SAP Zero – Frostbite: How Russian RaaS Actor Qilin Exploited CVE-2025-31324 Weeks Before its Public Disclosure
May 21, 2025, 9:50 p.m.
Description
CVE-2025-31324 hit the security world like a tsunami – an easily exploitable SAP vulnerability affecting enterprise environments across the globe. While most assumed exploitation began only after disclosure, new evidence suggests otherwise. During an incident response led by OP Innovate for a major global enterprise, we uncovered proof that this vulnerability was actively exploited nearly three weeks before it was made public. While recent articles point the finger at China-linked APTs, we identified communication with known Cobalt Strike C2 infrastructure and IP addresses linked directly to Qilin, a notorious Russian-speaking Ransomware-as-a-Service group.
Date
- Created: May 20, 2025, 6:01 p.m.
- Published: May 20, 2025, 6:01 p.m.
- Modified: May 21, 2025, 9:50 p.m.
Indicators
- bba5cfbcd7ea5635e2aaa93019febec6637cfae77e520808de73e6b0b6b9def4
- 184.174.96.74
- 184.174.96.70
- 180.131.145.73
- bashupload.com