{
  "name": "SAP Zero \u2013 Frostbite: How Russian RaaS Actor Qilin Exploited CVE-2025-31324 Weeks Before its Public Disclosure",
  "slug": "sap-zero-frostbite-how-russian-raas-actor-qilin-exploited-cve-2025-31324-weeks-before-its-public-disclosure",
  "description": "CVE-2025-31324 hit the security world like a tsunami \u2013 an easily exploitable SAP vulnerability affecting enterprise environments across the globe. But while most assumed its exploitation began post-disclosure, new evidence suggests otherwise.\nDuring an incident response led by OP Innovate for a major global enterprise, we uncovered proof that this vulnerability was actively exploited nearly three weeks before it was made public. While recent articles point the finger towards China-Linked APTs, we identified communication with known Cobalt Strike C2 infrastructure and IP addresses linked directly to Qilin, a notorious Russian-speaking Ransomware-as-a-Service group.",
  "published": "2025-05-20T16:01:16+00:00",
  "created_at": "2025-05-20T16:01:16+00:00",
  "modified_at": "2025-05-21T19:50:55+00:00",
  "created_at_opencti": "2025-05-20T16:01:16+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-05-20",
    "cobalt strike",
    "qilin ransomware",
    "ransomware-as-a-service (raas)",
    "sap netweaver"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "184.174.96.74"
      },
      {
        "id": "",
        "name": "184.174.96.70"
      },
      {
        "id": "",
        "name": "180.131.145.73"
      },
      {
        "id": "",
        "name": "bashupload.com"
      },
      {
        "id": "",
        "name": "bba5cfbcd7ea5635e2aaa93019febec6637cfae77e520808de73e6b0b6b9def4"
      }
    ],
    "attack_patterns": [
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      }
    ]
  },
  "external_refs": [
    "https://op-c.net/blog/sap-cve-2025-31324-qilin-breach/",
    "https://otx.alienvault.com/pulse/682cc36c603a5683307d027d"
  ]
}