Hackers Exploit WSUS Flaw to Spread Skuld Stealer Despite Microsoft Patch

Cybercriminals exploit a WSUS vulnerability to deploy Skuld Stealer malware, even after Microsoft released an urgent security patch.

HackRead

A vulnerability in Windows Server Update Services (WSUS) is being actively exploited by cybercriminals to plant Skuld Stealer malware, according to new research from the cybersecurity firm Darktrace.

This service, which lets companies manage Microsoft updates centrally across corporate networks, contains a flaw, identified as CVE-2025-59287, which Microsoft disclosed in October 2025. Because WSUS servers hold key permissions within a network, they are considered high-value targets.

The initial security fix released by Microsoft as part of its October 2025 Patch Tuesday did not fully address the flaw, forcing a second, urgent update (an out-of-band patch) on October 23. Even with the updates available, criminals started using the flaw right away, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to add the problem to its list of exploited vulnerabilities on October 24.

**The Attack Timeline**

Darktrace investigated two separate incidents involving US-based customers in which this vulnerability was used by attackers. The first signs of trouble began on October 24, 2025, the same day CISA added the flaw to its list.

In the initial case, a WSUS server belonging to a firm in the Information and Communication sector began making unusual connections to webhook.site around 3:55 AM. Further communication followed, with some connections made using the common tools PowerShell and cURL.

These are legitimate programs, but the attackers were misusing them to remotely control the server. By October 26, the device started connecting to rare subdomains of workers.dev, a service often abused by hackers.

Further probing revealed that the device downloaded a legitimate security tool called Velociraptor. The attackers used a vulnerable version of this tool to create a hidden communication ‘tunnel’ back to their command server. The malicious communication continued into October 27, leading to the possible download of the final payload: a data-stealing program called Skuld Stealer.

This stealer harvests sensitive information such as crypto wallets, and the attackers aimed to “maintain persistence in enterprise environments, bypassing traditional defences,” according to the Darktrace report shared with Hackread.com.

**Education Sector Incident**

A second, similar attack was detected shortly after the first, impacting a WSUS server within the Education sector. This device also made outgoing connections using PowerShell to webhook.site on October 24.

While Darktrace did not see further network activity, it is worth noting that the customer’s own security system flagged malicious activity on October 27, suggesting the compromise may have continued quietly on the host.
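As an added, illustrative detection check (not Darktrace's or HackRead's code), the following Python scans constructed proxy-log lines for the pattern the two cases share: a WSUS server reaching webhook.site or a workers.dev subdomain, optionally with a PowerShell or cURL user agent. The WSUS hostnames, the log format and the sample lines are assumptions made for this example.

```python
"""Flag outbound connections from WSUS servers to the domains named in the report."""
import re
from collections import defaultdict

# Hostnames of the organisation's WSUS servers (assumed; constructed for this example).
WSUS_HOSTS = {"wsus01.corp.example"}
# Destination patterns taken from the incident description: webhook.site and *.workers.dev.
SUSPECT_DOMAINS = [re.compile(r"(^|\.)webhook\.site$"), re.compile(r"(^|\.)workers\.dev$")]
# User-agent fragments for the two tools the report names as misused on the server.
SUSPECT_AGENTS = ("WindowsPowerShell", "curl/")

# Constructed proxy log lines (not real data), space-separated:
# <timestamp> <src_host> <dst_host> <user_agent>
SAMPLE_LOG = """\
2025-10-24T03:55:12Z wsus01.corp.example webhook.site WindowsPowerShell/5.1
2025-10-24T03:55:40Z wsus01.corp.example webhook.site curl/8.4.0
2025-10-24T09:12:03Z fileserver.corp.example updates.microsoft.com Windows-Update-Agent
2025-10-26T11:02:55Z wsus01.corp.example abc123.workers.dev WindowsPowerShell/5.1
2025-10-26T11:03:10Z laptop7.corp.example example.workers.dev Mozilla/5.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")


def is_suspect_destination(host: str) -> bool:
    """True when the destination is webhook.site or any workers.dev subdomain."""
    return any(p.search(host.lower()) for p in SUSPECT_DOMAINS)


def find_wsus_beacons(log_text: str) -> dict[str, list[tuple[str, str, str]]]:
    """Return {wsus_host: [(timestamp, destination, reason), ...]}.

    A line is reported only when the source is a known WSUS server and the
    destination matches a suspect domain; the reason records whether the
    user agent also points at PowerShell or cURL."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, src, dst, ua = m.groups()
        if src not in WSUS_HOSTS or not is_suspect_destination(dst):
            continue
        tool = next((a.rstrip("/") for a in SUSPECT_AGENTS if a in ua), None)
        reason = f"suspect domain via {tool}" if tool else "suspect domain"
        hits[src].append((ts, dst, reason))
    return dict(hits)


if __name__ == "__main__":
    for host, events in find_wsus_beacons(SAMPLE_LOG).items():
        print(host)
        for ts, dst, reason in events:
            print(f"  {ts} -> {dst} ({reason})")
```

In a real deployment the WSUS host set would come from asset inventory and the log lines from the proxy or DNS pipeline; the matching logic stays the same.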

[Figure: Case 1, a timeline outlining suspicious activity detected by Darktrace; Case 2, a timeline outlining suspicious activity on the device]

The research confirms how criminals are “leveraging WSUS to deliver malicious payloads.” Darktrace researchers emphasise that an exploit of this kind can lead to considerable damage, from data theft to a full-scale network compromise.

This chain of events also clearly shows that companies need to be prepared to defend against such attacks, especially now that criminals are misusing even normal, trusted programs to break in.

Related news

⚡ Weekly Recap: Hot CVEs, npm Worm Returns, Firefox RCE, M365 Email Raid & More

Hackers aren’t kicking down the door anymore. They just use the same tools we use every day — code packages, cloud accounts, email, chat, phones, and “trusted” partners — and turn them against us. One bad download can leak your keys. One weak vendor can expose many customers at once. One guest invite, one link on a phone, one bug in a common tool, and suddenly your mail, chats, repos, and

ShadowPad Malware Actively Exploits WSUS Vulnerability for Full System Access

A recently patched security flaw in Microsoft Windows Server Update Services (WSUS) has been exploited by threat actors to distribute malware known as ShadowPad. "The attacker targeted Windows Servers with WSUS enabled, exploiting CVE-2025-59287 for initial access," AhnLab Security Intelligence Center (ASEC) said in a report published last week. "They then used PowerCat, an open-source

Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks

Bad actors are leveraging browser notifications as a vector for phishing attacks to distribute malicious links by means of a new command-and-control (C2) platform called Matrix Push C2. "This browser-native, fileless framework leverages push notifications, fake alerts, and link redirects to target victims across operating systems," Blackfog researcher Brenda Robb said in a Thursday report. In

November “In the Trend of VM” (#21): vulnerabilities in Windows, SharePoint, Redis, XWiki, Zimbra Collaboration, and Linux

November “In the Trend of VM” (#21): vulnerabilities in Windows, SharePoint, Redis, XWiki, Zimbra Collaboration, and Linux. The usual monthly roundup. After several months, here’s a big one. 🔥 🗞 Post on Habr (rus)🗞 Post on SecurityLab (rus)🗒 Digest on the PT website (rus) A total of nine vulnerabilities: 🔻 RCE – Windows Server Update […]

CISA and NSA Issue Urgent Guidance to Secure WSUS and Microsoft Exchange Servers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), along with international partners from Australia and Canada, have released guidance to harden on-premise Microsoft Exchange Server instances from potential exploitation. "By restricting administrative access, implementing multi-factor authentication, enforcing strict transport security

Trick, treat, repeat

Thor gets into the Halloween spirit, sharing new CVE trends, a “treat” for European Windows 10 users, and a reminder that patching is your best defense against zombie vulnerabilities.

⚡ Weekly Recap: WSUS Exploited, LockBit 5.0 Returns, Telegram Backdoor, F5 Breach Widens

Security, trust, and stability — once the pillars of our digital world — are now the tools attackers turn against us. From stolen accounts to fake job offers, cybercriminals keep finding new ways to exploit both system flaws and human behavior. Each new breach proves a harsh truth: in cybersecurity, feeling safe can be far more dangerous than being alert. Here’s how that false sense of security

Microsoft Issues Emergency Patch for Actively Exploited Critical WSUS Vulnerability

Microsoft on Thursday released out-of-band security updates to patch a critical-severity Windows Server Update Services (WSUS) vulnerability that has a proof-of-concept (PoC) exploit publicly available and has come under active exploitation in the wild. The vulnerability in question is CVE-2025-59287 (CVSS score: 9.8), a remote code execution flaw in WSUS that was originally fixed by the tech giant

Microsoft Patch Tuesday Oct 2025 Fixes 175 Vulnerabilities including 3 Zero-Days

October's Microsoft Patch Tuesday fixes 170+ flaws, including 3 actively exploited zero-days and critical WSUS RCE (CVSS 9.8). Immediate patching is mandatory. Final free updates for Windows 10.

Two New Windows Zero-Days Exploited in the Wild — One Affects Every Version Ever Shipped

Microsoft on Tuesday released fixes for a whopping 183 security flaws spanning its products, including three vulnerabilities that have come under active exploitation in the wild, as the tech giant officially ended support for its Windows 10 operating system unless the PCs are enrolled in the Extended Security Updates (ESU) program. Of the 183 vulnerabilities, eight of them are non-Microsoft

Patch Tuesday, October 2025 ‘End of 10’ Edition

Microsoft today released software updates to plug a whopping 172 security holes in its Windows operating systems, including at least three vulnerabilities that are already being actively exploited. October's Patch Tuesday also marks the final month that Microsoft will ship security updates for Windows 10 systems. If you're running a Windows 10 PC and you're unable or unwilling to migrate to Windows 11, read on for other options.