admin – GNN
https://gnn.vircom.in
Godrej News Network
Sat, 10 May 2025 02:41:40 +0000

Chinese Hackers Exploit SAP RCE Vulnerability to Upload Supershell Backdoors
https://gnn.vircom.in/2025/05/10/chinese-hackers-exploit-sap-rce-vulnerability-to-upload-supershell-backdoors/
Sat, 10 May 2025 02:41:40 +0000

A critical remote code execution vulnerability in SAP NetWeaver Visual Composer (CVE-2025-31324) is being actively exploited by a Chinese threat actor to compromise enterprise systems worldwide.

The vulnerability allows attackers to achieve remote code execution by uploading malicious web shells through the vulnerable /developmentserver/metadatauploader endpoint.

Exploitation has been observed primarily targeting manufacturing environments, where compromised SAP systems could lead to significant operational disruptions and security breaches.

The threat actor, tracked as Chaya_004, has been leveraging this vulnerability since at least April 29, 2025, shortly after proof-of-concept exploits became publicly available.

Their attack infrastructure heavily utilizes Chinese cloud providers, including Alibaba, Tencent, and Huawei Cloud Services.

This campaign demonstrates a sophisticated approach to infrastructure deployment, with over 700 identified IP addresses sharing consistent configuration patterns.

Forescout researchers identified the malicious infrastructure after recovering an ELF binary named “config” from one of the attacks.

The binary contained an IP address hosting a SuperShell login interface, which led to the discovery of hundreds of additional IP addresses sharing unusual certificate configurations.

The certificates utilized anomalous self-signed properties impersonating Cloudflare with a distinctive subject DN attribute.

The exploitation pattern involves POST requests to the vulnerable endpoint, followed by the deployment of web shells with names such as “helper.jsp,” “cache.jsp,” or randomized eight-letter filenames like “ssonkfrd.jsp.”

Once established, these backdoors enable attackers to download additional malicious payloads using curl commands, as demonstrated in the following attack sequence:

POST /developmentserver/metadatauploader HTTP/1.1
Host: [target]
Content-Type: multipart/form-data; boundary=---------------------------9051914041544843365972754266
Content-Length: [length]

-----------------------------9051914041544843365972754266
Content-Disposition: form-data; name="file"; filename="webshell.jsp"
Content-Type: application/octet-stream



-----------------------------9051914041544843365972754266--

The deployed SuperShell backdoors provide attackers with comprehensive system access, allowing them to manipulate service endpoints, harvest credentials, and potentially pivot to more critical SAP components.

The primary backdoor interface was identified on port 8888 with the distinctive path “/supershell/login” across multiple compromised systems.

Organizations running affected SAP versions are strongly urged to apply the security patches released in the April 2025 Patch Day immediately.

Additional recommended mitigations include restricting access to metadata uploader services, disabling unused web services, and implementing real-time monitoring for anomalous access to SAP systems, particularly outside of regular maintenance windows.

The post Chinese Hackers Exploit SAP RCE Vulnerability to Upload Supershell Backdoors appeared first on Cyber Security News.

Threat Actors Attacking Job Seekers With Three New Unique Adversaries
https://gnn.vircom.in/2025/05/10/threat-actors-attacking-job-seekers-with-three-new-unique-adversaries/
Sat, 10 May 2025 02:41:38 +0000

A significant surge in sophisticated recruitment scams has emerged, with cybercriminals exploiting economic vulnerabilities and the competitive job market to target desperate job seekers.

These scams employ increasingly refined social engineering tactics that blend legitimate recruitment practices with fraudulent schemes, making them particularly effective at evading detection while extracting money and personal information from victims.

Security researchers have identified three distinct threat actors deploying targeted campaigns against job seekers worldwide.

The first impersonates technology companies using advance fee fraud tactics, the second operates a localized scheme across 18 countries impersonating a logistics recruitment agency, and the third masquerades as the Government of Singapore to harvest national identity numbers and compromise Telegram accounts.

These diverse approaches highlight the evolving nature of recruitment-based cyber threats.

According to Federal Trade Commission data, losses from job-related fraud in the United States exceeded $500 million in 2023, more than doubling the $200 million reported in 2022.

This dramatic increase reflects both the growing sophistication of these scams and the expanding pool of vulnerable targets created by economic pressures, cost-of-living challenges, and the rise of gig work opportunities.

Netcraft researchers identified that these scam operations are carefully structured to maximize persistence and scale while evading detection measures.

Their analysis revealed that operators typically employ multiple personas throughout the scam lifecycle – one to make initial contact and another to execute the fraud – allowing them to efficiently manage high volumes of victims while maintaining operational security when communication channels are disrupted.

The cybercriminals have engineered these schemes to exploit specific vulnerabilities in how job seekers evaluate opportunities, particularly targeting those attracted to flexible working arrangements and above-average compensation packages, which have become increasingly desirable in the post-pandemic economy.

Inside the Celadon and Softserv Scam Operation

The most prolific of the identified threats begins with unsolicited messages via WhatsApp, Telegram or other messaging platforms, with attackers posing as recruitment consultants claiming to have received applications from potential victims.

Initial outreach typically originates from international phone numbers, creating a false impression of legitimacy while making verification more difficult for targets.

After establishing contact, victims are directed to communicate with a second persona who provides job details – typically featuring unrealistically high compensation rates for simple tasks.

Netcraft analysts documented that the Celadon/Softserv operation offers payment in cryptocurrency (USDT) and requires victims to register on specialized domains like celadonsoftapp[.]vip that feature convincing but fraudulent interfaces.

The infection pathway systematically escalates commitment through a carefully designed user journey. After registration, victims receive nominal “credit” to their accounts before being prompted to deposit actual funds to “activate” various task levels that promise profitable returns.

Task selection page (Source – Netcraft)

These task interfaces incorporate familiar app icons to enhance perceived legitimacy.

Infrastructure analysis revealed nine similar platform sites operated by this threat actor between May and November 2024, all sharing identical design elements and server infrastructure.

The domains, all protected by Cloudflare and hosted through Gname, demonstrate the operation’s scale and sophisticated approach to persistence.

The threat actor’s detection evasion techniques include requiring registration codes for website access, implementing login barriers to prevent security researcher analysis, and redesigning interfaces periodically to maintain effectiveness.

Previous design for the celadonsoftapp[.]vip login page in late May (Source – Netcraft)

Netcraft's analysis also documents the threat actor's transition to more professional-looking interfaces in late June 2024, indicating ongoing refinement of their techniques.

Job seekers should remain vigilant for warning signs including communication exclusively through messaging apps, implausibly high compensation offers, cryptocurrency payment methods, and pressure to make upfront deposits.

The post Threat Actors Attacking Job Seekers With Three New Unique Adversaries appeared first on Cyber Security News.

Refinancing Your Student Loans With a Private Lender Only Makes Sense in This One Situation
https://gnn.vircom.in/2025/05/10/refinancing-your-student-loans-with-a-private-lender-only-makes-sense-in-this-one-situation/
Sat, 10 May 2025 01:41:47 +0000

In most cases, it’s too risky to give up your federal student loan benefits. With wage garnishment for defaulted student loans starting up this summer and SAVE borrowers gearing up for higher monthly payments, you might be considering a private student loan as a more affordable way to pay down your … 

Read More  CNET 

North Korean ‘IT worker scams’ take on female personas, expand to Europe, Japan
https://gnn.vircom.in/2025/05/10/north-korean-it-worker-scams-take-on-female-personas-expand-to-europe-japan/
Sat, 10 May 2025 00:42:52 +0000

The North Korean hacker group Nickel Tapestry has found new ways to adapt its IT worker scams, including impersonating female applicants, and … 

Read More  CyberNews 

GoldenEye 007, Tamagotchi, Quake Blast Into Video Game Hall of Fame For 2025
https://gnn.vircom.in/2025/05/09/goldeneye-007-tamagotchi-quake-blast-into-video-game-hall-of-fame-for-2025/
Fri, 09 May 2025 23:44:44 +0000

One revolutionized first-person shooters on consoles, another taught us how to care for a virtual pet, but they all deserve a spot in history. If you grew up blasting aliens at the arcade, there’s a good chance that you’re familiar with at least one of this year’s Video Game Hall of Fame … 

Read More  CNET 

Google agrees to pay Texas $1.4 billion data privacy settlement
https://gnn.vircom.in/2025/05/09/google-agrees-to-pay-texas-1-4-billion-data-privacy-settlement/
Fri, 09 May 2025 23:44:44 +0000

“Google secretly tracked people’s movements, private searches, and even their voiceprints and facial geometry,” Texas Attorney General Ken Paxton said. 

Read More  Tech 

Scaling startups in the European market
https://gnn.vircom.in/2025/05/09/scaling-startups-in-the-european-market/
Fri, 09 May 2025 22:43:42 +0000

From cybersecurity and aerospace to generative 3D, startup leaders are scaling ambitious companies from European soil and taking on global markets. In this conversation at the StrictlyVC event in Athens, we talked to three founders about what it takes to go from idea to impact while navigating the continent’s unique challenges — and why building […] 

Read More  TechCrunch 

Virtual chronic care company Omada Health files for IPO
https://gnn.vircom.in/2025/05/09/virtual-chronic-care-company-omada-health-files-for-ipo/
Fri, 09 May 2025 22:43:40 +0000

Omada Health filed for an IPO on Friday, the latest digital health company to announce its intent to test the public market. 

Read More  Tech 

‘Love Island USA’ Season 7: When and Where to Watch
https://gnn.vircom.in/2025/05/09/love-island-usa-season-7-when-and-where-to-watch/
Fri, 09 May 2025 21:41:59 +0000

This season’s Islanders haven’t been announced, but there is a premiere date set. Last summer’s season of Love Island USA was a reality TV obsession for many. The follow up to that extremely popular season of the show is drawing near. In a teaser for the upcoming season 7, Love Island USA host Ariana … 

Read More  CNET 

The US is reviewing Benchmark’s investment into Chinese AI startup Manus
https://gnn.vircom.in/2025/05/09/the-us-is-reviewing-benchmarks-investment-into-chinese-ai-startup-manus/
Fri, 09 May 2025 21:41:58 +0000

Manus AI is one of the hottest AI agent startups around, recently raising $75 million at a half-billion dollar valuation in a round led by Benchmark. But two unnamed sources told Semafor that the investment is now under review by the U.S. Treasury Department over its compliance with 2023 restrictions on investing in Chinese companies. […] 

Read More  TechCrunch 
