EclecticIQ analysts have uncovered a sophisticated cyber-espionage campaign orchestrated by China-nexus nation-state Advanced Persistent Threats (APTs) targeting critical infrastructure worldwide.
In April 2025, these threat actors launched a high-tempo exploitation campaign against SAP NetWeaver Visual Composer, exploiting a zero-day vulnerability identified as CVE-2025-31324.
This unauthenticated file upload flaw allows remote code execution (RCE), providing attackers with a gateway to compromise high-value networks.

Evidence from an exposed directory on attacker-controlled infrastructure revealed detailed event logs of operations across multiple systems, confirming the scale and precision of this strategic assault on essential services and government entities.
Cyber-Espionage Campaign Unveiled
The campaign’s scope is staggering, with EclecticIQ linking the intrusions to Chinese cyber-espionage units such as UNC5221, UNC5174, and CL-STA-0048, reportedly connected to China’s Ministry of State Security (MSS).
A threat actor-controlled server at IP 15.204.56.106 hosted an openly accessible directory exposing the depth of the SAP NetWeaver breaches, including 581 compromised instances backdoored with webshells and a list of 1,800 potential targets.
The attackers deployed two malicious webshells: coreasp.js, which resembles the Chinese toolkit Behinder/冰蝎 v3 and uses AES/ECB encryption for stealthy communication, and forwardsap.jsp, a lightweight fallback shell for direct command execution.

Post-exploitation tactics included deploying KrustyLoader via AWS S3 buckets for malware delivery, and SNOWLIGHT downloader by UNC5174 to execute the VShell Remote Access Trojan (RAT) in memory, evading detection.
Intrusions and Tactical Sophistication
Victimology reveals a calculated focus on critical sectors across the UK, US, and Saudi Arabia, targeting natural gas networks, water utilities, medical manufacturing, oil and gas firms, and government ministries, all of them systems integral to public welfare and national security.
The compromised SAP systems, often connected to industrial control systems (ICS) without segmentation, pose severe risks of lateral movement and potential service disruption, aligning with China-aligned APTs’ long-term objectives of espionage and strategic positioning during geopolitical tensions.
Further analysis of command-and-control (C2) traffic on April 28, 2025, identified active communication to IP 43.247.135.53, resolving to a domain linked to CL-STA-0048, with reverse shell attempts and DNS beaconing tactics confirming ongoing exploitation.
Enumeration efforts post-compromise involved mapping internal networks via Linux commands, targeting cloud-connected infrastructure like AWS workloads and VMware ESXi hypervisors, amplifying the threat of widespread impact.
EclecticIQ assesses with high confidence that such campaigns targeting internet-facing enterprise applications like SAP NetWeaver will persist, leveraging unpatched vulnerabilities for sustained access to critical infrastructure globally.
Indicators of Compromise (IOC)
| Threat Actor/Group | Indicator | Details/Hashes |
|---|---|---|
| Uncategorized China-Nexus | 15.204.56.106 | OpenDir server hosting logs, webshells, target lists |
| CL-STA-0048 | 43.247.135.53 | Resolves to sentinelones.com, TCP 10443 |
| UNC5221 (KrustyLoader) | applr-malbbal.s3.ap-northeast-2.amazonaws.com | Malware delivery domain |
| UNC5174 (SNOWLIGHT/VShell) | 103.30.76.206 | TCP 443 for SNOWLIGHT handshake |
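A defender-side sweep of connection and web-request records for the indicators in the table above and the two webshell file names named earlier, added here as an example that is not part of EclecticIQ's report or this article; the one-line record layout it parses is a constructed assumption, not a real SAP or proxy log format.

```python
import re

# Indicators copied from the article's IOC table; ports as stated there.
IOC_IPS = {
    "15.204.56.106": "open directory (logs, webshells, target lists)",
    "43.247.135.53": "CL-STA-0048 C2, TCP 10443",
    "103.30.76.206": "UNC5174 SNOWLIGHT handshake, TCP 443",
}
IOC_DOMAINS = {
    "sentinelones.com": "CL-STA-0048 C2 domain",
    "applr-malbbal.s3.ap-northeast-2.amazonaws.com": "UNC5221 KrustyLoader delivery",
}
WEBSHELL_NAMES = ("coreasp.js", "forwardsap.jsp")  # webshell file names from the article
# Constructed record format (an assumption, not a real SAP or proxy log layout):
#   <timestamp> <src_ip> -> <dst_ip>:<dst_port> <method> <url>
LOG_RE = re.compile(r"^(\S+) (\S+) -> ([^:\s]+):(\d+) (\S+) (\S+)$")

def scan_line(line):
    """Return (timestamp, reason) if the record touches an IOC, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, _src, dst, _port, _method, url = m.groups()
    if dst in IOC_IPS:
        return ts, f"connection to {dst}: {IOC_IPS[dst]}"
    host = re.sub(r"^https?://", "", url).split("/")[0].lower()
    if host in IOC_DOMAINS:
        return ts, f"request to {host}: {IOC_DOMAINS[host]}"
    path = url.split("?")[0].lower()
    for name in WEBSHELL_NAMES:
        if path.endswith("/" + name):
            return ts, f"request for webshell file {name}"
    return None

def scan(lines):
    """Run scan_line over an iterable of records and keep only the hits."""
    return [hit for hit in map(scan_line, lines) if hit]

# Constructed sample records (not captured traffic); RFC 5737 addresses for the benign rows.
SAMPLE = [
    "2025-04-28T10:01:02Z 10.0.5.7 -> 43.247.135.53:10443 CONNECT -",
    "2025-04-28T10:02:15Z 198.51.100.9 -> 10.0.5.7:50000 POST /forwardsap.jsp",
    "2025-04-28T10:03:00Z 10.0.5.7 -> 203.0.113.5:443 GET https://applr-malbbal.s3.ap-northeast-2.amazonaws.com/x",
    "2025-04-28T10:04:00Z 10.0.5.7 -> 203.0.113.6:443 GET https://example.com/index.html",
]

if __name__ == "__main__":
    for ts, reason in scan(SAMPLE):
        print(ts, reason)
```

Matching on file name alone catches only the names reported here; a renamed shell needs content-based review of recently written JSP files on the NetWeaver host.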