216.73.217.139

SAP Zero – Frostbite: How Russian RaaS Actor Qilin Exploited CVE-2025-31324 Weeks Before its Public Disclosure

· Published 20/05/2025 18:01 · Modified 21/05/2025 21:50

Export JSON

Essential information

Published
20/05/2025 18:01
Modified
21/05/2025 21:50
Tags
2025-05-20 cobalt strike qilin ransomware ransomware-as-a-service (raas) sap netweaver
Related entities
5 observables, 5 techniques (mitre)

Description

CVE-2025-31324 hit the security world like a tsunami – an easily exploitable SAP vulnerability affecting enterprise environments across the globe. But while most assumed its exploitation began post-disclosure, new evidence suggests otherwise. During an incident response led by OP Innovate for a major global enterprise, we uncovered proof that this vulnerability was actively exploited nearly three weeks before it was made public. While recent articles point the finger towards China-Linked APTs, we identified communication with known C2 infrastructure and IP addresses linked directly to Qilin, a notorious Russian-speaking Ransomware-as-a-Service group.

External references