Full Report
A previously unnamed China-linked threat actor, dubbed Chaya_004, has been observed exploiting a recently disclosed security flaw in SAP NetWeaver. Forescout Vedere Labs, in a report published today, said it uncovered malicious infrastructure likely associated with the hacking group, which has been weaponizing CVE-2025-31324 (CVSS score: 10.0) since April 29, 2025. CVE-2025-31324 refers to a critical SAP NetWeaver flaw
Analysis Summary
# Incident Report: Exploitation of SAP NetWeaver RCE by Chaya_004
## Executive Summary
A China-linked threat actor, dubbed Chaya\_004, actively exploited the critical SAP NetWeaver RCE vulnerability, CVE-2025-31324, deploying a custom Golang-based reverse shell named SuperShell. The exploitation began as early as late January 2025, leading to widespread compromise across various global sectors, including energy, manufacturing, and government entities, resulting in the installation of various post-exploitation tools.
## Incident Details
- Discovery Date: April 29, 2025 (Forescout observed weaponization activity starting this date, though earlier reconnaissance was noted)
- Incident Date: Exploitation in the wild noted as early as March 12, 2025, with successful web shell deployment between March 14 and March 31, 2025.
- Affected Organization: Hundreds of SAP systems globally across energy, utilities, manufacturing, media and entertainment, oil and gas, pharmaceuticals, retail, and government organizations.
- Sector: Cross-Sector (Targeting SAP environments)
- Geography: Global
## Timeline of Events
### Initial Access
- Date/Time: As early as January 20, 2025 (Reconnaissance); March 12, 2025 (Reported initial exploitation evidence).
- Vector: Remote Code Execution (RCE) via exploitation of **CVE-2025-31324**.
- Details: The flaw lies in the SAP NetWeaver "/developmentserver/metadatauploader" endpoint, which attackers used to upload web shells.
### Lateral Movement
- Details: The threat actor deployed tooling indicative of planned lateral movement, including NPS, SoftEther VPN, Cobalt Strike, and reconnaissance tools such as ARL and Pocassit.
### Data Exfiltration/Impact
- Impact: Deployment of a custom Golang-based reverse shell named **SuperShell** (hosted on 47.97.42[.]177). The attacker infrastructure also hosted tools suggesting intent for persistent control and potential data collection.
### Detection & Response
- Detection: Forescout Vedere Labs publicly reported uncovering the malicious infrastructure associated with Chaya\_004 on May 9, 2025. Onapsis observed reconnaissance activity earlier starting January 20, 2025.
- Response: Incident response work by Mandiant and other engaged firms is implied, together with vendor notification (SAP) and public analysis (Forescout, Onapsis).
## Attack Methodology
- Initial Access: Remote Code Execution (RCE) via exploitation of CVE-2025-31324 (SAP NetWeaver).
- Persistence: Use of deployed web shells and infrastructure supporting VPNs (SoftEther VPN) and tunneling tools (GO Simple Tunnel).
- Privilege Escalation: Not explicitly detailed, but often implied by successful RCE and subsequent deployment of post-exploitation frameworks like Cobalt Strike.
- Defense Evasion: Use of custom Golang shells (SuperShell) and potentially leveraging compromised infrastructure impersonating legitimate services (e.g., Cloudflare certificate impersonation on port 3232).
- Credential Access: Not explicitly detailed, but likely included in the use of established frameworks like Cobalt Strike.
- Discovery: Use of Asset Reconnaissance Lighthouse (ARL) and Pocassit for reconnaissance post-compromise.
- Lateral Movement: Use of NPS and SoftEther VPN for establishing further command and control pathways.
- Collection: Use of reconnaissance tools suggests data aggregation was a primary goal.
- Exfiltration: Not explicitly detailed, but implied by the overall threat actor objectives.
- Impact: Deployment of reverse shells for deep persistent remote access and potential resource misuse (cryptocurrency mining noted by other opportunistic actors).
## Impact Assessment
- Financial: Not specified, but implied significant costs due to the scale of affected organizations globally.
- Data Breach: Critical data exposure potential due to RCE in core enterprise systems (SAP).
- Operational: Significant risk of operational disruption across critical infrastructure sectors (Energy, Manufacturing, Government).
- Reputational: High reputational damage for affected organizations due to the compromise of core systems via a critical, known vulnerability.
## Indicators of Compromise
- Network indicators: IP address 47.97.42[.]177 (hosting SuperShell); port 3232 on that IP, which presented a self-signed certificate impersonating Cloudflare.
- File indicators: ELF binary named `config`; Golang-based reverse shell named `SuperShell`.
- Behavioral indicators: Uploading web shells via the path "/developmentserver/metadatauploader"; use of the actor's toolset (NPS, SoftEther VPN, ARL, Pocassit, GOSINT).
## Response Actions
- Containment measures: Not explicitly detailed; patching CVE-2025-31324 and isolating compromised systems are the required steps.
- Eradication steps: Removal of deployed web shells, the SuperShell reverse shell, and associated attacker tooling (Cobalt Strike, VPNs).
- Recovery actions: Likely involved full system hardening, credential rotation, and comprehensive forensic analysis across affected SAP NetWeaver instances globally.
## Lessons Learned
- Critical Pre-Patch Vulnerabilities: The attacks began *before* the full scope of CVE-2025-31324 was widely disclosed, indicating proactive threat intelligence gathering by sophisticated actors.
- Vendor Ecosystem Risk: SAP RCE flaws present a significant, wide-reaching risk due to the high concentration of critical infrastructure running the software globally.
- Tool Selection: The use of Golang for custom malware suggests a focus on cross-platform capability or evasion techniques familiar to the actor group.
## Recommendations
- Immediately patch SAP NetWeaver systems globally to mitigate CVE-2025-31324.
- Implement robust network segmentation around SAP infrastructure, especially in OT environments.
- Enhance monitoring of SAP application endpoints, specifically checking for unauthorized uploads to endpoints such as "/developmentserver/metadatauploader".
- Review infrastructure for the presence of the identified attacker tools (SuperShell, NPS, SoftEther VPN).
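As an added example of the monitoring the recommendations call for (not code from Forescout, Onapsis or the original article), the script below scans constructed web-access and connection log lines for the two indicators the report names: requests to "/developmentserver/metadatauploader" and connections to 47.97.42[.]177, with port 3232 tagged separately. Both log formats are assumptions; SAP's own ICM/AS Java log layouts differ.

```python
import re
# Indicators from the report above; the defanged IP is re-fanged for matching.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
C2_IP = "47.97.42.177"
C2_PORT = 3232
# Assumed Common Log Format for the web tier; real SAP ICM/AS Java logs differ.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) ')
# Assumed firewall/netflow shape: "<ts> <src>:<sport> -> <dst>:<dport> <proto>".
CONN_RE = re.compile(r'^\S+ (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)')

def scan_access_log(lines):
    """Return (kind, source, detail) for every request to the uploader endpoint.
    Matching ignores case and query string; a POST answered 200 is the likely
    upload, anything else is still a probe worth reviewing."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0].lower().rstrip("/")
        if path == UPLOAD_ENDPOINT:
            sev = "high" if m["method"] == "POST" and m["status"] == "200" else "medium"
            findings.append((f"upload-endpoint-{sev}", m["src"],
                             f'{m["method"]} {m["path"]} -> {m["status"]}'))
    return findings

def scan_connections(lines):
    """Flag any connection to the SuperShell host; port 3232 gets its own tag."""
    findings = []
    for line in lines:
        m = CONN_RE.match(line)
        if m and m["dst"] == C2_IP:
            kind = "c2-port-3232" if int(m["dport"]) == C2_PORT else "c2-host"
            findings.append((kind, m["src"], f'{m["dst"]}:{m["dport"]}'))
    return findings

# Constructed sample lines (not real logs): an upload, a probe, a benign request,
# then two connections from the SAP host to the C2 IP and one unrelated one.
SAMPLE_ACCESS = [
    '198.51.100.23 - - [14/Mar/2025:02:11:09 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '198.51.100.23 - - [14/Mar/2025:02:10:58 +0000] "GET /DevelopmentServer/MetadataUploader?v=1 HTTP/1.1" 200 0',
    '203.0.113.7 - - [14/Mar/2025:02:12:00 +0000] "GET /irj/portal HTTP/1.1" 200 8800',
]
SAMPLE_CONN = [
    "2025-03-14T02:15:01Z 10.0.0.5:51234 -> 47.97.42.177:3232 tcp",
    "2025-03-14T02:15:04Z 10.0.0.5:51240 -> 47.97.42.177:443 tcp",
    "2025-03-14T02:16:00Z 10.0.0.5:51300 -> 203.0.113.10:443 tcp",
]
```

Run `scan_access_log(SAMPLE_ACCESS)` and `scan_connections(SAMPLE_CONN)` to see the findings; in practice feed the functions lines from the reverse proxy in front of NetWeaver and from egress firewall logs.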