A threat actor linked to China, codenamed Chaya_004, has been observed exploiting a recently disclosed security flaw in SAP NetWeaver.
According to a report published Thursday by Forescout Vedere Labs, the company discovered malicious infrastructure likely linked to the group, which has been exploiting CVE-2025-31324 (CVSS score: 10.0) since April 29, 2025.
CVE-2025-31324 is a critical flaw in SAP NetWeaver that allows remote code execution (RCE) by uploading web shells through the vulnerable /developmentserver/metadatauploader endpoint.
ReliaQuest first warned of this vulnerability at the end of last month, when it was discovered that unknown threat actors were exploiting it in the wild to deploy web shells and the Brute Ratel C4 post-exploitation platform.
According to Onapsis, attacks have affected hundreds of SAP systems worldwide, spread across various sectors and geographic locations, including energy and utilities, manufacturing, media and entertainment, oil and gas, pharmaceuticals, retail, and government organizations.
Onapsis observed reconnaissance activity against its honeypots as early as January 20, 2025, with specific payloads being tested against the vulnerability; successful web shell deployments were then seen between March 14 and 31.
Google subsidiary Mandiant, which is also responding to incidents, has evidence that the first known exploitation occurred on March 12, 2025.
Multiple threat actors are now believed to be exploiting the flaw to plant web shells on vulnerable systems or, opportunistically, to mine cryptocurrency.
According to Forescout, Chaya_004 is also among them. This actor hosts a web-based reverse shell written in Golang, called SuperShell, at the IP address 47.97.42[.]177. The OT security company discovered this IP address in an ELF binary named config used in the attack.
According to Forescout researchers Sai Molige and Luca Barba, the IP address hosting SuperShell (47.97.42[.]177) also exposes several other open ports. One is port 3232, an HTTP service that presents an unusual self-signed certificate impersonating Cloudflare.
Multiple tools
Further analysis revealed that the threat actor hosts multiple tools on their infrastructure: NPS, SoftEther VPN, Cobalt Strike, Asset Reconnaissance Lighthouse (ARL), Pocassit, GOSINT, and GO Simple Tunnel.
According to the researchers, the use of Chinese cloud platforms and tools written in Chinese indicates that the attackers are most likely based in China.
To protect against such attacks, organizations should apply the patches as soon as possible (if they haven't already), restrict access to the metadata uploader endpoint, disable the Visual Composer service if it is not in use, and monitor for suspicious activity.
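As an added example (not code from the article, Forescout or Onapsis), the following Python script shows what monitoring the endpoint named above can look like: it scans access-log lines for traffic to /developmentserver/metadatauploader, flags upload attempts and out-of-network probes, and assumes a Common Log Format front end and an allowed internal range of 10.0.0.0/8; the log lines are constructed, not real traffic.

```python
import re
from ipaddress import ip_address, ip_network

# Endpoint named in the CVE-2025-31324 reporting.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Assumption: internal ranges from which legitimate developer traffic originates.
ALLOWED_NETWORKS = [ip_network("10.0.0.0/8")]

# Common Log Format; the field layout is an assumption about the proxy in front of SAP.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for external sources.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5123
203.0.113.7 - - [29/Apr/2025:10:02:11 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 912
10.0.0.9 - - [29/Apr/2025:10:03:40 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 77
198.51.100.4 - - [29/Apr/2025:10:04:05 +0000] "GET /developmentserver/metadatauploader?x=1 HTTP/1.1" 404 0
"""


def classify(line):
    """Return (severity, reason) for one access-log line, or None if unremarkable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string and normalise case before comparing paths.
    path = m.group("path").split("?", 1)[0].lower()
    if path != UPLOADER_PATH:
        return None
    src = ip_address(m.group("src"))
    internal = any(src in net for net in ALLOWED_NETWORKS)
    if m.group("method") == "POST":
        # An upload is the exploitation primitive, so it is high even from inside.
        return ("high", f"upload to metadata uploader from {src}")
    if not internal:
        return ("medium", f"probe of metadata uploader from external {src}")
    return ("low", f"access to metadata uploader from internal {src}")


def scan(log_text):
    """Run classify() over every line and collect the findings in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_LOG):
        print(f"[{severity}] {reason}")
```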
Juan Pablo JP Perez-Etchegoyen, CTO of Onapsis, told The Hacker News that the activity demonstrated by Forescout is taking place after the patch was released. According to Perez-Etchegoyen, this development poses an increasing risk, as not only are less sophisticated hackers exploiting it, but advanced threat actors are also quickly taking advantage of existing vulnerabilities to further expand their access.