CyberSecurity news

FlagThis - #qilin

@onapsis.com //
References: onapsis.com , op-c.net
The Qilin ransomware-as-a-service (RaaS) group, a Russian-linked threat actor, has been identified as exploiting the critical SAP NetWeaver vulnerability, CVE-2025-31324, weeks before its public disclosure. This zero-day exploit allows for unauthenticated remote code execution, posing a significant threat to enterprise systems globally. The vulnerability affects the `/developmentserver/metadatauploader` endpoint and does not properly enforce authentication or authorization, allowing attackers to upload arbitrary files, including web shells, to the server. SAP assigned the vulnerability a CVSS score of 10.0, highlighting the ease of exploitation and potential for full system compromise.

This pre-disclosure exploitation was uncovered during an incident response led by OP Innovate for a major global enterprise. The investigation revealed communication with known Cobalt Strike C2 infrastructure and IP addresses directly linked to Qilin. While recent reports have pointed to China-linked APT groups exploiting the vulnerability, the discovery of Qilin's involvement suggests a broader range of threat actors are actively targeting this flaw. The ease of exploiting CVE-2025-31324, requiring no authentication and exposing the attack surface via standard HTTP(S), makes it particularly dangerous for commonly deployed enterprise SAP environments.

Security researchers are urging SAP administrators to patch immediately to prevent falling victim to CVE-2025-31324. The vulnerability, which allows unauthenticated file uploads and remote code execution (RCE), is being actively exploited in mass attacks. It hit the security world "like a tsunami," with potentially severe consequences for affected organizations. SOC Prime Platform has also released Sigma rules to help detect exploitation attempts linked to Chinese APT groups that target critical infrastructure.

Recommended read:
References :
  • onapsis.com: This consolidated threat advisory [TLP:CLEAR] is provided to support defenders in their assessment of exposure and compromise against the active mass exploitation of SAP security vulnerabilities CVE-2025-31324 and CVE-2025-42999.
  • op-c.net: CVE-2025-31324 hit the security world like a tsunami – an easily exploitable SAP vulnerability affecting enterprise environments across the globe.

Field Effect@Blog //
Russian Ransomware-as-a-Service (RaaS) group Qilin exploited a critical SAP NetWeaver vulnerability, CVE-2025-31324, weeks before its public disclosure. This zero-day flaw, an unauthenticated file upload vulnerability, allowed attackers to gain remote code execution in affected enterprise environments across the globe. The vulnerability affects SAP NetWeaver Visual Composer, a component commonly deployed in large enterprise environments. The flaw lies in the `/developmentserver/metadatauploader` endpoint, which fails to properly enforce authentication and authorization, which allows an unauthenticated attacker to upload arbitrary files, including web shells, to the server with ease.

SAP assigned CVE-2025-31324 a CVSS score of 10.0, reflecting its trivial exploitation path and severe impact, including the potential for remote code execution and full system compromise. The vulnerability's accessibility, requiring no authentication and being exposed via standard HTTP(S), made it especially dangerous. OP Innovate discovered the active exploitation of CVE-2025-31324 during an incident response engagement for a major global enterprise, finding evidence of exploitation nearly three weeks before the vulnerability was publicly disclosed.

OP Innovate's investigation revealed two separate exploitations of CVE-2025-31324 within a major enterprise environment. The first occurred nearly three weeks before the vulnerability was publicly disclosed, and the second shortly after. While recent articles pointed to China-Linked APTs, OP Innovate identified communication with known Cobalt Strike C2 infrastructure and IP addresses linked directly to Qilin. Organizations using SAP NetWeaver are urged to apply the necessary patches and monitor for potential exploitation attempts to mitigate risks and prevent further breaches.

Recommended read:
References :
  • industrialcyber.co: EclecticIQ details Chinese state-backed hackers launch global attacks on critical infrastructure via SAP vulnerability
  • Onapsis: Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)
  • securebulletin.com: China-Linked APTs exploit critical SAP NetWeaver vulnerability to breach over 580 systems globally
  • The Hacker News: China-Linked APTs Exploit SAP CVE-2025-31324 to Breach 581 Critical Systems Worldwide
  • The DefendOps Diaries: Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)
  • Onapsis: SAP defenders were briefed on an active exploitation campaign targeting a critical CVSS 10.0 vulnerability (CVE-2025-31324).
  • Blog: Second zero-day in SAP NetWeaver actively exploited
  • op-c.net: SAP Zero – Frostbite: How Russian RaaS Actor Qilin Exploited CVE-2025-31324 Weeks Before its Public Disclosure
  • Industrial Cyber: EclecticIQ details Chinese state-backed hackers launch global attacks on critical infrastructure via SAP vulnerability
  • onapsis.com: Threat Briefing Report: Critical SAP Vulnerabilities (CVE-2025-31324 and CVE-2025-42999) Under Active Mass Exploitation
  • socprime.com: Detect CVE-2025-31324 Exploitation by Chinese APT Groups Targeting Critical Infrastructure
  • SOC Prime Blog: A newly revealed SAP NetWeaver critical vulnerability, an unauthenticated file upload flaw that allows RCE and tracked as CVE-2025-31324, is being actively exploited by several China-linked nation-state groups to attack critical infrastructure systems.

Jacob Santos@feeds.trendmicro.com //
The Agenda ransomware group, also known as Qilin, has enhanced its attack capabilities by incorporating SmokeLoader and NETXLOADER into its campaigns. Trend Micro researchers discovered this shift, highlighting the group's ongoing evolution and increased sophistication. The group is actively targeting organizations across multiple sectors, including healthcare, technology, financial services, and telecommunications. These attacks are spanning across various geographical regions, with a primary focus on the US, the Netherlands, Brazil, India, and the Philippines, demonstrating a broad and aggressive targeting strategy.

The newly identified NETXLOADER plays a crucial role in these attacks by stealthily deploying malicious payloads, including the Agenda ransomware and SmokeLoader. NETXLOADER is a .NET-based loader protected by .NET Reactor 6, making it difficult to analyze. Its complexity is enhanced by the utilization of JIT hooking techniques, obfuscated method names, and AES-decrypted GZip payloads to evade detection, indicating a significant leap in malware delivery methods. SmokeLoader further contributes to the group's arsenal with its own set of evasion tactics, including virtualization/sandbox detection and process injection, which complicates attribution and defense efforts.

Qilin has emerged as a dominant ransomware group, leading in data leak disclosures in April 2025. This surge in activity is partly attributed to the group gaining affiliates from the RansomHub uncertainty. Cyble reported that Qilin claimed responsibility for 74 attacks in April, surpassing other groups in ransomware activity. The incorporation of NETXLOADER and SmokeLoader, coupled with their stealthy delivery methods, further solidifies Qilin's position as a formidable threat in the current ransomware landscape, posing a significant risk to organizations worldwide.

Recommended read:
References :
  • Virus Bulletin: Trend Micro researchers discovered that the Agenda ransomware group added SmokeLoader & NETXLOADER to its recent campaigns. Targets include healthcare, technology, financial services & telecommunications sectors in the US, the Netherlands, Brazil, India & the Philippines.
  • securityonline.info: Agenda Ransomware Evolves with NETXLOADER and SmokeLoader in Global Campaigns
  • www.trendmicro.com: Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal
  • The Hacker News: Qilin Ransomware Ranked Highest in April 2025 with Over 45 Data Leak Disclosures
  • cyble.com: Cyble stated that Qilin gained affiliates from the RansomHub uncertainty, led all groups with 74 attacks claimed in April.
  • redpiranha.net: Red Piranha stated that the threat group Qilin has been active for over one year or for multiple years and Qilin also Tool usage is going to be slightly outdated due to the time it takes incident response teams to wrap up an investigation, compile findings, and publish a report.
  • MeatMutts: Qilin Ransomware Gang Targets Hamilton County Sheriff's Office

gallagherseanm@Sophos News //
A recent cyberattack has exploited vulnerabilities in Managed Service Providers (MSPs) through a sophisticated phishing campaign, leading to the deployment of Qilin ransomware across multiple customer environments. The attackers, identified as affiliates of the STAC4365 threat cluster, targeted MSPs by mimicking the login page of ScreenConnect, a widely used Remote Monitoring and Management (RMM) tool. The attackers used spear-phishing emails directed at MSP administrators, disguising them as authentication alerts from ScreenConnect.

These emails directed recipients to counterfeit domains closely resembling the legitimate ScreenConnect login page, cloud.screenconnect[.]com.ms for example. Using an adversary-in-the-middle (AITM) attack framework, credentials and time-based one-time passwords (TOTP) required for multi-factor authentication (MFA) were intercepted. With these credentials, the attackers gained super administrator access to the legitimate ScreenConnect portal, enabling them to deploy malicious ScreenConnect instances across customer environments and ultimately launch Qilin ransomware. The attack highlights the risks for MSP and their customer base.

Recommended read:
References :
  • Sophos News: Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream
  • securityonline.info: Qilin Ransomware Attack Exploits MSP Vulnerability to Target Downstream Customers
  • Cyber Security News: Qilin Operators Use Mimic ScreenConnect Login Page to Deliver Ransomware and Gain Admin Access
  • Cyber Security News: Qilin Operators Mimic ScreenConnect Login Page to Deliver Ransomware & Gain Admin Access
  • gbhackers.com: Qilin Operators Imitate ScreenConnect Login Page to Deploy Ransomware and Gain Admin Access

Sergiu Gatlan@BleepingComputer //
Microsoft has identified a North Korean hacking group known as Moonstone Sleet, previously tracked as Storm-1789, deploying Qilin ransomware in limited attacks. This represents a shift for the group, as they have historically used custom-built ransomware. The adoption of Qilin ransomware signifies a move towards Ransomware-as-a-Service (RaaS), where they utilize ransomware developed by external operators rather than relying solely on their own tools.

Moonstone Sleet's move to RaaS marks a new era in cyber threats, primarily driven by financial motivations, a departure from previous espionage-focused operations. They have been observed demanding ransoms as high as $6.6 million in Bitcoin. The group has also been known to use creative tactics, including fake companies, trojanized software, and even a malicious game to infiltrate targets, showcasing their adaptability and resourcefulness.

Recommended read:
References :
  • gbhackers.com: North Korean Moonstone Sleet Uses Creative Tactics to Deploy Custom Ransomware
  • The DefendOps Diaries: Moonstone Sleet's Shift to Ransomware-as-a-Service: A New Era in Cyber Threats
  • BleepingComputer: Microsoft: North Korean hackers join Qilin ransomware gang
  • Cyber Security News: North Korean Moonstone Sleet Deploys Custom Ransomware with Creative Tactics
  • securityaffairs.com: Microsoft researchers reported that North Korea-linked APT tracked as Moonstone Sleet has employed the Qilin ransomware in limited attacks.
  • www.scworld.com: Moonstone Sleet was previously reported to have been behind a FakePenny ransomware attack.

@www.the420.in //
Lee Enterprises, a major American media company with over 75 publications, has confirmed a ransomware attack that has disrupted operations across its network. The notorious Qilin ransomware gang has claimed responsibility for the February 3rd attack, alleging the theft of 350GB of sensitive data. This stolen data purportedly includes investor records, financial arrangements, payments to journalists and publishers, funding for tailored news stories, and even approaches to obtaining insider information. The cyberattack has resulted in widespread outages, significantly impacting the distribution of printed newspapers, subscription services, and internal business operations.

The attack has caused delays in the distribution of print publications and has partially limited online operations. Lee Enterprises anticipates a phased recovery over the next several weeks and has implemented temporary measures, including manual processing of transactions. The company has also launched a forensic investigation to determine the full extent of the breach. The Qilin ransomware group's actions have brought attention to the increasing threat facing media organizations and the importance of robust cybersecurity measures to protect sensitive information and maintain operational integrity.

Recommended read:
References :
  • securityaffairs.com: SecurityAffairs: Qilin ransomware gang claimed responsibility for the Lee Enterprises attack
  • www.cysecurity.news: CySecurity News: Lee Enterprises Faces Prolonged Ransomware Attack Disrupting Newspaper Operations
  • www.the420.in: The420.in: American Media Group Hit by Cyber Attack, 75 Newspapers Disrupted & Informers’ Data Leaked
  • bsky.app: The Qilin ransomware gang has claimed responsibility for the attack at Lee Enterprises that disrupted operations on February 3, leaking samples of data they claim was stolen from the company.
  • bsky.app: The Qilin ransomware gang has claimed responsibility for the attack at Lee Enterprises that disrupted operations on February 3, leaking samples of data they claim was stolen from the company.
  • Information Security Buzz: Qilin Claims Lee Enterprises Ransomware Attack
  • securityaffairs.com: The Qilin ransomware group claimed responsibility for the recent cyberattack on Lee Enterprises, which impacted dozens of local newspapers. Lee Enterprises, Inc. is a publicly traded American media company. It publishes 79 newspapers in 25 states, and more than
  • CyberInsider: Reports that Qilin ransomware gang claimed responsibility for Lee Enterprises attack, threatens to leak stolen data
  • www.cysecurity.news: reports on Ransomware
  • Zack Whittaker: Lee Enterprises is still experiencing disruption and outages after a ransomware attack.
  • Metacurity: UK ICO launches children's social media privacy probe, Qilin claims attack on Lee Enterprises, Polish Space Agency breached, Cellebrite zero days used to hack Serbian student's phone, Man sentenced to 24 years for putting CSAM on dark web, Canceled CFPB contracts threaten data security, much more
  • Konstantin :C_H:: Qilin claims attack on Lee Enterprises,
  • www.the420.in: Qilin ransomware group claimed responsibility for the Lee Enterprises attack.
  • Kim Zetter: Reports Qilin claims attack on Lee Enterprises
  • BleepingComputer: Qilin claiming responsibility for the cyberattack on Lee Enterprises.
  • BleepingComputer: Qilin Ransomware Gang Claims Lee Enterprises Attack
  • DataBreaches.Net: Japanese cancer hospital confirms breach; Qilin gang claims responsibility
  • The Register - Security: Qilin ransomware gang claims attacks on cancer clinic, OB-GYN facility
  • www.cysecurity.news: Qilin Ransomware Outfit Claims Credit for Lee Enterprises Breach
  • securityaffairs.com: Qilin Ransomware group claims to have breached the Ministry of Foreign Affairs of Ukraine, marking a significant cybersecurity attack.
  • www.scworld.com: The ransomware group Qilin has taken credit for the cyberattack on Lee Enterprises.