Update: China-Nexus APTs Exploit SAP Zero-Day to Breach Critical Infrastructure Worldwide
EclecticIQ and other security researchers have exposed a coordinated cyber-espionage campaign led by multiple China-linked APTs targeting critical infrastructure across the US, UK, and Saudi Arabia. The attackers exploited a previously unknown vulnerability in SAP NetWeaver Visual Composer (CVE-2025-31324), which allowed unauthenticated file uploads, leading to remote code execution. From there, webshells were deployed to maintain access, including a Behinder-style encrypted backdoor and a lightweight fallback shell for command execution. Infrastructure linked to the threat actors revealed logs from over 580 compromised SAP systems, with nearly 2,000 more marked as targets. The attackers focused on energy, water, medical manufacturing, and government systems—many of which were connected to industrial control environments without proper segmentation, increasing the potential impact of lateral movement and service disruption. Post-compromise actions included deployment of loaders and remote access malware, DNS beaconing, and mapping of internal networks, including cloud-connected infrastructure like AWS and VMware. Researchers confirmed that two separate SAP zero-days—CVE-2025-31324 and CVE-2025-42999—were used together in some cases to escalate access and execute code silently. Some compromised instances were already fully patched, indicating early-stage exploitation using zero-day access months before public disclosure. The use of legitimate cloud services, encrypted payloads, and obfuscation tactics points to highly skilled threat actors with long-term strategic goals. With CISA adding CVE-2025-31324 to its Known Exploited Vulnerabilities Catalog, federal agencies and private sector operators are urged to apply available patches, restrict access to vulnerable services, and monitor for signs of compromise.
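The "monitor for signs of compromise" advice above translates into a concrete log check: an unauthenticated, successful POST to an upload endpoint followed shortly by requests to a JSP path that the server had never served before is the shape of the webshell deployment described here. The Python below is an added example written for this digest, not code from EclecticIQ, SAP, or the researchers cited; the access log lines are constructed in Common Log Format, and `UPLOAD_ENDPOINT` is a placeholder path (the real endpoint is the one named in SAP's advisory for CVE-2025-31324 and is not reproduced here).

```python
import re
from datetime import datetime, timedelta

# Placeholder (assumption): replace with the upload endpoint named in SAP's
# advisory for CVE-2025-31324. It is deliberately not the real path.
UPLOAD_ENDPOINT = "/example/upload-endpoint"
WEBSHELL_EXTENSIONS = (".jsp", ".jspx")

# Constructed sample access log in Common Log Format; not real SAP output.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/May/2025:10:00:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [01/May/2025:10:02:13 +0000] "POST /example/upload-endpoint HTTP/1.1" 200 142
203.0.113.7 - - [01/May/2025:10:02:20 +0000] "GET /irj/root/helper.jsp HTTP/1.1" 200 88
10.0.0.9 - jdoe [01/May/2025:10:05:00 +0000] "GET /irj/portal/home HTTP/1.1" 200 3001
198.51.100.4 - - [01/May/2025:10:07:45 +0000] "POST /example/upload-endpoint HTTP/1.1" 401 0
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]  # ignore query strings when matching
    return ev


def find_unauthenticated_upload_chains(log_text, window=timedelta(minutes=10)):
    """Flag successful unauthenticated uploads and any never-before-seen JSP paths
    requested within `window` afterwards (the classic upload-then-invoke pattern)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = []
    for up in events:
        if not (up["method"] == "POST" and up["path"] == UPLOAD_ENDPOINT
                and up["user"] == "-" and up["status"] == 200):
            continue
        # Paths already requested before the upload are treated as pre-existing content.
        seen_before = {e["path"] for e in events if e["ts"] < up["ts"]}
        webshell_hits = [
            e["path"] for e in events
            if e["path"].lower().endswith(WEBSHELL_EXTENSIONS)
            and e["path"] not in seen_before
            and timedelta(0) <= e["ts"] - up["ts"] <= window
        ]
        findings.append({
            "client": up["client"],
            "upload_time": up["ts"].isoformat(),
            "new_webshell_paths": sorted(set(webshell_hits)),
            "severity": "critical" if webshell_hits else "high",
        })
    return findings


if __name__ == "__main__":
    for finding in find_unauthenticated_upload_chains(SAMPLE_LOG):
        print(finding)
```

The rejected 401 upload in the sample is intentionally not reported: the rule keys on a 200 response with an empty user field, because that is the condition the vulnerability creates. In a real deployment, the "seen before" baseline should come from a longer history than the window being examined, otherwise a webshell placed before the log window starts would look like normal content.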
Horabot Phishing Campaign Targets Spanish-Speaking Users with Banking Malware
A newly observed phishing campaign actively targets Spanish-speaking Windows users in Latin America, using financial-themed email lures to distribute the Horabot malware. First identified in 2023, Horabot reemerged in April 2025 with updated capabilities and broader reach, affecting users in Mexico, Colombia, Peru, Chile, Guatemala, and Argentina. The campaign starts with phishing emails impersonating invoices, tricking victims into opening ZIP files that lead to malicious HTML and HTA files. Once triggered, the malware uses VBScript and AutoIt to perform environment checks and gather system information, halting execution on systems running Avast or inside virtual machines. Horabot then downloads additional payloads that install a banking trojan, enabling credential theft, contact harvesting, and further lateral spread via Outlook COM automation. The malware’s functionality extends beyond banking credential theft, incorporating advanced techniques to maintain persistence and propagate itself across networks. It scans Outlook contact lists and automates the sending of phishing emails to new victims, increasing infection rates. Horabot also targets a wide range of web browsers, including Chrome, Edge, Brave, Opera, and others, extracting stored credentials and monitoring user activity. Fake pop-ups trick users into submitting login data, making it difficult to detect the theft in real time. Researchers believe the campaign is operated by a Brazil-based threat actor who has refined the malware over several years. The current wave of attacks shows increased complexity and a clear focus on Spanish-speaking regions, emphasizing the continued importance of phishing awareness and layered defenses in organizations and personal environments alike.
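The infection chain above starts with a ZIP attachment that carries HTML and HTA files, which is a shape a mail gateway can reject before any user opens it. The following Python is an added example for this digest, not code from the researchers who reported Horabot: it inspects an attachment in memory, flags script and HTML-application members, double extensions such as `.pdf.hta`, nested archives, and oversized uncompressed content, and returns a block/allow verdict. The sample attachment is constructed with placeholder contents; only its file names mirror the invoice lure.

```python
import io
import zipfile

# Extensions that have no business inside an invoice-themed attachment.
RISKY_EXTENSIONS = {".hta", ".html", ".htm", ".js", ".jse", ".vbs", ".vbe",
                    ".wsf", ".lnk", ".exe", ".scr", ".bat", ".cmd"}
NESTED_ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".iso", ".img"}
MAX_UNCOMPRESSED_BYTES = 50 * 1024 * 1024  # guard against decompression bombs


def _suffixes(member_name):
    """All dotted suffixes of the file name, lower-cased, e.g. ['.pdf', '.hta']."""
    base = member_name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def inspect_zip_attachment(zip_bytes):
    """Return a report dict with a 'verdict' of 'allow' or 'block' and the reasons."""
    report = {"members": [], "risky": [], "nested": [], "double_extension": [],
              "verdict": "allow", "reasons": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        report["verdict"] = "block"
        report["reasons"].append("not a valid ZIP archive")
        return report
    total = 0
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            total += info.file_size  # declared size; no member is extracted
            name = info.filename
            report["members"].append(name)
            sufs = _suffixes(name)
            last = sufs[-1] if sufs else ""
            if last in RISKY_EXTENSIONS:
                report["risky"].append(name)
                if len(sufs) >= 2:  # e.g. comprobante.pdf.hta
                    report["double_extension"].append(name)
            elif last in NESTED_ARCHIVE_EXTENSIONS:
                report["nested"].append(name)
    if total > MAX_UNCOMPRESSED_BYTES:
        report["reasons"].append(f"uncompressed size {total} exceeds limit")
    if report["risky"]:
        report["reasons"].append("script/HTML application content: " + ", ".join(report["risky"]))
    if report["nested"]:
        report["reasons"].append("nested archive: " + ", ".join(report["nested"]))
    if report["reasons"]:
        report["verdict"] = "block"
    return report


def build_sample_zip(include_risky=True):
    """Constructed attachment: invoice-style names, placeholder contents only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("leeme.txt", "placeholder")
        if include_risky:
            zf.writestr("Factura_0423.html", "<html><body>placeholder</body></html>")
            zf.writestr("comprobante.pdf.hta", "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_zip_attachment(build_sample_zip()))
    print(inspect_zip_attachment(build_sample_zip(include_risky=False)))
```

The check reads only the central directory, so it never executes or extracts a member; the size guard uses the declared uncompressed sizes, which is enough to refuse obvious bombs before any decompression happens. An unreadable archive is blocked rather than allowed, since a gateway that cannot inspect an attachment should not pass it through.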
New PupkinStealer Uses Telegram Bot API for Stealthy Credential Theft
PupkinStealer is a newly identified information-stealing malware that emerged in April 2025, targeting Windows users across enterprise and personal environments. Developed in C# and delivered as an unsigned .NET executable, the malware uses phishing emails, fake downloads, or direct messages to trick users into executing the file. Once active, it performs a range of targeted operations: extracting saved credentials from Chromium-based browsers using the Local State file and Windows DPAPI, hijacking Telegram sessions by stealing the tdata folder, and grabbing Discord authentication tokens across all client builds by parsing LevelDB files. It also collects desktop files with extensions like PDF, TXT, SQL, JPG, and PNG, and takes a 1920×1080 JPEG screenshot of the desktop. The stolen content is sorted into user-specific folders within the %APPDATA% directory, compressed into a ZIP archive labeled with the victim's username, and then exfiltrated through Telegram’s Bot API over HTTPS, blending malicious activity with legitimate encrypted traffic. The malware includes metadata such as the victim's IP address, user profile name, and security identifier (SID) with each transmission, giving attackers detailed system context. Although it lacks persistence mechanisms or advanced anti-analysis techniques, PupkinStealer leverages the Costura[.]Fody library to embed its dependencies and increase the executable’s entropy, a basic form of obfuscation that helps it bypass some static detection heuristics. Attribution points to a developer alias “Ardent,” based on hardcoded naming patterns and code strings. Despite its simplicity, the stealer poses a serious threat due to its focused capability, stealthy exfiltration method, and abuse of trusted infrastructure. Currently, no public evidence confirms that PupkinStealer has been actively deployed in the wild.
Security teams should apply multiple layers of defense, including behavioral EDR, email filtering, file execution restrictions, and monitoring for unauthorized Telegram API communications and sudden ZIP archive creation in user temp directories. The campaign also reflects a broader trend of cybercriminals using cloud-based or encrypted services to hide data theft operations from conventional security tools.
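The two monitoring items recommended above (unauthorized Telegram Bot API traffic and sudden ZIP creation in a user temp directory) are weak signals on their own but strong when they come from the same process within a short window, which is exactly the staging-then-exfiltration sequence described for PupkinStealer. The Python below is an added example for this digest, not code from the researchers who analysed the malware; the file-creation and network events are constructed, the process names are illustrative, and the bot token in the sample URL is a made-up string that the code redacts before it reaches an alert.

```python
import re
from datetime import datetime, timedelta

# Constructed telemetry (not real EDR or proxy output).
# File events: (host, timestamp, process, created path)
FILE_EVENTS = [
    ("WS01", "2025-04-20T09:00:01", "explorer.exe", r"C:\Users\alice\Documents\report.docx"),
    ("WS01", "2025-04-20T09:01:10", "invoice_viewer.exe", r"C:\Users\alice\AppData\Local\Temp\alice.zip"),
    ("WS02", "2025-04-20T09:02:00", "7zFM.exe", r"C:\Users\bob\Downloads\photos.zip"),
]
# Network events: (host, timestamp, process, destination host, URL path)
NET_EVENTS = [
    ("WS01", "2025-04-20T09:01:15", "invoice_viewer.exe", "api.telegram.org", "/bot123456:CONSTRUCTED_TOKEN/sendDocument"),
    ("WS03", "2025-04-20T09:02:30", "chrome.exe", "api.telegram.org", "/bot987654:CONSTRUCTED_TOKEN/getMe"),
    ("WS01", "2025-04-20T09:03:00", "outlook.exe", "outlook.office365.com", "/owa/"),
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
BOT_TOKEN_RE = re.compile(r"/bot\d+:[\w-]+")  # Bot API paths embed the token
ARCHIVER_ALLOWLIST = {"7zfm.exe", "7z.exe", "explorer.exe", "winrar.exe"}  # assumed legitimate archivers
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}  # may be a developer testing a bot


def _ts(s):
    return datetime.fromisoformat(s)


def redact_token(path):
    """Never copy a live bot token into an alert or ticket."""
    return BOT_TOKEN_RE.sub("/bot<redacted>", path)


def detect(file_events, net_events, window=timedelta(minutes=5)):
    """Emit per-signal alerts plus a critical alert when the same process on the same
    host writes a ZIP to a temp directory and then calls the Telegram Bot API."""
    alerts = []
    temp_zips = []
    for host, ts, proc, path in file_events:
        if (path.lower().endswith(".zip") and TEMP_DIR_RE.search(path)
                and proc.lower() not in ARCHIVER_ALLOWLIST):
            alerts.append({"rule": "temp_zip_creation", "host": host, "process": proc,
                           "severity": "medium", "detail": path})
            temp_zips.append((host, _ts(ts), proc.lower()))
    for host, ts, proc, dest, path in net_events:
        if dest.lower() != "api.telegram.org" or not BOT_TOKEN_RE.search(path):
            continue
        severity = "low" if proc.lower() in BROWSER_PROCESSES else "high"
        alerts.append({"rule": "telegram_bot_api", "host": host, "process": proc,
                       "severity": severity, "detail": redact_token(path)})
        t = _ts(ts)
        for zhost, zts, zproc in temp_zips:
            if zhost == host and zproc == proc.lower() and timedelta(0) <= t - zts <= window:
                gap = int((t - zts).total_seconds())
                alerts.append({"rule": "exfil_chain", "host": host, "process": proc,
                               "severity": "critical",
                               "detail": f"ZIP staged in temp dir then Telegram Bot API call {gap}s later"})
    return alerts


if __name__ == "__main__":
    for alert in detect(FILE_EVENTS, NET_EVENTS):
        print(alert)
```

Because the exfiltration runs over HTTPS, the URL path is only visible with TLS inspection or host-based telemetry; where neither exists, the network rule should fall back to the destination host name (from DNS or SNI) combined with the originating process not being a browser or the Telegram client. The archiver allowlist is an assumption to be tuned per environment; the point of the correlation rule is that a single unsigned executable doing both steps is rarely benign even when each step on its own is.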