At least two different cybercrime groups Bianlian and Ransomexx are said to have exploited the security flaws recently disclosed in SAP NetWeaver, indicating that multiple threat actors are exploiting the bug.
Cybersecurity company ReliaQuest said in a new update released today, it revealed evidence suggesting involvement from Vial’s data fear tor crew and the Ransomexx ransomware family.
Bianlian is rated as involved in at least one incident based on infrastructure links to IP addresses previously identified as attributed to the E-Crime group.
“Identified the server at 184[.]174[.]96[.]74 hosting reverse proxy services started by the RS64.exe executable, the company said. “This server is related to another IP, 184.[.]174[.]96[.]70, operated by the same hosting provider. The second IP was previously flagged as the Command and Control (C2) server associated with Bianlian.
ReliaQuest also observed a recent development of Pipemagic called plugin-based Trojan in connection with the use of zero-days in the Pablosing Escalation Bug (CVE-2025-29824).
The attack included the delivery of Pipemagic by using a web shell following the exploitation of SAP NetWeaver’s flaws.
“The initial attempt failed, but subsequent attacks involved the deployment of the Blue Tratel C2 framework using the execution of an inline MSBUILD task,” ReliaQuest said. “Dllhost.exe process was generated during this activity, indicating the exploitation of a CLFS vulnerability (CVE-2025-29824), which was previously exploited.
The findings come the day after eclecticiq revealed that multiple Chinese hacking groups tracked as UNC5221, UNC5174 and CL-STA-0048 were actively exploiting CVE-2025-31324 to drop various malicious payloads.
SAP security company Onapsis has revealed that threat actors have been exploiting CVE-2025-31324 since March 2025 along with the lasialization flaws in the same component (CVE-2025-42999).
“There is little actual difference between CVE-2025-31324 and CVE-2025-42999 as long as CVE-2025-31324 can be used for exploitation,” he said in a statement shared with Hacker News.
“CVE-2025-42999 indicates that higher privileges are required, while CVE-2025-31324 provides full system access. Threat actors can leverage vulnerabilities in both unauthenticated, unauthorized users in the same way.
Source link
