This 'SAP Ariba Quote' Isn't What It Seems—It's Ransomware

· Published 15/08/2025 11:38 · Modified 15/08/2025 13:07

Essential information

Tags
2025-08-15, bitcoin, data exfiltration, encryption, keylogger, leeme ransomware, phishing, ransomware, sap ariba, social engineering
Related entities
1 intrusion sets (apt), 9 techniques (mitre), 1 malware

Description

A sophisticated campaign has been uncovered, masquerading as a new tool. The attack uses email lures, sender spoofing, and impersonation of legitimate software vendors to deliver . The malware employs SAP branding, a fake GUI, and a Portuguese ransom note. It targets various file types using AES-256 and includes keylogging and capabilities. The creates autorun entries, bypasses Windows Defender, and sets up remote access. With a relatively low ransom demand, it appears to be a widespread campaign rather than targeting high-value individuals. The attack serves as a reminder of the importance of user vigilance and proper cybersecurity measures.

External references