Full Report
2025-05-13 • EclecticIQ • Arda Büyükkaya • elf.krustyloader, elf.snowlight, win.vshell Open article on Malpedia
Analysis Summary
# Threat Actor: China-Nexus Nation State Actors
## Attribution & Identity
* **Identification:** China-Nexus Nation State Actors.
* **Aliases/Associations:** Not explicitly named, described only by nexus to China state-sponsorship.
## Activity Summary
The actors are actively exploiting **CVE-2025-31324**, a vulnerability in **SAP NetWeaver**. The campaign focuses on targeting critical infrastructure globally.
## Tactics, Techniques & Procedures
The primary TTP mentioned relates to the exploitation of a critical vulnerability:
* Exploitation of **CVE-2025-31324** (SAP NetWeaver vulnerability).
## Targeting
* **Sectors:** Critical Infrastructures.
* **Geography:** Global (implied by the nature of CI targeting).
* **Victims:** Critical Infrastructure organizations.
## Tools & Infrastructure
* **Malware families used:**
* `elf.krustyloader`
* `elf.snowlight`
* `win.vshell`
* **Infrastructure (C2, domains, IPs):** Not explicitly detailed in the provided snippet.
## Implications
The exploitation demonstrates a focused, high-impact threat against essential services worldwide, indicating strategic espionage or disruption goals against highly valuable targets.
## Mitigations
* Patching and mitigating the **CVE-2025-31324** vulnerability in SAP NetWeaver systems is critical.