Blog
/
/
August 29, 2023

Analyzing Post-Exploitation on Papercut Servers

Dive into our analysis covering post-exploitation activity on PaperCut servers. Learn the details and impact of this attack and how to keep yourself safe!
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Sam Lister
SOC Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
29
Aug 2023

Introduction

Malicious cyber actors are known to exploit vulnerabilities in Internet-facing systems and services to gain entry to organizations’ digital environments. Keeping track of the vulnerabilities which malicious actors are exploiting is seemingly futile, with malicious actors continually finding new avenues of exploitation.  

In mid-April 2023, Darktrace, along with the wider security community, observed malicious cyber actors gaining entry to networks through exploitation of a critical vulnerability in the print management system, PaperCut. Darktrace observed two types of attack chain within its customer base, one involving the deployment of payloads to facilitate crypto-mining, and the other involving the deployment of a payload to facilitate Tor-based command-and-control (C2) communication.

Walking Through the Front Door

One of the most widely abused Initial Access methods attackers use to gain entry to an organization’s digital environment is the exploitation of vulnerabilities in Internet-facing systems and services [1]. The public disclosure of a critical vulnerability in a widely used, Internet-facing service, along with a proof of concept (POC) exploit for such vulnerability, provides malicious cyber actors with a key to the front door of countless organizations. Once malicious actors are in possession of such a key, security teams are in a race against time to patch all their vulnerable systems and services. But until organizations accomplish this, the doors are left open.

This year, the security community has seen malicious actors gaining entry to networks through the exploitation of vulnerabilities in a range of services. These services include familiar suspects, such as Microsoft Exchange and ManageEngine, along with less familiar suspects, such as PaperCut. PaperCut is a system for managing and tracking printing, copying, and scanning activity within organizations. In 2021, PaperCut was used in more than 50,000 sites across over 100 countries [2], making PaperCut a widely used print management system.

In January 2023, Trend Micro’s Zero Day Initiative (ZDI) notified PaperCut of a critical RCE vulnerability, namely CVE-2023–27350, in certain versions of PaperCut NG (PaperCut’s ‘print only’ variant) and PaperCut MF (PaperCut’s ‘extended feature’ variant) [3,4]. In March 2023, PaperCut released versions of PaperCut NG and PaperCut MF containing a fix for CVE-2023–27350 [4]. Despite this, security teams observed a surge in cases of malicious actors exploiting CVE-2023–27350 to compromise PaperCut servers in April 2023 [4-10]. This trend was mirrored in Darktrace’s customer base, where a surge in compromises of PaperCut servers was observed in April 2023.

Observed Attack Chains

In mid-April 2023, Darktrace identified two related clusters of attack chains. The attack chains within the first of these clusters involved Internet-facing PaperCut servers downloading payloads with crypto-mining capabilities from the external location, 50.19.48[.]59. While the attack chains within the second of the clusters involved Internet-facing PaperCut servers downloading payloads with Tor-based C2 capabilities from 192.184.35[.]216. The attack chains within the first cluster, which were observed on April 22, 2023, will be referred to as ‘50.19.48[.]59 chains’ and the attack chains in the second cluster, observed on April 24, 2023, will be called ‘192.184.35[.]216 chains’.

Both attack chains started with highly unusual external endpoints contacting the '/SetupCompleted' endpoint of an Internet-facing PaperCut server. These requests to the ‘/SetupCompleted’ endpoint likely represented attempts to exploit CVE-2023–27350 [10].  50.19.48[.]59 chains started with exploit connections from the external endpoint, 85.106.112[.]60, whereas 192.184.35[.]216 chains started with exploit connections from Tor nodes, such as 185.34.33[.]2.

Figure 1: Darktrace’s Advanced Search data showing likely CVE-2023-27350 exploitation activity from the suspicious, external endpoint, 85.106.112[.]60.

After the exploitation step, the two attack chains took different paths. In the 50.19.48[.]59 chains, the exploitation step was followed by the affected PaperCut server making HTTP GET requests over port 82 to the rare external endpoint, 50.19.48[.]59. In the 192.184.35[.]216 chains, the exploitation step was followed by the affected PaperCut server making an HTTP GET request over port 443 to 192.184.35[.]216.

The HTTP GET requests to 50.19.48[.]59 had Target URIs such as ‘/me1.bat’, ‘/me2.bat’, ‘/dom.zip’, ‘/mazar.bat’, and ‘/mazar.zip’, whilst the HTTP GET requests to 192.184.35[.]216 had the Target URI ‘/4591187629.exe’. The User-Agent header of the GET requests to 192.184.35[.]216 indicated that that the malicious file transfers were initiated through Microsoft’s pre-installed Background Intelligent Transfer Service (BITS).

Figure 2: Darktrace’s Advanced Search data showing a PaperCut server downloading Batch and ZIP files from 50.19.48[.]59 straight after receiving likely exploit connections from 85.106.112[.]60.
Figure 3: Darktrace’s Event Log data showing a PaperCut server downloading an executable file from 192.184.35[.]216 immediately after receiving a likely exploit connection from the Tor node, 185.34.33[.]2.

Downloads from 50.19.48[.]59 were followed by cURL GET requests to 138.68.61[.]82 and then connections to external endpoints associated with the cryptocurrency miner, Mimu (as seen in Fig 4). Downloads from 192.184.35[.]216 were followed by Python-urllib GET requests to api.ipify[.]org and long connections to Tor nodes (as seen in Fig 5).  

These facts suggest that the actor behind the 50.19.48[.]59 chains were seeking to drop cryptocurrency miners on PaperCut servers, with the intention of abusing the customer’s network to carry out resource intensive and costly cryptocurrency mining activity. Meanwhile, the actors behind the 192.184.35[.]216 chains were likely attempting to establish a Tor-based C2 channel with PaperCut servers to allow actors to further communicate with compromised devices.

Figure 4: Darktrace's Event Log data showing a PaperCut contacting 50.19.48[.]59 to download payloads, and then making a cURL request to 138.68.61[.]82 before contacting a Mimu crypto-mining endpoint.
Figure 5: Darktrace’s Event Log data showing a PaperCut server contacting 192.184.35[.]216 to download a payload, and then making connections to api.ipify[.]org and several Tor nodes.

The activities ensuing from both attack chains were varied, making it difficult to ascertain whether the activities were steps of separate attack chains, or steps of the existing 50.19.48[.]59 and 192.184.35[.]216 chains. A wide variety of activities ensued from observed 50.19.48[.]59 and 192.184.35[.]216 chains, including the abuse of pre-installed tools, such as cURL, CertUtil, and PowerShell to transfer further payloads to PaperCut servers, Cobalt Strike C2 communication, Ngrok usage, Mimikatz usage, AnyDesk usage, and in one case, detonation of the LockBit ransomware strain.

Figure 6: Diagram representing the steps of observed 50.19.48[.]59 chains.
Figure 7: Diagram representing the steps of observed 192.184.35[.]215 chains.

As the PaperCut servers that were targeted by malicious actors are Internet-facing, they regularly receive connections from unusual external endpoints. The exploit connections in the 50.19.48[.]59 and 192.184.35[.]216 chains, which originated from unusual external endpoints, were therefore not detected by Darktrace DETECT™, which relies on anomaly-based methods to detect network-based steps of an intrusion.

On the other hand, the post-exploitation steps of the 50.19.48[.]59 and 192.184.35[.]216 chains yielded ample anomaly-based detections, given that they consisted of PaperCut servers displaying highly unusual behaviors. As such Darktrace DETECT was able to successfully identify multiple chains of suspicious activity, including unusual file downloads from external endpoints and beaconing activity to rare external locations.

The file downloads from 50.19.48[.]59 observed in the 50.19.48[.]59 chains caused the following Darktrace DETECT models to breach:

- Anomalous Connection / Application Protocol on Uncommon Port

- Anomalous File / Internet Facing System File Download

- Anomalous File / Script from Rare External Location

- Anomalous File / Zip or Gzip from Rare External Location

- Device / Internet Facing Device with High Priority Alert

Figure 8: Darktrace’s Event Log data showing a PaperCut server breaching several models immediately after contacting 50.19.48[.]59.

The file downloads from 192.184.35[.]216 observed in the 192.184.35[.]216 chains caused the following Darktrace DETECT models to breach:

- Anomalous File / EXE from Rare External Location

- Anomalous File / Numeric File Download

- Device / Internet Facing Device with High Priority Alert

Figure 9: Darktrace’s Event Log data showing a PaperCut server breaching several models immediately after contacting 192.184.35[.]216.

Subsequent C2, beaconing, and crypto-mining connections in the 50.19.48[.]59 chains caused the following Darktrace DETECT models to breach:

- Anomalous Connection / New User Agent to IP Without Hostname

- Anomalous Server Activity / New User Agent from Internet Facing System

- Anomalous Server Activity / Rare External from Server

- Compromise / Crypto Currency Mining Activity

- Compromise / High Priority Crypto Currency Mining

- Compromise / High Volume of Connections with Beacon Score

- Compromise / Large Number of Suspicious Failed Connections

- Compromise / SSL Beaconing to Rare Destination

- Device / Initial Breach Chain Compromise

- Device / Large Number of Model Breaches

Figure 10: Darktrace’s Event Log data showing a PaperCut server breaching models as a result of its connections to a Mimu crypto-mining endpoint.

Subsequent C2, beaconing, and Tor connections in the 192.184.35[.]216 chains caused the following Darktrace DETECT models to breach:

- Anomalous Connection / Application Protocol on Uncommon Port

- Compromise / Anomalous File then Tor

- Compromise / Beaconing Activity To External Rare

- Compromise / Possible Tor Usage

- Compromise / Slow Beaconing Activity To External Rare

- Compromise / Uncommon Tor Usage

- Device / Initial Breach Chain Compromise

Figure 11: Darktrace’s Event Log data showing a PaperCut server breaching several models as a result of its connections to Tor nodes.

Darktrace RESPOND

Darktrace RESPOND™ was not active in any of the networks affected by 192.184.35[.]216 activity, however, RESPOND was active in some of the networks affected by 50.19.48[.]59 activity.  In those environments where RESPOND was enabled in autonomous mode, observed malicious activities resulted in intervention from RESPOND, including autonomous actions like blocking connections to specific external endpoints, blocking all outgoing traffic, and restricting affected devices to a pre-established pattern of behavior.

Figure 12: Darktrace’s Event Log data showing Darktrace RESPOND automatically performing inhibitive actions on a device in response to the device’s connection to 50.19.48[.]59.
Figure 13: Darktrace’s Event Log data showing Darktrace RESPOND automatically performing inhibitive actions on a device in response to the device’s connections to a Mimu crypto-mining endpoint.

Darktrace Cyber AI Analyst

Cyber AI Analyst autonomously investigated model breaches caused by events within these 50.19.48[.]59 and 192.184.35[.]216 chains. Cyber AI Analyst created user-friendly and detailed descriptions of these events, and then linked together these descriptions into threads representing the attack chains. Darktrace DETECT thus uncovered the individual steps of the attack chains, while Cyber AI Analyst was able to piece together the individual steps and uncover the attack chains themselves.  

Figure 14: An AI Analyst Incident entry showing the first event in a 50.19.48[.]59 chain uncovered by Cyber AI Analyst.
Figure 15: An AI Analyst Incident entry showing the second event in a 50.19.48[.]59 chain uncovered by Cyber AI Analyst.
Figure 16: An AI Analyst Incident entry showing the third event in a 50.19.48[.]59 chain uncovered by Cyber AI Analyst.
Figure 17: An AI Analyst Incident entry showing the first event in a 192.184.35[.]216 chain uncovered by Cyber AI Analyst.
Figure 18: An AI Analyst Incident entry showing the second event in a 192.184.35[.]216 chain uncovered by Cyber AI Analyst.

Conclusion

The existence of critical vulnerabilities in third-party software leaves organizations at constant risk of malicious actors breaching the perimeters of their networks. This risk can be mitigated through attack surface management and regular patching. However, this does not eliminate cyber risk entirely, meaning that organizations must be prepared for the eventuality of malicious actors getting inside their digital estate.

In April 2023, Darktrace observed malicious actors breaching the perimeters of several customer networks through exploitation of a critical vulnerability in PaperCut. Darktrace DETECT observed actors exploiting PaperCut servers to conduct a wide variety of post-exploitation activities, including downloading malicious payloads associated with cryptocurrency mining or payloads with Tor-based C2 capabilities. Darktrace DETECT created numerous model breaches based on this activity which alerted then customer’s security teams early in their development, providing them with ample time to take mitigative steps.

The successful detection of this payload delivery activity, along with the crypto-mining, beaconing, and Tor C2 activities which followed, elicited Darktrace RESPOND to take autonomous inhibitive action against the ongoing activity in those environments where it was operating in autonomous response mode.

If left to unfold, these intrusions developed in a variety of ways, in some cases leading to Cobalt Strike and ransomware activity. The detection of these intrusions in their early stages thus played a vital role in preventing malicious cyber actors from causing significant disruption.

Credit to: Sam Lister, Senior SOC Analyst, Zoe Tilsiter, Senior Cyber Analyst.

Appendices

MITRE ATT&CK Mapping

Initial Access techniques:

- Exploit Public-Facing Application (T1190)

Execution techniques:

- Command and Scripting Interpreter: PowerShell (T1059.001)

Discovery techniques:

- System Network Configuration Discovery (T1016)

Command and Control techniques

- Application Layer Protocol: Web Protocols (T1071.001)

- Encrypted Channel: Asymmetric Cryptography (T1573.002)

- Ingress Tool Transfer (T1105)

- Non-Standard Port (T1571)

- Protocol Tunneling (T1572)

- Proxy: Multi-hop Proxy (T1090.003)

- Remote Access Software (T1219)

Defense Evasion techniques:

- BITS Jobs (T1197)

Impact techniques:

- Data Encrypted for Impact (T1486)

List of Indicators of Compromise (IoCs)

IoCs from 50.19.48[.]59 attack chains:

- 85.106.112[.]60

- http://50.19.48[.]59:82/me1.bat

- http://50.19.48[.]59:82/me2.bat

- http://50.19.48[.]59:82/dom.zip

- 138.68.61[.]82

- update.mimu-me[.]cyou • 102.130.112[.]157

- 34.195.77[.]216

- http://50.19.48[.]59:82/mazar.bat

- http://50.19.48[.]59:82/mazar.zip

- http://50.19.48[.]59:82/prx.bat

- http://50.19.48[.]59:82/lol.exe  

- http://77.91.85[.]117/122.exe

- windows.n1tro[.]cyou • 176.28.51[.]151

- 77.91.85[.]117

- 91.149.237[.]76

- kernel-mlclosoft[.]site • 104.21.29[.]206

- tunnel.us.ngrok[.]com • 3.134.73[.]173

- 212.113.116[.]105

- c34a54599a1fbaf1786aa6d633545a60 (JA3 client fingerprint of crypto-mining client)

IoCs from 192.184.35[.]216 attack chains:

- 185.56.83[.]83

- 185.34.33[.]2

- http://192.184.35[.]216:443/4591187629.exe

- api.ipify[.]org • 104.237.62[.]211

- www.67m4ipctvrus4cv4qp[.]com • 192.99.43[.]171

- www.ynbznxjq2sckwq3i[.]com • 51.89.106[.]29

- www.kuo2izmlm2silhc[.]com • 51.89.106[.]29

- 148.251.136[.]16

- 51.158.231[.]208

- 51.75.153[.]22

- 82.66.61[.]19

- backmainstream-ltd[.]com • 77.91.72[.]149

- 159.65.42[.]223

- 185.254.37[.]236

- http://137.184.56[.]77:443/for.ps1

- http://137.184.56[.]77:443/c.bat

- 45.88.66[.]59

- http://5.8.18[.]237/download/Load64.exe

- http://5.8.18[.]237/download/sdb64.dll

- 140e0f0cad708278ade0984528fe8493 (JA3 client fingerprint of Tor-based client)

References

[1] https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-137a

[2] https://www.papercut.com/kb/Main/PaperCutMFSolutionBrief/

[3] https://www.zerodayinitiative.com/advisories/ZDI-23-233/

[4] https://www.papercut.com/kb/Main/PO-1216-and-PO-1219

[5] https://www.trendmicro.com/en_us/research/23/d/update-now-papercut-vulnerability-cve-2023-27350-under-active-ex.html

[6] https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software

[7] https://news.sophos.com/en-us/2023/04/27/increased-exploitation-of-papercut-drawing-blood-around-the-internet/

[8] https://twitter.com/MsftSecIntel/status/1651346653901725696

[9] https://twitter.com/MsftSecIntel/status/1654610012457648129

[10] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Sam Lister
SOC Analyst

More in this series

No items found.

Blog

/

Network

/

June 16, 2025

Tracking CVE-2025-31324: Darktrace’s detection of SAP Netweaver exploitation before and after disclosure 

person working on laptopDefault blog imageDefault blog image

Introduction: Exploiting SAP platforms

Global enterprises depend extensively on SAP platforms, such as SAP NetWeaver and Visual Composer, to run critical business processes worldwide. These systems; however, are increasingly appealing targets for well-resourced adversaries:

What is CVE-2025-31324?

CVE-2025-31324 affects SAP’s NetWeaver Visual Composer, a web-based software modeling tool. SAP NetWeaver is an application server and development platform that runs and connects SAP and non-SAP applications across different technologies [2]. It is commonly used by process specialists to develop application components without coding in government agencies, large enterprises, and by critical infrastructure operators [4].

CVE-2025-31324 affects SAP’s Netweaver Visual Composer Framework 7.1x (all SPS) and above [4]. The vulnerability in a Java Servlet (/irj/servlet_jsp) would enable an unauthorized actor to upload arbitrary files to the /developmentserver/metadatauploader endpoint, potentially resulting in remote code execution (RCE) and full system compromise [3]. The issue stems from an improper authentication and authorization check in the SAP NetWeaver Application Server Java systems [4].

What is the severity rating of CVE-2025-31324?

The vulnerability, first disclosed on April 24, 2025, carries the highest severity rating (CVSS v3 score: 10.0) and could allow remote attackers to upload malicious files without requiring authentication [1][5]. Although SAP released a workaround on April 8, many organizations are hesitant to take their business-critical SAP NetWeaver systems offline, leaving them exposed to potential exploitation [2].

How is CVE-2025-31324 exploited?

The vulnerability is exploitable by sending specifically crafted GET, POST, or HEAD HTTP requests to the /developmentserver/metadatauploader URL using either HTTP or HTTPS. Attackers have been seen uploading malicious files (.jsp, .java, or .class files to paths containing “\irj\servlet_jsp\irj\”), most of them being web shells, to publicly accessible SAP NetWeaver systems.

External researchers observed reconnaissance activity targeting this vulnerability in late January 2025, followed by a surge in exploitation attempts in February. The first confirmed compromise was reported in March [4].

Multiple threat actors have reportedly targeted the vulnerability, including Chinese Advanced Persistent Threats (APTs) groups Chaya_004 [7], UNC5221, UNC5174, and CL-STA-0048 [8], as well as ransomware groups like RansomEXX, also known as Storm-2460, BianLian [4] or Qilin [6] (the latter two share the same indicators of  compromise (IoCs)).

Following the initial workaround published on April 8, SAP released a security update addressing CVE-2025-31324 and subsequently issued a patch on May 13 (Security Note 3604119) to resolve the root cause of the vulnerability [4].

Darktrace’s coverage of CVE-2025-31324 exploitation

Darktrace has observed activity indicative of threat actors exploiting CVE-2025-31324, including one instance detected before the vulnerability was publicly disclosed.

In April 2025, the Darktrace Threat Research team investigated activity related to the CVE-2025-31324 on SAP devices and identified two cases suggesting active exploitation of the vulnerability. One case was detected prior to the public disclosure of the vulnerability, and the other just two days after it was published.

Early detection of CVE 2025-31324 by Darktrace

Timeline of events for an internet-facing system, believed to be a SAP device, exhibiting activity indicative of CVE-2025-31324 exploitation.
Figure 1: Timeline of events for an internet-facing system, believed to be a SAP device, exhibiting activity indicative of CVE-2025-31324 exploitation.

On April 18, six days prior to the public disclosure of CVE-2025-31324, Darktrace began to detect unusual activity on a device belonging to a logistics organization in the Europe, the Middle East and Africa (EMEA) region. Multiple IoCs observed during this incident have since been linked via OSINT to the exploitation of CVE-2025-31324. Notably, however, this reporting was not available at the time of detection, highlighting Darktrace’s ability to detect threats agnostically, without relying on threat intelligence.

The device was observed making  domain name resolution request for the Out-of-Band Application Security Testing (OAST) domain cvvr9gl9namk9u955tsgaxy3upyezhnm6.oast[.]online. OAST is often used by security teams to test if exploitable vulnerabilities exist in a web application but can similarly be used by threat actors for the same purpose [9].

Four days later, on April 22, Darktrace observed the same device, an internet-facing system believed to be a SAP device, downloading multiple executable (.exe) files from several Amazon Simple Storage Service (S3). Darktrace’s Threat Research team later found these files to be associated with the KrustyLoader  malware [23][24][25].

KrustyLoader is known to be associated with the Chinese threat actor UNC5221, also known as UTA0178, which has been reported to aggressively target devices exposed to the internet [10] [14] [15]. It is an initial-stage malware which downloads and launches a second-stage payload – Sliver C2. Sliver is a similar tool to Cobalt Strike (an open-source post-exploitation toolkit). It is used for command-and-control (C2) connections [11][12]13]. After its successful download, KrustyLoader deletes itself to evade detection.  It has been reported that multiple Chinese APT groups have deployed KrustyLoader on SAP Netweaver systems post-compromise [8].

The actors behind KrustyLoader have also been associated with the exploitation of zero-day vulnerabilities in other enterprise systems, including Ivanti devices [12]. Notably, in this case, one of the Amazon S3 domains observed (abode-dashboard-media.s3.ap-south-1.amazonaws[.]com ) had previously been investigated by Darktrace’s Threat Research team as part of their investigation into Ivanti Connect Secure (CS) and Policy Secure (PS) appliances.

In addition to the download of known malicious files, Darktrace also detected new IoCs, including several executable files that could not be attributed to any known malware families or previous attacks, and for which no corresponding OSINT reporting was available.

Post-CVE publication detection

Exploit Validation

Between April 27 and 29, Darktrace observed unusual activity from an SAP device on the network of a manufacturing customer in EMEA.

Figure 2: Darktrace / NETWORK’s detection of an SAP device performing a large volume of suspicious activity between April 27 and April 29.

The device was observed making DNS requests for OAST domains (e.g. aaaaaaaa.d06qqn7pu5a6u25tv9q08p5xhbjzw33ge.oast[.]online and aaaaaaaaaaa.d07j2htekalm3139uk2gowmxuhapkijtp.oast[.]pro), suggesting that a threat actor was testing for exploit validation [9].

Darktrace / NETWORK’s detection of a SAP device making suspicious domain name resolution requests for multiple OAST domains.
Figure 3: Darktrace / NETWORK’s detection of a SAP device making suspicious domain name resolution requests for multiple OAST domains.

Privilege escalation tool download attempt

One day later, Darktrace observed the same device attempting to download an executable file from hxxp://23.95.123[.]5:666/xmrigCCall/s.exe (SHA-1 file hash: e007edd4688c5f94a714fee036590a11684d6a3a).

Darktrace / NETWORK identified the user agents Microsoft-CryptoAPI/10.0 and CertUtil URL Agent during the connections to 23.95.123[.]5. The connections were made over port 666, which is not typically used for HTTP connections.

Multiple open-source intelligence (OSINT) vendors have identified the executable file as either JuicyPotato or SweetPotato, both Windows privilege escalation tools[16][17][18][19]. The file hash and the unusual external endpoint have been associated with the Chinese APT group Gelsemium in the past, however, many threat actors are known to leverage this tool in their attacks [20] [21].

Figure 4: Darktrace’s Cyber AI Analyst’s detection of a SAP device downloading a suspicious executable file from hxxp://23.95.123[.]5:666/xmrigCCall/s.exe on April 28, 2025.

Darktrace deemed this activity highly suspicious and triggered an Enhanced Monitoring model alert, a high-priority security model designed to detect activity likely indicative of compromise. As the customer was subscribed to the Managed Threat Detection service, Darktrace’s Security Operations Centre (SOC) promptly investigated the alert and notified the customer for swift remediation. Additionally, Darktrace’s Autonomous Response capability automatically blocked connections to the suspicious IP, 23.95.123[.]5, effectively containing the compromise in its early stages.

Actions taken by Darktrace’s Autonomous Response to block connections to the suspicious external endpoint 23.95.123[.]5. This event log shows that the connections to 23.95.123[.]5 were made over a rare destination port for the HTTP protocol and that new user agents were used during the connections.
Figure 5: Actions taken by Darktrace’s Autonomous Response to block connections to the suspicious external endpoint 23.95.123[.]5. This event log shows that the connections to 23.95.123[.]5 were made over a rare destination port for the HTTP protocol and that new user agents were used during the connections.

Conclusion

The exploitation of CVE-2025-31324 to compromise SAP NetWeaver systems highlights the persistent threat posed by vulnerabilities in public-facing assets. In this case, threat actors leveraged the flaw to gain an initial foothold, followed by attempts to deploy malware linked to groups affiliated with China [8][20].

Crucially, Darktrace demonstrated its ability to detect and respond to emerging threats even before they are publicly disclosed. Six days prior to the public disclosure of CVE-2025-31324, Darktrace detected unusual activity on a device believed to be a SAP system, which ultimately represented an early detection of the CVE. This detection was made possible through Darktrace’s behavioral analysis and anomaly detection, allowing it to recognize unexpected deviations in device behavior without relying on signatures, rules or known IoCs. Combined with its Autonomous Response capability, this allowed for immediate containment of suspicious activity, giving security teams valuable time to investigate and mitigate the threat.

Credit to Signe Zaharka (Principal Cyber Analyst), Emily Megan Lim, (Senior Cyber Analyst) and Ryan Traill (Analyst Content Lead)

Appendices

List of IoCs

23.95.123[.]5:666/xmrigCCall/s.exe - URL- JuicyPotato/SweetPotato - high confidence

29274ca90e6dcf5ae4762739fcbadf01- MD5 file hash - JuicyPotato/SweetPotato - high confidence

e007edd4688c5f94a714fee036590a11684d6a3a - SHA-1 file hash - JuicyPotato/SweetPotato -high confidence

3268f269371a81dbdce8c4eedffd8817c1ec2eadec9ba4ab043cb779c2f8a5d2 - SHA-256 file hash - JuicyPotato/SweetPotato -high confidence

abode-dashboard-media.s3.ap-south-1.amazonaws[.]com/nVW2lsYsYnv58 - URL- high confidence

applr-malbbal.s3.ap-northeast-2.amazonaws[.]com/7p3ow2ZH - URL- high confidence

applr-malbbal.s3.ap-northeast-2.amazonaws[.]com/UUTICMm - URL- KrustyLoader - high confidence

beansdeals-static.s3.amazonaws[.]com/UsjKy - URL- high confidence

brandnav-cms-storage.s3.amazonaws[.]com/3S1kc - URL- KrustyLoader - high confidence

bringthenoiseappnew.s3.amazonaws[.]com/pp79zE - URL- KrustyLoader - high confidence

f662135bdd8bf792a941ea222e8a1330 - MD5 file hash- KrustyLoader - high confidence

fa645f33c0e3a98436a0161b19342f78683dbd9d - SHA-1 file hash- KrustyLoader - high confidence

1d26fff4232bc64f9ab3c2b09281d932dd6afb84a24f32d772d3f7bc23d99c60 - SHA-256 file hash- KrustyLoader - high confidence

6900e844f887321f22dd606a6f2925ef - MD5 file hash- KrustyLoader - high confidence

da23dab4851df3ef7f6e5952a2fc9a6a57ab6983 - SHA-1 file hash- KrustyLoader - high confidence

1544d9392eedf7ae4205dd45ad54ec67e5ce831d2c61875806ce4c86412a4344 - SHA-256 file hash- KrustyLoader - high confidence

83a797e5b47ce6e89440c47f6e33fa08 - MD5 file hash - high confidence

a29e8f030db8990c432020441c91e4b74d4a4e16 - SHA-1 file hash - high confidence

72afde58a1bed7697c0aa7fa8b4e3b03 - MD5 file hash- high confidence

fe931adc0531fd1cb600af0c01f307da3314c5c9 - SHA-1 file hash- high confidence

b8e56de3792dbd0f4239b54cfaad7ece3bd42affa4fbbdd7668492de548b5df8 - SHA-256 file hash- KrustyLoader - high confidence

17d65a9d8d40375b5b939b60f21eb06eb17054fc - SHA-1 file hash- KrustyLoader - high confidence

8c8681e805e0ae7a7d1a609efc000c84 - MD5 file hash- KrustyLoader - high confidence

29274ca90e6dcf5ae4762739fcbadf01 - MD5 file hash- KrustyLoader - high confidence

Darktrace Model Detections

Anomalous Connection / CertUtil Requesting Non Certificate

Anomalous Connection / CertUtil to Rare Destination

Anomalous Connection / Powershell to Rare External

Anomalous File / EXE from Rare External Location

Anomalous File / Multiple EXE from Rare External Locations

Anomalous File / Internet Facing System File Download

Anomalous File / Masqueraded File Transfer (Enhanced Monitoring)

Anomalous Server Activity / New User Agent from Internet Facing System

Compliance / CertUtil External Connection

Compromise / High Priority Tunnelling to Bin Services (Enhanced Monitoring)

Compromise / Possible Tunnelling to Bin Services

Device / Initial Attack Chain Activity (Enhanced Monitoring)

Device / Suspicious Domain

Device / Internet Facing Device with High Priority Alert

Device / Large Number of Model Alerts

Device / Large Number of Model Alerts from Critical Network Device (Enhanced Monitoring)

Device / New PowerShell User Agent

Device / New User Agent

Autonomous Response Model Alerts

Antigena / Network / External Threat / Antigena Suspicious File Block

Antigena / Network / Significant Anomaly / Antigena Controlled and Model Alert

Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block

Antigena / Network / Significant Anomaly / Antigena Significant Server Anomaly Block

Antigena/ Network / External Threat / Antigena Suspicious File Block

Antigena/ Network / External Threat / Antigena Suspicious File Pattern of Life Block

Antigena/ Network / Significant Anomaly / Antigena Alerts Over Time Block

Antigena/ Network / Significant Anomaly / Antigena Controlled and Model Alert

Antigena/ Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block

Antigena/ Network / Significant Anomaly / Antigena Significant Server Anomaly Block

Cyber AI Analyst Incidents

Possible HTTP Command and Control

Suspicious File Download

MITRE ATT&CK Mapping

Malware - RESOURCE DEVELOPMENT - T1588.001

PowerShell - EXECUTION - T1059.001

Drive-by Compromise - INITIAL ACCESS - T1189

Ingress Tool Transfer - COMMAND AND CONTROL - T1105

Application Layer Protocol - COMMAND AND CONTROL - T1071

Exploitation of Remote Services - LATERAL MOVEMENT - T1210

Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - EXFILTRATION - T1048.003

References

1. https://nvd.nist.gov/vuln/detail/CVE-2025-31324

2. https://www.bleepingcomputer.com/news/security/over-1-200-sap-netweaver-servers-vulnerable-to-actively-exploited-flaw/

3. https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/

4. https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/

5. https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/

6. https://op-c.net/blog/sap-cve-2025-31324-qilin-breach/

7. https://www.forescout.com/blog/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor/

8. https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures

9. https://portswigger.net/burp/application-security-testing/oast

10. https://www.picussecurity.com/resource/blog/unc5221-cve-2025-22457-ivanti-connect-secure  

11. https://malpedia.caad.fkie.fraunhofer.de/details/elf.krustyloader

12. https://www.broadcom.com/support/security-center/protection-bulletin/krustyloader-backdoor

13. https://labs.withsecure.com/publications/new-krustyloader-variant-dropped-via-screenconnect-exploit

14. https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability

15. https://thehackernews.com/2024/01/chinese-hackers-exploiting-critical-vpn.html

16. https://www.virustotal.com/gui/file/3268f269371a81dbdce8c4eedffd8817c1ec2eadec9ba4ab043cb779c2f8a5d2

17. https://bazaar.abuse.ch/sample/3268f269371a81dbdce8c4eedffd8817c1ec2eadec9ba4ab043cb779c2f8a5d2/

18. https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/report-juicypotato-hacking-tool-discovered.pdf

19. https://www.manageengine.com/log-management/correlation-rules/detecting-sweetpotato.html

20. https://unit42.paloaltonetworks.com/rare-possible-gelsemium-attack-targets-se-asia/

21. https://assets.kpmg.com/content/dam/kpmg/in/pdf/2023/10/kpmg-ctip-gelsemium-apt-31-oct-2023.pdf

22. https://securityaffairs.com/177522/hacking/experts-warn-of-a-second-wave-of-attacks-targeting-sap-netweaver-bug-cve-2025-31324.html

23. https://www.virustotal.com/gui/file/b8e56de3792dbd0f4239b54cfaad7ece3bd42affa4fbbdd7668492de548b5df8

24. https://www.virustotal.com/gui/file/1d26fff4232bc64f9ab3c2b09281d932dd6afb84a24f32d772d3f7bc23d99c60/detection

25. https://www.virustotal.com/gui/file/1544d9392eedf7ae4205dd45ad54ec67e5ce831d2c61875806ce4c86412a4344/detection

Continue reading
About the author
Signe Zaharka
Senior Cyber Security Analyst

Blog

/

/

June 12, 2025

Modernising UK Cyber Regulation: Implications of the Cyber Security and Resilience Bill

Two individuals sitting at a desk working on a documentDefault blog imageDefault blog image

The need for security and continued cyber resilience

The UK government has made national security a key priority, and the new Cyber Security and Resilience Bill (CSRB) is a direct reflection of that focus. In introducing the Bill, Secretary of State for Science, Innovation and Technology, Peter Kyle, recognised that the UK is “desperately exposed” to cyber threats—from criminal groups to hostile nation-states that are increasingly targeting the UK's digital systems and critical infrastructure[1].

Context and timeline for the new legislation

First announced during the King’s Speech of July 2024, and elaborated in a Department for Science, Innovation and Technology (DSIT) policy statement published in April 2025, the CSRB is expected to be introduced in Parliament during the 2025-26 legislative session.

For now, organisations in the UK remain subject to the 2018 Network and Information Systems (NIS) Regulations – an EU-derived law which was drafted before today’s increasing digitisation of critical services, rise in cloud adoption and emergence of AI-powered threats.

Why modernisation is critical

Without modernisation, the Government believes UK’s infrastructure and economy risks falling behind international peers. The EU, which revised its cybersecurity regulation under the NIS2 Directive, already imposes stricter requirements on a broader set of sectors.

The urgency of the Bill is also underscored by recent high-impact incidents, including the Synnovis attack which targeted the National Health Service (NHS) suppliers and disrupted thousands of patient appointments and procedures[2]. The Government has argued that such events highlight a systemic failure to keep pace with a rapidly evolving threat landscape[3].

What the Bill aims to achieve

This Bill represents a decisive shift. According to the Government, it will modernise and future‑proof the UK’s cyber laws, extending oversight to areas where risk has grown but regulation has not kept pace[4]. While the legislation builds on previous consultations and draws lessons from international frameworks like the EU’s NIS2 directive, it also aims to tailor solutions to the UK’s unique threat environment.

Importantly, the Government is framing cybersecurity not as a barrier to growth, but as a foundation for it. The policy statement emphasises that strong digital resilience will create the stability businesses need to thrive, innovate, and invest[5]. Therefore, the goals of the Bill will not only be to enhance security but also act as an enabler to innovation and economic growth.

Recognition that AI changes cyber threats

The CSRB policy statement recognises that AI is fundamentally reshaping the threat landscape, with adversaries now leveraging AI and commercial cyber tools to exploit vulnerabilities in critical infrastructure and supply chains. Indeed, the NCSC has recently assessed that AI will almost certainly lead to “an increase in the frequency and intensity of cyber threats”[6]. Accordingly, the policy statement insists that the UK’s regulatory framework “must keep pace and provide flexibility to respond to future threats as and when they emerge”[7].

To address the threat, the Bill signals new obligations for MSPs and data centres, timely incident reporting and dynamic guidance that can be refreshed without fresh primary legislation, making it essential for firms to follow best practices.

What might change in day-to-day practice?

New organisations in scope of regulation

Under the existing Network and Information Systems (NIS) Regulations[8], the UK already supervises operators in five critical sectors—energy, transport, drinking water, health (Operators of Essential Services, OES) and digital infrastructure (Relevant Digital Service Providers, RDSPs).

The Cyber Security and Resilience Bill retains this foundation and adds Managed Service Providers (MSPs) and data centres to the scope of regulation to “better recognise the increasing reliance on digital services and the vulnerabilities posed by supply chains”[9]. It also grants the Secretary of State for Science, Innovation and Technology the power to add new sectors or sub‑sectors via secondary legislation, following consultation with Parliament and industry.

Managed service providers (MSPs)

MSPs occupy a central position within the UK’s enterprise information‑technology infrastructure. Because they remotely run or monitor clients’ systems, networks and data, they hold privileged, often continuous access to multiple environments. This foothold makes them an attractive target for malicious actors.

The Bill aims to bring MSPs in scope of regulation by making them subject to the same duties as those placed on firms that provide digital services under the 2018 NIS Regulations. By doing so, the Bill seeks to raise baseline security across thousands of customer environments and to provide regulators with better visibility of supply‑chain risk.

The proposed definition for MSPs is a service which:

  1. Is provided to another organisation
  2. Relies on the use of network and information systems to deliver the service
  3. Relates to ongoing management support, active administration and/or monitoring of AI systems, IT infrastructure, applications, and/or IT networks, including for the purpose of activities relating to cyber security.
  4. Involves a network connection and/or access to the customer’s network and information systems.

Data centres

Building on the September 2024 designation of data centres as critical national infrastructure, the CSRB will fold data infrastructure into the NIS-style regime by naming it an “relevant sector" and data centres as “essential service”[10].

About 182 colocation facilities run by 64 operators will therefore come under statutory duties to notify the regulator, maintain proportionate CAF-aligned controls and report significant incidents, regardless of who owns them or what workloads they host.

New requirements for regulated organisations

Incident reporting processes

There could be stricter timelines or broader definitions of what counts as a reportable incident. This might nudge organisations to formalise detection, triage, and escalation procedures.

The Government is proposing to introduce a new two-stage incident reporting process. This would include an initial notification which would be submitted within 24 hours of becoming aware of a significant incident, followed by a full incident report which should be submitted within 72 hours of the same.

Supply chain assurance requirements

Supply chains for the UK's most critical services are becoming increasingly complex and present new and serious vulnerabilities for cyber-attacks. The recent Synnovis ransomware attacks on the NHS[11] exemplify the danger posed by attacks against the supply chains of important services and organisations. This is concerning when reflecting on the latest Cyber Security Breaches survey conducted by DSIT, which highlights that fewer than 25% of large businesses review their supply chain risks[12].

Despite these risks, the UK’s legacy cybersecurity regulatory regime does not explicitly cover supply chain risk management. The UK instead relies on supporting and non-statutory guidance to close this gap, such as the NCSC’s Cyber Assessment Framework (CAF)[13].

The CSRB policy statement acts on this regulatory shortcoming and recognises that “a single supplier’s disruption can have far-reaching impacts on the delivery of essential or digital services”[14].

To address this, the Bill would make in-scope organisations (OES and RDPS) directly accountable for the cybersecurity of their supply chains. Secondary legislation would spell out these duties in detail, ensuring that OES and RDSPs systematically assess and mitigate third-party cyber risks.

Updated and strengthened security requirements

By placing the CAF into a firmer footing and backing it with a statutory Code of Practice, the Government is setting clearer expectations about government expectations on technical standards and methods organisations will need to follow to prove their resilience.

How Darktrace can help support affected organizations

Demonstrate resilience

Darktrace’s Self-Learning AITM continuously monitors your digital estate across cloud, network, OT, email, and endpoint to detect, investigate, and autonomously respond to emerging threats in real time. This persistent visibility and defense posture helps organizations demonstrate cyber resilience to regulators with confidence.

Streamline incident reporting and compliance

Darktrace surfaces clear alerts and automated investigation reports, complete with timeline views and root cause analysis. These insights reduce the time and complexity of regulatory incident reporting and support internal compliance workflows with auditable, AI-generated evidence.

Improve supply chain visibility

With full visibility across connected systems and third-party activity, Darktrace detects early indicators of lateral movement, account compromise, and unusual behavior stemming from vendor or partner access, reducing the risk of supply chain-originated cyber-attacks.

Ensure MSPs can meet new standards

For managed service providers, Darktrace offers native multi-tenant support and autonomous threat response that can be embedded directly into customer environments. This ensures consistent, scalable security standards across clients—helping MSPs address increasing regulatory obligations.

[related-resource]

References

[1] https://www.theguardian.com/uk-news/article/2024/jul/29/uk-desperately-exposed-to-cyber-threats-and-pandemics-says-minister

[2] https://www.england.nhs.uk/2024/06/synnovis-cyber-attack-statement-from-nhs-england/

[3] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

[4] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

[5] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

[6] https://www.ncsc.gov.uk/report/impact-ai-cyber-threat-now-2027

[7] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

[8] https://www.gov.uk/government/collections/nis-directive-and-nis-regulations-2018

[9] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

[10] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

[11] https://www.england.nhs.uk/2024/06/synnovis-cyber-attack-statement-from-nhs-england/

[12] https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025/cyber-security-breaches-survey-2025

[13] https://www.ncsc.gov.uk/collection/cyber-assessment-framework

[14] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

Continue reading
About the author
The Darktrace Community
Your data. Our AI.
Elevate your network security with Darktrace AI