Chinese Threat Actors Leverage SAP RCE Vulnerability CVE-2025-31324 to Deploy Golang-Powered SuperShell Malware

09.05.2025

A China-affiliated threat actor, labeled Chaya_004, has been observed actively exploiting a critical vulnerability in SAP NetWeaver. The flaw, identified as CVE-2025-31324 with a CVSS score of 10.0, enables unauthenticated attackers to execute arbitrary code remotely by uploading malicious files through a vulnerable server endpoint. This exploitation activity has been tracked since late April 2025.

The attack vector targets a specific upload function that lacks proper security controls, allowing the deployment of web shells. Once the flaw was publicly disclosed, several incidents were recorded in which attackers leveraged it to install tools for maintaining access and expanding their control within compromised systems. Among the tools observed was a reverse shell written in Golang, named SuperShell, linked to infrastructure controlled by the attackers.

Investigations revealed that the IP address hosting the SuperShell payload also served multiple other malicious services, including falsified certificates and ports used for unauthorized communication. A deeper inspection into the infrastructure showed a broader toolkit being deployed, suggesting a well-equipped and technically capable adversary likely operating from within China, given the characteristics of the tools and hosting providers used.

Multiple cybersecurity firms reported seeing related reconnaissance and intrusion attempts as early as January 2025, with confirmed compromises occurring in March. The attacks affected organizations across a wide range of sectors and regions, indicating that the campaign is not targeted but rather opportunistic in nature, focusing on any unpatched SAP instance accessible online.

Security analysts emphasize the importance of applying available patches without delay and recommend additional safeguards such as endpoint access restrictions, deactivation of the affected service where it is not needed, and heightened monitoring for irregular activity. Applying the security updates does not remove web shells that were deployed beforehand, so environments compromised before patching may remain under attacker control until those artifacts are found and removed.
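As an added example (not code from the article or from SAP), the post-patch sweep this implies: compare a web-reachable directory against a known-good manifest and flag anything unknown, altered, or executable and written after the exposure window opened. Directory layout, file names and the cutoff window are constructed assumptions.

```python
import hashlib
import os
import tempfile
import time

SUSPECT_EXTENSIONS = {".jsp", ".jspx", ".war", ".class"}  # executes on the app server

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def sweep(root, manifest, cutoff):
    """Flag files unknown to the manifest, altered since it was taken, or executable content written after cutoff."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = []
            if rel not in manifest:
                reasons.append("not in manifest")
            elif manifest[rel] != sha256_of(full):
                reasons.append("content differs from manifest")
            ext = os.path.splitext(name)[1].lower()
            if ext in SUSPECT_EXTENSIONS and os.stat(full).st_mtime >= cutoff:
                reasons.append("executable content modified after cutoff")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)

def run_demo():
    """Constructed tree (hypothetical paths, not SAP's): baselined page and stylesheet, plus one unknown JSP."""
    root = tempfile.mkdtemp(prefix="webroot-")
    app = os.path.join(root, "app")
    os.makedirs(app)
    cutoff = time.time() - 7 * 86400  # hypothetical: start of the exposure window
    manifest = {}
    for name, body, untouched in (("index.jsp", "<html>benign</html>\n", True),
                                  ("site.css", "body {}\n", False)):
        path = os.path.join(app, name)
        with open(path, "w") as f:
            f.write(body)
        if untouched:  # baselined file last written before the window opened
            os.utime(path, (cutoff - 86400, cutoff - 86400))
        manifest["app/" + name] = sha256_of(path)
    with open(os.path.join(app, "helper.jsp"), "w") as f:
        f.write("constructed placeholder standing in for an unexpected upload\n")
    return sweep(root, manifest, cutoff)
```

In a real sweep the manifest comes from a clean install at the same patch level, and the cutoff is the earliest date the instance could have been reached.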
