Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors
1 malware familyExploits CVEs in the wild

Chaya_004

Also known asChaya_004

Chaya_004 is a suspected Chinese threat actor linked by Forescout Vedere Labs to ongoing exploitation of the SAP NetWeaver Visual Composer vulnerability CVE-2025-31324. Reporting states the actor targeted vulnerable NetWeaver instances from at least late April 2025 and used web shells and backdoors, including SuperShell/Supershell, in these attacks. Forescout associated the actor with infrastructure hosting Supershell backdoors, often deployed on Chinese cloud providers, and with the use of multiple penetration-testing tools described as of Chinese origin. According to the provided reporting, Chaya_004 has been tied to large-scale compromise activity affecting SAP NetWeaver systems, with at least 581 instances reportedly backdoored, including organizations in critical infrastructure sectors in the United Kingdom, the United States, and Saudi Arabia, and with plans to target roughly 1,800 additional domains. The content characterizes Chaya_004 as a Chinese APT/threat group and notes that its activity occurred alongside other China-linked clusters also exploiting the same SAP flaw, including UNC5221, UNC5174, and CL-STA-0048.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • critical-infrastructure
  • industrial
MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

1 of 15 tactics1 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1190
Exploit Public-Facing Application
ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen
SuperShellForescout Vedere Labs linked some of the ongoing attacks to a suspected Chinese threat actor they track as Chaya_004. The threat actor uses malicious infrastructure that includes "a network of servers hosting Supershell backdoors..."2Mar 18, 2026
WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2025-31324Unauthenticated Arbitrary File Upload in SAP NetWeaver Visual Composer Metadata UploaderIn the wildEvidence2

Ransomware groups and Chinese advanced persistent threat (APT) groups are targeting a critical vulnerability in SAP NetWeaver... The vulnerability, tracked as CVE-2025-31324, has a CVSS score of 10 and affects NetWeaver's Visual Composer development server. Threat actors can exploit the vulnerability using remote attacks to execute arbitrary code without authentication... SAP later confirmed it as an unrestricted file upload vulnerability... allowing attackers to upload malicious files directly to the system without authorization.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app
cloudatg insightsNews
Feb 13, 2026
AI Development & Software Engineering | CloudATG

China-linked intrusion activity exploiting SAP NetWeaver RCE (CVE-2025-31324) and deploying Golang-based tooling (SuperShell).

Read more
darktrace blogNews
Jun 16, 2025
Tracking CVE-2025-31324: Darktrace’s detection of SAP Netweaver exploitation before and after disclosure 

Chaya_004 is a Chinese APT group reported to be actively exploiting SAP NetWeaver CVE-2025-31324, targeting critical infrastructure and enterprise systems.

Read more
security weekNews
May 15, 2025
Ransomware Groups, Chinese APTs Exploit Recent SAP NetWeaver Flaws

Targeting SAP NetWeaver vulnerabilities for cyber-espionage, likely as part of broader Chinese APT activity.

Read more
dark readingNews
May 15, 2025
Critical SAP NetWeaver Vuln Faces Barrage of Cyberattacks

Suspected China-linked activity cluster exploiting SAP NetWeaver (CVE-2025-31324) using infrastructure hosting Supershell backdoors and various pentesting tools.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping1

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.