CL-STA-0048
CL-STA-0048 is a China-nexus APT activity cluster tracked by Unit 42 and linked in reporting to Chinese cyber-espionage. It has been associated with exploitation of the SAP NetWeaver Visual Composer vulnerability CVE-2025-31324 and was previously observed exploiting an Ivanti CSA zero-day. EclecticIQ attributed the SAP activity to CL-STA-0048 on the basis of tradecraft overlaps, including shared infrastructure and post-exploitation tactics such as DNS beaconing via ping. Reporting also cites broader industry assessments that UNC5221, UNC5174 and CL-STA-0048 are connected to China's Ministry of State Security or to affiliated private entities.

In the SAP NetWeaver intrusions, CL-STA-0048 was one of several Chinese APTs targeting unpatched, internet-facing systems. The group was observed issuing thousands of commands to compromised NetWeaver instances for network-level discovery and SAP-specific application mapping, most likely in preparation for lateral movement. EclecticIQ reported C2 traffic from compromised systems to 43.247.135[.]53 over TCP 10443; the address resolved to the CL-STA-0048-linked domain sentinelones[.]com (a lookalike of the security vendor SentinelOne's name), and reverse shell attempts to that host were observed. Shortly after the reverse shell executed, the actor used ping against an oastify.com subdomain as a DNS-based beacon. Post-exploitation relied on webshells and on reconnaissance of highly connected SAP environments, including systems connected to internal, ICS-adjacent networks.

Victims described in reporting include critical infrastructure and government-related entities in the UK, US and Saudi Arabia: natural gas distribution, water and waste utilities, medical device manufacturing, upstream oil and gas, and Saudi government ministries tied to investment and financial regulation. CL-STA-0048 is consistently named alongside UNC5221 and UNC5174 in reporting on Chinese APT exploitation of SAP NetWeaver.
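The indicators above (C2 host 43.247.135[.]53 on TCP 10443, the domain sentinelones[.]com, and ping-driven DNS beacons to an oastify.com subdomain) are the kind a detection engineer turns into rules the same day. The script below is an added example and is not code from the page, EclecticIQ or Unit 42. It runs three checks over host and network telemetry: a connection to the reported C2 address and port, DNS lookups of the C2 domain or of any oastify.com name, and a process event in which ping is pointed at an oastify.com subdomain. The third check is behavioral rather than a literal IOC, so it generalizes past the one subdomain the reporting saw (oastify.com is Burp Collaborator's default out-of-band domain, so any lookup of it from a SAP application server deserves a look). The tab-separated log format, the hostnames, the private IPs and every sample line are constructed for this example; they are not data from the reporting.

```python
"""Detection helper for the CL-STA-0048 network and host indicators above.

Added example; not code from the original page, EclecticIQ or Unit 42.
Indicators (C2 host 43.247.135[.]53 on TCP 10443, domain sentinelones[.]com,
ping-driven DNS beacons to an oastify.com subdomain) are from the reporting.
The tab-separated telemetry format and every sample line below are
constructed assumptions for this example, not a format the page describes.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators from the reporting, with defanging brackets removed for matching.
C2_IP = "43.247.135.53"
C2_PORT = 10443
C2_DOMAINS = {"sentinelones.com"}
OAST_SUFFIX = ".oastify.com"  # Burp Collaborator's default out-of-band domain

# Any ping / ping.exe invocation whose arguments include an oastify.com subdomain.
PING_OAST = re.compile(r"\bping(?:\.exe)?\b.*?(\S+\.oastify\.com)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    evidence: str


def normalize_domain(name: str) -> str:
    """Lower-case, drop a trailing dot, and undo '[.]' defanging."""
    return name.strip().lower().replace("[.]", ".").rstrip(".")


def match_conn(host: str, src: str, dst: str, port: str, proto: str) -> Alert | None:
    """Flag a connection to the reported C2 address on the reported port."""
    if dst == C2_IP and proto == "tcp" and int(port) == C2_PORT:
        return Alert("c2_connection", host, f"{src} -> {dst}:{port}/{proto}")
    return None


def match_dns(host: str, qname: str) -> Alert | None:
    """Flag lookups of the C2 domain (or a subdomain) and of any oastify.com name."""
    d = normalize_domain(qname)
    if d in C2_DOMAINS or any(d.endswith("." + c) for c in C2_DOMAINS):
        return Alert("c2_domain_lookup", host, d)
    if d.endswith(OAST_SUFFIX):
        return Alert("oast_dns_lookup", host, d)
    return None


def match_proc(host: str, user: str, cmdline: str) -> Alert | None:
    """Flag ping used as a DNS beacon: its target is an oastify.com subdomain."""
    if PING_OAST.search(cmdline):
        return Alert("oast_dns_beacon_via_ping", host, f"{user}: {cmdline}")
    return None


def detect(log_text: str) -> list[Alert]:
    """Run every rule over tab-separated telemetry lines; return alerts in log order.

    Line shapes (constructed format):
      conn <host> <src_ip> <dst_ip> <dst_port> <proto>
      dns  <host> <query_name> <qtype>
      proc <host> <user> <command line>
    """
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        kind, host, *fields = line.split("\t")
        alert = None
        if kind == "conn" and len(fields) == 4:
            alert = match_conn(host, *fields)
        elif kind == "dns" and len(fields) >= 1:
            alert = match_dns(host, fields[0])
        elif kind == "proc" and len(fields) == 2:
            alert = match_proc(host, *fields)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry from hypothetical NetWeaver hosts; not real data.
SAMPLE_LOGS = "\n".join([
    "conn\tsap-app01\t10.10.5.21\t43.247.135.53\t10443\ttcp",
    "conn\tsap-app01\t10.10.5.21\t10.10.5.5\t3200\ttcp",
    "dns\tsap-app01\tsentinelones.com\tA",
    "dns\tsap-app01\tsapgui.internal.example\tA",
    "proc\tsap-app01\tsapsys\tping -c 1 a1b2c3d4e5f6.oastify.com",
    "proc\tsap-app01\tsapsys\tping -c 1 10.10.5.5",
    "proc\tsap-app01\tsapsys\tcmd.exe /c ipconfig /all",
    "dns\tsap-app02\txyz123.oastify.com\tA",
])

if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"[{a.rule}] {a.host}: {a.evidence}")
```

On the sample input this yields four alerts: the C2 connection, the sentinelones.com lookup, the ping to an oastify.com subdomain, and a second host's oastify.com lookup. The port-only match on TCP 10443 is deliberately not a rule by itself, since that port sees plenty of benign traffic; it is paired with the address. Expect the IP and domain rules to age quickly as infrastructure rotates, while the ping-to-OAST-domain rule keeps paying off.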
Tradecraft
13 distinct techniques observed across reporting, grouped by MITRE ATT&CK tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Associated vulnerabilities
1 CVE (CVE-2025-31324) used by this actor in observed campaigns; it has been exploited in the wild.
Observables
11 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
CL-STA-0048 is a Chinese APT group reported to be exploiting SAP NetWeaver CVE-2025-31324, targeting critical infrastructure and enterprise systems.
Chinese APT group conducting reconnaissance and lateral movement preparation in SAP NetWeaver environments.
China-linked activity cluster reported targeting SAP NetWeaver via CVE-2025-31324 exploitation.
China-linked activity cluster reported targeting unpatched SAP NetWeaver instances by exploiting CVE-2025-31324 as part of the broader in-the-wild campaign.