Full Report
Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor. [...]
Analysis Summary
# Threat Actor: Chaya_004
## Attribution & Identity
Attributed by Forescout's Vedere Labs to a China-based threat actor, tracked under the designation **Chaya_004**. The attribution rests on the actor's infrastructure rather than on victimology: the backdoor hosts sit on Chinese cloud providers and the tooling is Chinese-language.
## Activity Summary
The actor is actively exploiting a vulnerability in **SAP NetWeaver servers** in the wild. The primary goal appears to be initial access followed by deployment of backdoors, most likely by abusing the recently disclosed **CVE-2025-31324** flaw. The attack infrastructure is distinguished by self-signed TLS certificates whose subject imitates Cloudflare, an anomaly that also makes the infrastructure fingerprintable.
## Tactics, Techniques & Procedures
- Initial access via exploitation of SAP NetWeaver vulnerability (likely CVE-2025-31324).
- Deployment of reverse shell backdoors.
- Use of publicly available penetration-testing tooling (only SuperShell is named in the source).
- **Specific tool mentioned:** SuperShell (web-based reverse shell).
*Note: Specific MITRE ATT&CK IDs were not provided in the source text.*
## Targeting
- Sectors: none singled out; targeting appears to be driven by exposure of **SAP NetWeaver** rather than by industry.
- Geography: the actor's infrastructure is hosted on Chinese cloud providers (Alibaba, Shenzhen Tencent, Huawei Cloud Service, and China Unicom). Victim scope is not limited to one region; CISA's alerts to U.S. federal agencies show that U.S. organizations are among those exposed.
- Victims: While specific private victims are not named, U.S. federal agencies were issued directives to patch systems immediately.
## Tools & Infrastructure
- **Malware families used:** SuperShell (web-based reverse shell/backdoor).
- **Infrastructure:** Network of servers hosting SuperShell backdoors, often deployed on Chinese cloud providers. Malicious infrastructure utilized anomalous self-signed certificates impersonating Cloudflare.
- **Hosting indicators (provider-level only; the source lists no defanged IPs or domains):**
- Cloud Providers: Alibaba, Shenzhen Tencent, Huawei Cloud Service, China Unicom.
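A certificate that is self-signed yet presents itself as Cloudflare is exactly the anomaly described above, and it is cheap to hunt for in a TLS scan export. The following is an added example, not Forescout's code or tooling; the record layout (host, subject/issuer DNs, SAN list) is an assumed stand-in for what a scanner would emit, and the sample records are constructed.

```python
"""Flag TLS certificates that are self-signed but claim to be Cloudflare.

Added example, not code from Forescout or from the original page. Input
records are a constructed stand-in for a TLS scanner export; the field
names ("host", "cert", "subject", "issuer", "san") are assumptions.
"""


def _dn_field(dn: dict, key: str) -> str:
    """Return a distinguished-name attribute (CN, O, ...) lower-cased, or ''."""
    return (dn.get(key) or "").strip().lower()


def is_self_signed(cert: dict) -> bool:
    # Heuristic used by most scanners: issuer DN equals subject DN.
    # A strict check would also verify the signature with the cert's own key.
    return cert["subject"] == cert["issuer"]


def claims_cloudflare(cert: dict) -> bool:
    """True if the *subject* (CN, O or any SAN) names Cloudflare."""
    names = [_dn_field(cert["subject"], "CN"), _dn_field(cert["subject"], "O")]
    names += [n.lower() for n in cert.get("san", [])]
    return any("cloudflare" in n for n in names)


def is_anomalous_cloudflare_cert(cert: dict) -> bool:
    """Genuine Cloudflare edge certificates chain to a public CA; a certificate
    that names Cloudflare in its subject *and* is self-signed has no business
    being on a legitimate Cloudflare host."""
    return claims_cloudflare(cert) and is_self_signed(cert)


def triage(records: list[dict]) -> list[str]:
    """Return the hosts whose certificate trips the rule, in input order."""
    return [r["host"] for r in records if is_anomalous_cloudflare_cert(r["cert"])]


# Constructed sample records (RFC 5737 documentation addresses).
SAMPLE = [
    {   # self-signed, pretends to be Cloudflare -> flag
        "host": "203.0.113.10",
        "cert": {"subject": {"CN": "Cloudflare Origin Certificate", "O": "Cloudflare, Inc."},
                 "issuer": {"CN": "Cloudflare Origin Certificate", "O": "Cloudflare, Inc."},
                 "san": ["203.0.113.10"]},
    },
    {   # real Cloudflare-fronted site: customer CN, issued by a public CA -> benign
        "host": "example.com",
        "cert": {"subject": {"CN": "example.com"},
                 "issuer": {"CN": "Cloudflare Inc ECC CA-3", "O": "Cloudflare, Inc."},
                 "san": ["example.com", "www.example.com"]},
    },
    {   # plain self-signed dev certificate, no impersonation -> benign under this rule
        "host": "198.51.100.2",
        "cert": {"subject": {"CN": "localhost"}, "issuer": {"CN": "localhost"}, "san": []},
    },
    {   # self-signed with Cloudflare only in the SAN -> flag
        "host": "198.51.100.7",
        "cert": {"subject": {"CN": "198.51.100.7"}, "issuer": {"CN": "198.51.100.7"},
                 "san": ["cloudflare-dns.example"]},
    },
]

if __name__ == "__main__":
    for host in triage(SAMPLE):
        print("anomalous Cloudflare-lookalike certificate on", host)
```

The rule deliberately ignores the issuer when deciding whether a certificate "claims" Cloudflare: a legitimate site behind Cloudflare carries Cloudflare only in the issuer, which is the expected pattern, not the anomaly.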
## Implications
This actor is exploiting a critical vulnerability in a widely deployed enterprise system (SAP NetWeaver) within days of disclosure, which points to a focus on high-value network access rather than on any one sector. Hosting the backdoor network on commercial cloud providers and dressing it in Cloudflare-lookalike certificates serves both persistence and attribution hygiene, although the self-signed certificates are themselves a usable detection handle. The immediate threat level is high, evidenced by CISA's inclusion of the associated CVE in its *Known Exploited Vulnerabilities Catalog* and mandatory patching deadlines for federal agencies.
## Mitigations
- Immediately patch SAP NetWeaver instances to address the exploited vulnerability (CVE-2025-31324).
- Until the patch is applied, restrict network access to the Visual Composer metadata uploader endpoint to the developer hosts that legitimately need it.
- Monitor for signs of compromise: unexpected POST requests to the metadata uploader, newly created JSP files under the Java server's web root, known backdoors such as SuperShell, and outbound connections to the cloud-hosted infrastructure described above.
- Where Visual Composer is not in use, disable the service entirely as a defensive measure.