{
  "name": "China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures",
  "slug": "china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures",
  "description": "A report from EclecticIQ on a China-Nexus nation-state cyber-espionage campaign against SAP NetWeaver reveals details of Chinese-speaking attackers' operations and how they target high-value networks.",
  "published": "2025-05-14T15:09:50+00:00",
  "created_at": "2025-05-14T15:09:50+00:00",
  "modified_at": "2025-05-21T17:53:46+00:00",
  "created_at_opencti": "2025-05-14T15:09:50+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-05-14",
    "apt",
    "azure ad",
    "china-nexus",
    "clsta0048",
    "cve202531324",
    "krustyloader",
    "sap netweaver",
    "sliver",
    "snowlight",
    "sta-0048",
    "unc5174",
    "vshell",
    "webshell"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "96.9.124.89"
      },
      {
        "id": "",
        "name": "65.20.81.172"
      },
      {
        "id": "",
        "name": "64.95.11.95"
      },
      {
        "id": "",
        "name": "62.234.24.38"
      },
      {
        "id": "",
        "name": "52.185.157.28"
      },
      {
        "id": "",
        "name": "45.77.119.13"
      },
      {
        "id": "",
        "name": "45.61.137.162"
      },
      {
        "id": "",
        "name": "45.155.222.14"
      },
      {
        "id": "",
        "name": "27.25.148.183"
      },
      {
        "id": "",
        "name": "23.95.123.5"
      },
      {
        "id": "",
        "name": "215.204.56.106"
      },
      {
        "id": "",
        "name": "212.192.15.213"
      },
      {
        "id": "",
        "name": "212.11.64.225"
      },
      {
        "id": "",
        "name": "208.76.55.39"
      },
      {
        "id": "",
        "name": "206.237.1.201"
      },
      {
        "id": "",
        "name": "196.251.85.31"
      },
      {
        "id": "",
        "name": "185.143.222.215"
      },
      {
        "id": "",
        "name": "184.174.96.39"
      },
      {
        "id": "",
        "name": "162.248.53.119"
      },
      {
        "id": "",
        "name": "159.65.34.242"
      },
      {
        "id": "",
        "name": "156.238.224.227"
      },
      {
        "id": "",
        "name": "154.37.221.237"
      },
      {
        "id": "",
        "name": "15.204.56.106"
      },
      {
        "id": "",
        "name": "142.202.4.28"
      },
      {
        "id": "",
        "name": "141.164.35.53"
      },
      {
        "id": "",
        "name": "138.197.40.133"
      },
      {
        "id": "",
        "name": "130.185.118.247"
      },
      {
        "id": "",
        "name": "107.174.81.24"
      },
      {
        "id": "",
        "name": "103.30.76.206"
      },
      {
        "id": "",
        "name": "52.172.31.130"
      },
      {
        "id": "",
        "name": "23.227.196.204"
      },
      {
        "id": "",
        "name": "192.243.115.175"
      },
      {
        "id": "",
        "name": "153.92.4.236"
      },
      {
        "id": "",
        "name": "149.62.46.132"
      },
      {
        "id": "",
        "name": "46.29.161.198"
      },
      {
        "id": "",
        "name": "43.247.135.53"
      },
      {
        "id": "",
        "name": "185.165.169.31"
      },
      {
        "id": "",
        "name": "65.49.235.210"
      },
      {
        "id": "",
        "name": "138.68.61.82"
      },
      {
        "id": "",
        "name": "107.175.77.118"
      },
      {
        "id": "",
        "name": "http://43.247.135.53:10443"
      },
      {
        "id": "",
        "name": "http://43.247.135.53/10443"
      },
      {
        "id": "",
        "name": "http://103.30.76.206:443/slt"
      },
      {
        "id": "",
        "name": "aaa.ki6zmfw3ps8q14rfbfczfq5qkhq8e12q.oastify.com"
      },
      {
        "id": "",
        "name": "trycloudflare.com"
      },
      {
        "id": "",
        "name": "sentinelones.com"
      },
      {
        "id": "",
        "name": "f92d0cf4d577c68aa615797d1704f40b14810d98b48834b241dd5c9963e113ec"
      },
      {
        "id": "",
        "name": "c71da1dfea145798f881afd73b597336d87f18f8fd8f9a7f524c6749a5c664e4"
      },
      {
        "id": "",
        "name": "b8e56de3792dbd0f4239b54cfaad7ece3bd42affa4fbbdd7668492de548b5df8"
      },
      {
        "id": "",
        "name": "b9533ce8e428f16f3d0e1946f19a6f756ff11a532d0b7e61ae402837f46c678e"
      },
      {
        "id": "",
        "name": "91f66ba1ad49d3062afdcc80e54da0807207d80a1b539edcdbd6e1bf99e7a2ca"
      },
      {
        "id": "",
        "name": "63aa0c6890ec5c16b872fb6d070556447cd707dfba185d32a2c10c008dbdbcdd"
      },
      {
        "id": "",
        "name": "5f3d1f17033d85b85f3bd5ae55cb720e53b31f1679d52986c8d635fd1ce0c08a"
      },
      {
        "id": "",
        "name": "5e24b41a0bd076ec2b4e49e66daac94396c6180d00a45bcd7f4342a385fa1eed"
      },
      {
        "id": "",
        "name": "4c9e60cc73e87da4cadc51523690d67549de4902e880974bfacf7f1a8dc40d7d"
      },
      {
        "id": "",
        "name": "3f14dc65cc9e35989857dc1ec4bb1179ab05457f2238e917b698edb4c57ae7ce"
      },
      {
        "id": "",
        "name": "2dcbb4138f836bb5d7bc7d8101d3004848c541df6af997246d4b2a252f29d51a"
      },
      {
        "id": "",
        "name": "0c2c8280701706e0772cb9be83502096e94ad4d9c21d576db0bc627e1e84b579"
      },
      {
        "id": "",
        "name": "00920e109f16fe61092e70fca68a5219ade6d42b427e895202f628b467a3d22e"
      },
      {
        "id": "",
        "name": "888e953538ff668104f838120bc4d801c41adb07027db16281402a62f6ec29ef"
      },
      {
        "id": "",
        "name": "47ff0ae9220a09bfad2a2fb1e2fa2c8ffe5e9cb0466646e2a940ac2e0cf55d04"
      }
    ],
    "malware": [
      {
        "id": "5f508ba1-35f7-4819-808c-de89d304c647",
        "name": "KrustyLoader",
        "slug": "krustyloader"
      },
      {
        "id": "226e045b-92c4-4d99-b2b4-ff0c4a87902a",
        "name": "SNOWLIGHT",
        "slug": "snowlight"
      }
    ],
    "intrusion_sets": [
      {
        "id": "2e54fa39-e752-4f0a-9cce-777647d11a1f",
        "name": "China-Nexus",
        "slug": "china-nexus"
      }
    ],
    "attack_patterns": [
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2025-31324"
      },
      {
        "id": "",
        "name": "CVE-2024-9380"
      },
      {
        "id": "",
        "name": "CVE-2024-9381"
      },
      {
        "id": "",
        "name": "CVE-2024-9379"
      },
      {
        "id": "",
        "name": "CVE-2024-8963"
      },
      {
        "id": "",
        "name": "CVE-2024-36401"
      },
      {
        "id": "",
        "name": "CVE-2024-1709"
      },
      {
        "id": "",
        "name": "CVE-2024-21887"
      },
      {
        "id": "",
        "name": "CVE-2023-46805"
      },
      {
        "id": "",
        "name": "CVE-2023-46747"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Critical Infrastructure"
      }
    ]
  },
  "external_refs": [
    "https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures",
    "https://otx.alienvault.com/pulse/6824ce5f2a19922c64e259ed"
  ]
}