An unnamed Chinese-linked threat actor called Chaya_004 has been observed taking advantage of a security flaw recently disclosed in SAP NetWeaver.
Vedere Labs said in a report released today that since April 29, 2025, it has discovered malicious infrastructure that is likely to be associated with hacking groups weaponizing CVE-2025-31324 (CVSS score: 10.0).
CVE-2025-31324 refers to a critical SAP NetWeaver flaw that allows attackers to achieve remote code execution (RCE) by uploading a web shell through an influential “/Developmententerver/Metadatauploader” endpoint.
The vulnerability was first flagged by ReliaQuest late last month. This shows that the flaws are abused in real-world attacks by unknown threat actors dropping the web shell and the framework after the brute Ratel C4 explosion.
According to Onapsis, hundreds of SAP systems worldwide are sacrificing victims of attacks across industries and regions, including energy and utilities, manufacturing, media and entertainment, oil and gas, medicines, retail and government organizations.
The SAP Security Company said it had observed reconnaissance activities until January 20, 2025, including “testing on a specific payload for this vulnerability” with “testing on a specific payload for this vulnerability.”
Google-owned Mandiant, who is also involved in incident response efforts related to these attacks, has evidence of exploitation on March 12, 2025.
It is said that several threat actors have recently taken the exploitation bandwagon and targeted opportunistically vulnerable systems to adopt web shells and mine cryptocurrencies.
This also includes Chaya_004 for each Forescout. It hosts a web-based reverse shell written in Golang called Supershell with IP address 47.97.42.[.]177. Operational Technology (OT) security companies said they extracted the IP address from the configuration of the ELF binary names used in the attack.
“Same IP address hosting SuperShell (47.97.42[.]177) We also identified several other open ports, including 3232/HTTP, which used an anomalous self-signed certificate impersonating CloudFlare for the following characteristics: C=US, O=CloudFlare, Inc, CN=:3232, “Forescout Researchers Sai Molige and Luca Barba said.
Further analysis revealed that threat actors need to host a variety of tools across their infrastructure: NPS, Softer VPN, Cobalt Strike, Asset Regonnassance Lighthouse (ARL), Pocassit, GoSint, Go Simple Tunnel.
“The use of Chinese cloud providers and some Chinese tools point to threat actors who are likely to be based in China,” the researchers added.
To protect against attacks, it is essential that users patch as quickly as possible, but limit access to the metadata uploader endpoint, disable the Visual Composer service if not in use, and monitor suspicious activity.
Onapsis CTO Juan Pablo JP Perez-Etchegoyen said to Hacker News that the activity highlighted by Forescout is a post-patch, and appears to be rapidly responding to the unfolded web shells expanding not only opportunistic (and potentially sophisticated) threat actors, but also more advanced and expanding existing presence.
Source link
