China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures

May 21, 2025, 7:53 p.m.

Description

A report from EclecticIQ on a China-Nexus nation-state cyber-espionage campaign against SAP NetWeaver reveals details of Chinese-speaking attackers' operations and how they target high-value networks.

Date

  • Created: May 14, 2025, 5:09 p.m.
  • Published: May 14, 2025, 5:09 p.m.
  • Modified: May 21, 2025, 7:53 p.m.

Indicators


Attack Patterns

Additional Information

  • Critical Infrastructure

Linked vulnerabilities