China-nexus Advanced Persistent Threat (APT) groups launched a coordinated cyber-espionage campaign in April 2025, targeting critical infrastructure through a zero-day vulnerability in SAP NetWeaver Visual Composer. The attackers exploited CVE-2025-31324, an unauthenticated file upload vulnerability that enables remote code execution (RCE), to gain access to enterprise systems globally.
The campaign, attributed to Chinese-linked APT groups UNC5221, UNC5174, and CL-STA-0048, focused on SAP NetWeaver systems operating in critical infrastructure networks across countries including the United States, United Kingdom, and Saudi Arabia. According to EclecticIQ, the attackers leveraged an open directory (opendir) hosted on their infrastructure containing detailed logs, two Nuclei-generated scan results, and indicators of successful exploitation.
Post-compromise analysis revealed deployment of webshells to enable persistent remote access. Analysts observed nearly 5,000 malicious commands executed across victim environments, including network discovery, SAP-specific mapping, and backup reconnaissance, with the aim of facilitating lateral movement. Many affected systems ran on VMware ESXi hypervisors with poor segmentation.
The attackers also deployed KrustyLoader, a Rust-based malware loader, to drop Sliver backdoors during the post-exploitation phase. KrustyLoader, previously seen in attacks involving Ivanti VPN zero-days (CVE-2024-21887 and CVE-2023-46805), has been tied to both UNC5221 and broader China-linked threat clusters.
Command-and-control (C2) traffic from breached SAP NetWeaver instances was traced to the CL-STA-0048 domain. The domain and its associated IPs also matched infrastructure that Fortinet had flagged in connection with exploitation of the Ivanti CSA vulnerabilities CVE-2024-8963 and CVE-2024-9380.
In a parallel chain of activity, UNC5174 is assessed to be actively deploying a multi-stage malware suite involving the SNOWLIGHT downloader, the VShell RAT, and the GOREVERSE backdoor. All three tools were executed via SAP webshells, aligning with UNC5174’s previous exploitation of F5 BIG-IP (CVE-2023-46747) and ConnectWise ScreenConnect (CVE-2024-1709) vulnerabilities.
Both Mandiant and Palo Alto Networks link the threat actors to China’s Ministry of State Security (MSS) or affiliated contractors, citing long-term espionage operations and strategic targeting of high-value assets.