Unknown threat actor linked to China has been dubbed Chaya_004 It has been observed taking advantage of the recently disclosed security flaws of SAP NetWeaver.
In a report published Thursday, the foresight Vederellabo said it had discovered malicious infrastructure, which is likely to be associated with hacking groups weaponizing CVE-2025-31324 (CVSS score: 10.0).
CVE-2025-31324 refers to a critical SAP NetWeaver flaw that allows attackers to achieve remote code execution (RCE) by uploading a web shell through an influential “/Developmententerver/Metadatauploader” endpoint.
The vulnerability was first flagged by ReliaQuest late last month. This shows that the flaws are abused in real-world attacks by unknown threat actors dropping the web shell and the framework after the brute Ratel C4 explosion.
According to Onapsis, hundreds of SAP systems worldwide are sacrificing victims of attacks across industries and regions, including energy and utilities, manufacturing, media and entertainment, oil and gas, medicines, retail and government organizations.
The SAP Security Company said it had observed reconnaissance activities until January 20, 2025, including “testing on a specific payload for this vulnerability” with “testing on a specific payload for this vulnerability.”
Google-owned Mandiant, who is also involved in incident response efforts related to these attacks, has evidence that the first known exploitation occurred on March 12, 2025.
It is said that several threat actors have recently taken the exploitation bandwagon and targeted opportunistically vulnerable systems to adopt web shells and mine cryptocurrencies.
This also includes Chaya_004, according to Forescout. Chaya_004 hosts a web-based reverse shell written in Golang called Supershell with IP address 47.97.42 (.)177. The Operational Technology (OT) security company said it had extracted an IP address named ELF binary that will be used in the attack.
“We also identified several other open ports, including 3232/HTTP, with an anomalous self-signed certificate, which is spoofing CloudFlare, on the same IP address hosting SuperShell (47.97.42(.)177), using the following properties:
Further analysis revealed that threat actors need to host a variety of tools across their infrastructure: NPS, Softer VPN, Cobalt Strike, Asset Regonnassance Lighthouse (ARL), Pocassit, GoSint, Go Simple Tunnel.
“The use of Chinese cloud providers and some Chinese tools point to threat actors who are likely to be based in China,” the researchers added.
To protect against attacks, it is essential that users patch as quickly as possible, but limit access to the metadata uploader endpoint, disable the Visual Composer service if not in use, and monitor suspicious activity.
Onapsis CTO Juan Pablo JP Perez-Etchegoyen said to Hacker News that the activity highlighted by Forescout is a post-patch, and appears to be rapidly responding to the unfolded web shells expanding not only opportunistic (and potentially sophisticated) threat actors, but also more advanced and expanding existing presence.
