf05.qgtxtebl.workers[.]dev - MSI payload hosting
- chat.hcqhajfv.workers[.]dev - Velociraptor C2 server
- HTTP POST-based command delivery
- Medium-period beaconing (15-30 minute intervals)
Asia-Pacific WSUS Attack Surface Landscape
If we look at Japan within the APAC region, its high concentration of technology manufacturing accounts for the 75 endpoints detected there.

Fig.: Japan has 75 endpoints
Across the wider Asia region, however, we see more attack surface discovered, with 34.37% in South Korea and 32.13% in China; the rest is spread in smaller proportions, among which Hong Kong, India, and Singapore lead.
Our analysis of internet-facing WSUS servers across the Asia-Pacific region reveals a concentration of exposure in economically developed nations with mature IT infrastructure:
| Country | Count of Hosts | Percentage of APAC Exposure |
| --- | --- | --- |
| South Korea | 551 | 34.37% |
| China | 515 | 32.13% |
| Hong Kong | 85 | 5.30% |
| India | 84 | 5.24% |
| Japan | 74 | 4.62% |
| Singapore | 52 | 3.24% |
| Other countries | 234 | 15.1% |
Figure 1: Asia-Pacific WSUS Exposure Distribution

Several geopolitical factors explain why Asia is targeted: a high concentration of technology manufacturing and R&D, critical infrastructure interconnectedness, a target-rich environment for state-sponsored actors, and intellectual property theft motivations. Technical factors add to this: legacy Windows Server deployments, patch management challenges in distributed environments, limited security operations center (SOC) maturity in the SME sector, and language barriers in security advisory comprehension. South Korea's significant exposure (34.37%) correlates with its advanced semiconductor and electronics industries and high-density data center infrastructure. China also has significant exposure (32.13%), with massive enterprise IT infrastructure scale and state-owned enterprise (SOE) WSUS deployments.
Sector-Specific Exposure Patterns
Analysis of autonomous system numbers (ASNs) and organizational identifiers reveals vulnerability concentration in:
High-Risk Sectors:
- Education: Universities and research institutions (1.5% of exposure)
- Government: Municipal and provincial infrastructure (2.1%)
- Telecommunications: Service providers and ISPs (74.7%)
- Financial Services: Banking and fintech infrastructure (1.2%)
- Manufacturing: Industrial and technology companies (0.5%)
Technical Configuration Analysis
Port Distribution:
- Port 8530 (HTTP): 100% of identified instances
- Port 8531 (HTTPS): 8.76% of identified instances
Critical Finding: Essentially all of the exposed WSUS servers utilize unencrypted HTTP connections (port 8530), significantly increasing the risk of man-in-the-middle attacks and credential interception.
Critical Service Analysis

Overall, the exposure landscape shows a clear concentration of risk around identity and access pathways, with remote access and login interfaces representing the majority of externally visible entry points. This pattern indicates that attackers would face relatively few barriers in identifying exploitable access routes, particularly where authentication controls or segmentation are weak. Collectively, the data reflects an environment where reducing externally exposed services and strengthening access governance will deliver the most immediate security gains.
Common Misconfigurations Identified:
- Path traversal vulnerability: 15.51% of instances
- HTTP request smuggling vulnerability: 15.46% of instances
- HTTP/2 rapid reset (DoS) vulnerability: 8.12% of instances
- Apache mod_status information disclosure: 7.56% of instances
- Remote code execution vulnerability: 7.36% of instances
- Authentication bypass vulnerability: 6.63% of instances
These findings highlight a broader trend: even mature organizations struggle with basic configuration hygiene. Regular security assessments, better patch management, and continuous monitoring remain essential to reducing exposure and preventing these common, but dangerous, vulnerabilities from evolving into full-scale incidents.
Conclusion
CVE-2025-59287 represents a critical vulnerability in Windows Server Update Services that has been rapidly weaponized by sophisticated threat actors. The Asia-Pacific region, particularly South Korea (34.37%) and China (32.13%), demonstrates significant internet-facing WSUS exposure, creating substantial attack surface for exploitation.
Key Takeaways:
- Concentrated Risk: Over 66% of APAC WSUS exposure is concentrated in South Korea and China
- Sophisticated Post-Exploitation: Velociraptor abuse demonstrates advanced threat actor capabilities
- Rapid Weaponization: 10-day timeline from disclosure to active exploitation
- Regional Implications: High-value sectors (technology, finance, government) face elevated risk
- Detection Challenges: Legitimate tool abuse and encrypted C2 complicate detection efforts
Strategic Imperatives:
Organizations within the Asia-Pacific region must prioritize:
- Immediate patching of CVE-2025-59287 across all WSUS infrastructure
- Internet exposure elimination for administrative services
- Enhanced monitoring for post-exploitation indicators
- Incident response preparedness for WSUS compromise scenarios
- Regional collaboration through CERT networks for threat intelligence sharing
The weaponization of legitimate DFIR tools like Velociraptor represents an evolving threat landscape where traditional security boundaries are increasingly blurred. Organizations must adopt defense-in-depth strategies that account for both malicious exploitation and legitimate tool abuse.
As the threat landscape continues to evolve, continuous vigilance, proactive threat hunting, and collaborative defense will remain essential for protecting critical infrastructure across the Asia-Pacific region.