At least two different cybercrime groups, BianLian and RansomExx, are said to have exploited a recently disclosed security flaw in SAP NetWeaver, indicating that multiple threat actors are taking advantage of the bug.
Cybersecurity firm ReliaQuest, in a new update published today, said it uncovered evidence suggesting involvement from the BianLian data extortion crew and the RansomExx ransomware family, which is tracked by Microsoft under the moniker Storm-2460.
BianLian is assessed to be involved in at least one incident based on infrastructure links to IP addresses previously identified as attributed to the e-crime group.

“We identified a server at 184[.]174[.]96[.]74 hosting reverse proxy services initiated by the rs64.exe executable,” the company said. “This server is related to another IP, 184[.]174[.]96[.]70, operated by the same hosting provider. The second IP had previously been flagged as a command-and-control (C2) server associated with BianLian, sharing identical certificates and ports.”
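The pivot ReliaQuest describes (same hosting provider, identical TLS certificate, identical port set) is easy to automate once you have scan data per host. The script below is an added example and not ReliaQuest's tooling: it scores how strongly each observed host is linked to a known C2, and it carries the caveat a practitioner wants, namely that a certificate fingerprint shared by many unrelated servers (a product's default self-signed cert) must not count as operator-controlled reuse. The IPs are the two from the report; the provider name, fingerprints and port sets are constructed for illustration.

```python
"""Infrastructure pivot from a known C2 to related servers.

Added example, not from ReliaQuest. Host records below are constructed:
only the two IP addresses come from the report; provider names, TLS
fingerprints and ports are made-up sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HostObservation:
    ip: str
    provider: str       # hosting provider / netblock owner from WHOIS or ASN data
    cert_sha256: str    # SHA-256 fingerprint of the TLS certificate served
    ports: frozenset    # open TCP ports seen by a scan


def pivot_from_known_c2(known_c2, observations, shared_default_certs=frozenset()):
    """Return {ip: strength} for hosts linked to known_c2.

    strength:
      'strong'   - same certificate AND same port set (the ReliaQuest criteria)
      'moderate' - same certificate only, or same provider with the same port set
      'weak'     - same provider only; this is co-location, not attribution
    A certificate listed in shared_default_certs is treated as no match at all,
    because a vendor default cert is served by hosts with no common operator.
    """
    links = {}
    for obs in observations:
        if obs.ip == known_c2.ip:
            continue
        same_provider = obs.provider == known_c2.provider
        same_ports = obs.ports == known_c2.ports
        same_cert = (obs.cert_sha256 == known_c2.cert_sha256
                     and obs.cert_sha256 not in shared_default_certs)
        if same_cert and same_ports:
            links[obs.ip] = "strong"
        elif same_cert or (same_provider and same_ports):
            links[obs.ip] = "moderate"
        elif same_provider:
            links[obs.ip] = "weak"
    return links


# Constructed sample data (defanged IPs from the report written in dotted form).
KNOWN_C2 = HostObservation("184.174.96.70", "ExampleHost", "aa" * 32, frozenset({443, 8443}))
OBSERVED = [
    # the rs64.exe reverse-proxy host: same provider, cert and ports
    HostObservation("184.174.96.74", "ExampleHost", "aa" * 32, frozenset({443, 8443})),
    # a neighbour on the same provider with nothing else in common
    HostObservation("184.174.96.75", "ExampleHost", "bb" * 32, frozenset({22, 80})),
    # a host elsewhere reusing the same certificate and port set
    HostObservation("203.0.113.9", "OtherHost", "aa" * 32, frozenset({443, 8443})),
]

if __name__ == "__main__":
    for ip, strength in pivot_from_known_c2(KNOWN_C2, OBSERVED).items():
        print(f"{ip}: {strength}")
    # If the "aa..." fingerprint turns out to be a widely shared default cert,
    # the same data yields only provider/port links.
    print(pivot_from_known_c2(KNOWN_C2, OBSERVED, shared_default_certs={"aa" * 32}))
```

Before calling a link "strong", check the fingerprint against a corpus of known default certificates (or simply count how many unrelated hosts serve it); the `shared_default_certs` parameter is where that list plugs in.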
ReliaQuest said it also observed the deployment of a plugin-based trojan dubbed PipeMagic, which was most recently used in connection with the zero-day exploitation of a privilege escalation bug (CVE-2025-29824) in the Windows Common Log File System (CLFS) in limited attacks targeting entities in the U.S., Venezuela, Spain, and Saudi Arabia.
The attacks involved the delivery of PipeMagic via web shells dropped following the exploitation of the SAP NetWeaver flaw.
“Although the initial attempt failed, a subsequent attack involved the deployment of the Brute Ratel C2 framework using inline MSBuild task execution,” ReliaQuest said. “During this activity, a dllhost.exe process was spawned, signaling exploitation of the CLFS vulnerability (CVE-2025-29824), which the group had previously exploited, with this being a new attempt to exploit it via inline assembly.”
The findings come a day after EclecticIQ disclosed that multiple Chinese hacking groups tracked as UNC5221, UNC5174, and CL-STA-0048 are actively exploiting CVE-2025-31324 to drop various malicious payloads.
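The chain in that quote leaves two process-creation signals a defender can key on: MSBuild.exe running a project file from somewhere a build tool should never read (inline tasks let an attacker embed C# in the project file and have MSBuild compile and run it), and a dllhost.exe that is not the COM Surrogate launched by the DcomLaunch service. The detection below is an added example, not ReliaQuest's rule set; it runs over constructed events shaped like Sysmon Event ID 1 records. The parent allowlist, the "user-writable" path list and the sample events are assumptions to tune per environment.

```python
"""Detection for the post-exploitation chain described above:
MSBuild inline-task abuse followed by an anomalous dllhost.exe spawn.

Added example, not ReliaQuest tooling. Field names mimic Sysmon Event ID 1;
EXPECTED_MSBUILD_PARENTS, WRITABLE_HINTS and SAMPLE_EVENTS are constructed
assumptions for illustration.
"""
import re
from pathlib import PureWindowsPath

# Assumption: processes that legitimately start MSBuild on this host.
EXPECTED_MSBUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}

# Assumption: user-writable locations from which a project file is a red flag.
WRITABLE_HINTS = ("\\windows\\temp\\", "\\users\\public\\",
                  "\\programdata\\", "\\appdata\\local\\temp\\")

# A project file path on the MSBuild command line (MSBuild accepts any extension).
PROJECT_ARG = re.compile(r'"?([a-z]:\\[^"\s]+\.(?:proj|csproj|vbproj|xml))"?', re.I)
# The COM Surrogate form: dllhost.exe /Processid:{CLSID}
DLLHOST_SURROGATE = re.compile(r"/processid:\{[0-9a-f-]{36}\}", re.I)


def _name(path):
    return PureWindowsPath(path).name.lower()


def check_msbuild(event):
    """Flag MSBuild runs that look like inline-task abuse rather than a build."""
    if _name(event["Image"]) != "msbuild.exe":
        return None
    reasons = []
    parent = _name(event["ParentImage"])
    if parent not in EXPECTED_MSBUILD_PARENTS:
        reasons.append("unexpected parent " + parent)
    m = PROJECT_ARG.search(event["CommandLine"])
    if m and any(h in m.group(1).lower() for h in WRITABLE_HINTS):
        reasons.append("project file in user-writable path " + m.group(1))
    return "msbuild_inline_task: " + "; ".join(reasons) if reasons else None


def check_dllhost(event):
    """Flag dllhost.exe that is not the COM Surrogate started by svchost.exe."""
    if _name(event["Image"]) != "dllhost.exe":
        return None
    parent = _name(event["ParentImage"])
    has_clsid = bool(DLLHOST_SURROGATE.search(event["CommandLine"]))
    if parent == "svchost.exe" and has_clsid:
        return None
    return f"dllhost_anomalous: parent={parent}, surrogate_arg={has_clsid}"


def scan(events):
    """Return [(event_index, alert_text)] for every rule hit."""
    alerts = []
    for idx, ev in enumerate(events):
        for rule in (check_msbuild, check_dllhost):
            hit = rule(ev)
            if hit:
                alerts.append((idx, hit))
    return alerts


# Constructed sample events: one benign build, one suspicious MSBuild run,
# one dllhost spawned by MSBuild, one normal COM Surrogate.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": r'MSBuild.exe "C:\src\app\app.csproj" /t:Build',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Windows\Temp\update.xml",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": "dllhost.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    {"Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": "C:\\Windows\\system32\\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for idx, msg in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {msg}")
```

On a build server the parent allowlist will need CI agents added; the path rule stays useful on its own because a legitimate build rarely compiles a project out of a temp directory. Neither rule attributes activity to a specific CVE; they surface the behaviour described so an analyst can pull the project file and the dllhost.exe image for triage.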

SAP security company Onapsis revealed that threat actors have also been exploiting CVE-2025-31324 alongside a deserialization flaw in the same component (CVE-2025-42999) since March 2025, adding that the new patch fixes the root cause of CVE-2025-31324.
“There is little practical difference between CVE-2025-31324 and CVE-2025-42999 as long as CVE-2025-31324 is available for exploitation,” ReliaQuest said in a statement shared with The Hacker News.
“CVE-2025-42999 indicates higher privileges may be required, however, CVE-2025-31324 offers full system access regardless. A threat actor could exploit both vulnerabilities in an authenticated and unauthenticated user in the same way. Therefore, the remediation advice is the same for both CVEs.”