TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: A recent report by Aon’s Stroz Friedberg Incident Response Services provides details on a newly observed attack method dubbed “Bring Your Own Installer”. The technique allowed for an organization’s EDR tool to be disabled, enabling threat actors to deploy ransomware.
On May 5th, Aon's Stroz Friedberg Incident Response Services ("Stroz Friedberg") released a report on an investigation that was conducted into a ransomware attack, where threat actors were able to successfully disable SentinelOne's Endpoint Detection and Response (EDR) agent. The technique has been dubbed “Bring Your Own Installer” (BYOI) and allowed for threat actors with local administrative privileges to circumvent SentinelOne's anti-tamper features and disable the SentinelOne agent.
During the normal SentinelOne agent version change process, all running SentinelOne processes are terminated first. Within less than one minute, the processes for the new agent version start, indicating that the new SentinelOne agent version is running. The BYOI technique involves terminating the update process in the window after the old SentinelOne agent process has been stopped and before the new SentinelOne agent process has started.
Stroz Friedberg reports that initial access in the observed incident was the result of threat actors exploiting an unnamed vulnerability within an application running on a publicly accessible server. Exploitation of the vulnerability allowed threat actors to gain local administrative privileges on the server, enabling this attack. The threat actors used a legitimate SentinelOne agent install file for a different version than the one running on the compromised server and initiated the version change process. Using the local administrator privileges that were obtained, the threat actors were able to disrupt the SentinelOne agent update process, leaving the SentinelOne agent disabled. The threat actors were then able to deploy Babuk ransomware.
Stroz Friedberg reported this to SentinelOne, who confirmed that enabling either the local agent passphrase or the Online Authorization feature within the SentinelOne policy would mitigate this technique. The local agent passphrase feature requires a password for upgrades, while the Online Authorization feature removes the ability to perform local upgrades or downgrades. Stroz Friedberg confirmed that the Online Authorization feature was disabled during their testing of the technique, and once it was enabled, they were unable to use BYOI to disable the SentinelOne agent. Stroz Friedberg and SentinelOne privately reported this to other EDR vendors prior to publication.
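The detection opportunity in the technique described above is the timing gap itself: an agent stop that is not followed by an agent start within the expected window, especially when an installer ran just before it. The following is an added example (not code from the Stroz Friedberg report, SentinelOne or eSentire) that runs that check over a constructed set of endpoint events; the event names `installer_run`, `agent_stop` and `agent_start` and the record layout are assumptions standing in for whatever telemetry an EDR or Sysmon pipeline actually emits.

```python
"""Flag EDR agent stops that were not followed by an agent start within the
expected upgrade window (the gap the "Bring Your Own Installer" technique
abuses). Added example; event names and layout are assumptions."""
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, host, event, detail).
# "installer_run" = an agent installer was executed; "agent_stop"/"agent_start"
# = the protected agent processes stopped/started. Hypothetical event names.
SAMPLE_EVENTS = [
    ("2025-05-01T10:00:00", "srv-web-01", "installer_run", "version=B"),
    ("2025-05-01T10:00:05", "srv-web-01", "agent_stop", "version=A"),
    ("2025-05-01T10:00:40", "srv-web-01", "agent_start", "version=B"),   # normal upgrade
    ("2025-05-01T11:30:00", "srv-db-02", "installer_run", "version=C"),
    ("2025-05-01T11:30:03", "srv-db-02", "agent_stop", "version=A"),
    ("2025-05-01T11:31:10", "srv-db-02", "process_start", "name=unknown.exe"),  # no agent_start follows
    ("2025-05-01T12:00:00", "srv-app-03", "agent_stop", "version=A"),   # stop without installer
    ("2025-05-01T12:00:20", "srv-app-03", "agent_start", "version=A"),
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def find_agent_gaps(events, max_gap=timedelta(seconds=60), now=None):
    """Return one finding per agent_stop that has no agent_start within max_gap.

    Stops newer than max_gap relative to `now` are skipped: the upgrade may
    still be in progress. `now` defaults to the latest timestamp in the data.
    Each finding records whether an installer ran within max_gap before the stop.
    """
    parsed = [(parse_ts(ts), host, ev, detail) for ts, host, ev, detail in events]
    if not parsed:
        return []
    if now is None:
        now = max(p[0] for p in parsed)
    by_host = {}
    for ts, host, ev, detail in parsed:
        by_host.setdefault(host, []).append((ts, ev, detail))

    findings = []
    for host, evs in by_host.items():
        evs.sort()
        last_installer = None
        for i, (ts, ev, _detail) in enumerate(evs):
            if ev == "installer_run":
                last_installer = ts
            elif ev == "agent_stop":
                if now - ts < max_gap:
                    continue  # not decidable yet
                restarted = any(
                    e == "agent_start" and t - ts <= max_gap for t, e, _ in evs[i + 1:]
                )
                if not restarted:
                    findings.append({
                        "host": host,
                        "stopped_at": ts.isoformat(),
                        "installer_preceded": last_installer is not None
                        and ts - last_installer <= max_gap,
                    })
    return findings


if __name__ == "__main__":
    for f in find_agent_gaps(SAMPLE_EVENTS):
        print(f)
```

In the constructed data only `srv-db-02` is reported: its agent stopped three seconds after an installer ran and never came back, which is the BYOI shape. A stop followed by a start within the window (a normal upgrade) is ignored, and a stop that is more recent than the window is deferred rather than alerted on, so the rule does not fire on every legitimate in-progress upgrade.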
Disabling EDR tools is a common technique among threat actors, with various tools designed specifically for this purpose. Two notable tools that have recently been reported on are EDRSilencer and EDRKillShifter. EDRSilencer is a red team tool that leverages the Windows Filtering Platform (WFP) in order to disrupt network communication for processes associated with EDR tools. EDRKillShifter is a tool developed by RansomHub which uses a technique known as Bring Your Own Vulnerable Driver (BYOVD): it exploits vulnerabilities within legitimate drivers, allowing threat actors to gain sufficient privileges to disable an EDR tool's protection. As the deployment of EDR tools within organizations is on the rise, threat actors will likely continue to adopt and develop tools and techniques that allow security defenses to be bypassed or disabled during their attacks. This idea is underscored by the popularity of RansomHub ransomware, which is likely due to the EDRKillShifter tool being included in the toolset offered to affiliates.
Stroz Friedberg notes in their report that other EDR vendors are likely vulnerable to this technique but indicated that they do “not have knowledge of any EDR vendor, including SentinelOne, that is currently impacted by this attack when their product is properly configured.” Although Stroz Friedberg indicated that they privately contacted other EDR vendors, they confirmed that some vendors “did not respond to the disclosure of the attack pattern”; information on the vendor responses that were received was not shared. Organizations that deploy EDR tools within their environments should ensure that security policies for these tools are configured to prevent users from updating or downgrading agents without additional protections.
eSentire has enabled the Online Authorization feature within SentinelOne policies for MSSP customers at the global level. Organizations that are using custom policies within SentinelOne, or who manage their own SentinelOne instances, would not have received this policy update. These organizations are encouraged to enable this feature within SentinelOne if not already done, in order to protect against the BYOI attack. eSentire's Threat Intelligence team is continuing to track this story for further information and detection opportunities.
Bottom Line: A recent report from Forescout provides details on active exploitation of a critical SAP NetWeaver vulnerability (CVE-2025-31324) by Chinese threat actors, with exploitation being used to deploy malware. Proof-of-Concept exploit code is publicly available, simplifying the attack process.
On May 8th, Forescout published a report on their investigations into incidents involving both attempted and successful exploitation of the recently disclosed vulnerability CVE-2025-31324, impacting SAP NetWeaver (Visual Composer development server) version 7.50. Based on these investigations, Forescout has attributed the exploitation activity to a China-based threat actor, dubbed Chaya_004.
SAP NetWeaver provides organizations with a platform to integrate data, business processes, elements, and more from a variety of sources into unified SAP environments. CVE-2025-31324 (CVSS: 10) is a critical missing authentication vulnerability that allows unauthenticated attackers to upload malicious executable binaries, potentially compromising systems running vulnerable instances of SAP NetWeaver. SAP publicly disclosed the vulnerability on April 24th and confirmed it was being actively exploited in the wild. The flaw was originally discovered by cybersecurity firm ReliaQuest, which reported its existence and exploitation to SAP, as outlined in their April 22nd publication. The report by Forescout revealed that multiple Proof-of-Concept (PoC) exploit codes had been made publicly available since April 25th, leading to a surge in exploitation attempts. To mitigate the risk of exploitation, SAP released patches for the vulnerability concurrently with its public disclosure. The vulnerability was added to the Known Exploited Vulnerabilities (KEV) catalog by CISA on April 29th.
The ReliaQuest report revealed that the attackers uploaded malicious Java Server Pages (JSP) webshells to the developmentserver’s root directory via POST requests. These JSP files were aimed at gaining complete access over the compromised host, enabling the threat actor to execute commands remotely and supporting other post-exploitation activities. The successful execution of the webshells resulted in the attackers gaining full control of the system. Post-exploitation, the attackers were observed deploying a Command-and-Control (C2) framework tool, Brute Ratel, and using techniques such as Heaven’s Gate for detection evasion.
From a successful attack, Forescout discovered an IP address hosting SuperShell, a web-based reverse shell written in Go by a Chinese-speaking developer known as “tdragon6.” Further investigation revealed multiple IP addresses, primarily based in China, sharing similar infrastructure. The web interfaces of the identified IPs hosted several tools and GitHub repositories commonly associated with Chinese threat actors, including NPS, SuperShell, SoftEther VPN, NHAS, Asset Reconnaissance Lighthouse (ARL), Cobalt Strike, Pocassist, Gosint, and Go Simple Tunnel. Based on these investigations, Forescout believes the attackers are operating from China and tracks the threat actor under the name Chaya_004.
Exploitation activity escalated rapidly following the disclosure of CVE-2025-31324 and the release of the patch. The availability of multiple Proof-of-Concept (PoC) exploit codes shortly thereafter further contributed to the surge in exploitation attempts, some of which resulted in successful compromises. Reports from ReliaQuest and Forescout highlight the continued efforts by threat actors to exploit a critical vulnerability in SAP NetWeaver, underscoring the urgent need for organizations running affected versions to promptly apply the patches provided by SAP. Organizations should prioritize patching vulnerabilities in popular applications such as SAP NetWeaver, as exploitation could allow attackers to access sensitive resources and disrupt the organization’s operations.
The exact motivation of the threat actors remains unclear, as neither Forescout nor ReliaQuest reported any indicators of data exfiltration or attempts to establish persistence. Additionally, no specific information has been disclosed regarding the identities of impacted organizations. However, Forescout's report notes that the attackers targeted networks within the manufacturing sector, suggesting a wide range of possible motivations ranging from financial gains to supply chain disruption.
Organizations are recommended to perform a business impact analysis and update SAP NetWeaver to the patched versions available. If it is not actively used, organizations are recommended to disable the Visual Composer Metadata Uploader to effectively mitigate the vulnerability and prevent attackers from uploading malicious files. As the vulnerability resides in the developmentserver/metadatauploader endpoint, it is recommended to disable the application alias “developmentserver” and implement firewall rules to restrict access to the development server application URL. It is advised that administrators review any suspicious file uploads and confirm that no malicious webshells linked to the exploit have been uploaded. Implementing an effective vulnerability and patch management system, combined with a robust Endpoint Detection and Response (EDR) solution, can significantly enhance an organization’s ability to mitigate threats posed by vulnerabilities such as CVE-2025-31324.
The eSentire Threat Intelligence team has been actively tracking CVE-2025-31324 exploitation activity for additional details and detection opportunities and released a security advisory addressing it on April 25th, 2025. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to CVE-2025-31324. The eSentire Tactical Threat Response team has developed new detections to identify webshells deployed via CVE-2025-31324. eSentire MDR for Network and Endpoint have detections in place to identify Brute Ratel activity, and eSentire MDR for Network can detect malicious webshells.
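The review of uploads recommended above can be started from the web server's access logs, since the reports describe the intrusion as POST requests to the developmentserver/metadatauploader endpoint followed by use of JSP webshells dropped under that alias. The following is an added example (not code from Forescout, ReliaQuest, SAP or eSentire) that scans Common Log Format lines for that pattern; the log lines are constructed, and treating any `.jsp` request under `/developmentserver/` as a webshell indicator is an assumption drawn from the reports' description rather than a documented SAP path.

```python
"""Scan web access logs for the CVE-2025-31324 exploitation pattern:
POSTs to the Visual Composer metadata uploader and follow-up requests to
.jsp files under the developmentserver alias. Added example; sample lines
are constructed and the .jsp heuristic is an assumption."""
import re

# Endpoint named in the advisories. The .jsp-under-alias check is an assumption
# based on the reports' description of webshells dropped in that directory.
UPLOADER_PATH = "/developmentserver/metadatauploader"
JSP_UNDER_ALIAS = re.compile(r"^/developmentserver/[^?\s]+\.jsp(\?|$)", re.IGNORECASE)

# Common Log Format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines; addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Apr/2025:13:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.10 - - [25/Apr/2025:13:01:09 +0000] "GET /developmentserver/helper.jsp HTTP/1.1" 200 88
198.51.100.7 - - [25/Apr/2025:13:05:44 +0000] "GET /irj/portal HTTP/1.1" 200 9042
198.51.100.7 - - [25/Apr/2025:13:06:01 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 403 0
this line is not in Common Log Format and is skipped
"""


def parse_line(line):
    """Return the parsed fields of one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(text):
    """Collect uploader POSTs and .jsp requests under the alias, and the
    source addresses that did both (the strongest indicator of a dropped webshell)."""
    uploads, jsp_hits = [], []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path_only = rec["path"].split("?", 1)[0].lower()
        if rec["method"] == "POST" and path_only == UPLOADER_PATH:
            uploads.append(rec)
        elif JSP_UNDER_ALIAS.match(rec["path"]):
            jsp_hits.append(rec)
    suspicious = sorted({u["ip"] for u in uploads} & {j["ip"] for j in jsp_hits})
    return {"uploads": uploads, "jsp_hits": jsp_hits, "suspicious_sources": suspicious}


if __name__ == "__main__":
    result = scan_access_log(SAMPLE_LOG)
    for u in result["uploads"]:
        print("uploader POST", u["ip"], u["ts"], "status", u["status"])
    for j in result["jsp_hits"]:
        print("jsp request ", j["ip"], j["ts"], j["path"])
    print("sources to triage:", result["suspicious_sources"])
```

Every POST to the uploader is listed regardless of status code, because a 403 on a patched system is still worth knowing about as an attempt; the `suspicious_sources` list narrows that to addresses which also requested a `.jsp` under the alias afterwards. Any file those requests name should be pulled from the development server's root directory and examined, which is the manual review the recommendation above calls for.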
Bottom Line: SentinelOne released a report on a series of coordinated attacks targeting retailers within the United Kingdom, observed in April and May 2025. The reported attacks have resulted in the deployment of DragonForce ransomware.
On May 2nd, SentinelOne released a report indicating that the DragonForce ransomware group has been targeting UK retailers in a series of coordinated attacks, causing major service disruptions. Well-known retailers like Harrods, Marks and Spencer, and the Co-Op have all reported incidents impacting payment systems, inventory management, payroll, and other essential business operations. DragonForce has been associated with several significant cyber incidents, including attacks on the Honolulu OTS (Oahu Transit Services), the Government of Palau, Coca-Cola in Singapore, the Ohio State Lottery, and Yakult in Australia. The ransomware group is focused on financial gain via extortion. They have targeted retail, government institutions, commercial enterprises, law firms, medical practices, and various organizations in Israel, India, Saudi Arabia, and the United Kingdom. Attacks are often aligned with specific political causes.
DragonForce typically gains initial access through phishing emails, exploiting known vulnerabilities, or using stolen or leaked credentials to compromise Internet-facing systems. They use tools like Cobalt Strike and various Commercial Off-The-Shelf (COTS) applications to manage their campaigns, which includes launching additional payloads and implants. To gain elevated privileges and maintain persistence, DragonForce employs tools such as Mimikatz, Advanced IP Scanner, PingCastle, and various remote management tools.
The following vulnerabilities—CVE-2021-44228, CVE-2023-46805, CVE-2024-21887, CVE-2024-21412, CVE-2024-21893—have been specifically linked to DragonForce intrusions. Their ransomware payloads were originally based on the leaked LockBit (LockBit 3.0/Black) builder. However, the group has since updated its source code, creating a more customized variant based on the Conti v3 codebase.
DragonForce has also launched a white-label branding service that allows affiliates to present the ransomware under a different name for an additional fee. Additionally, a new expansion of DragonForce's services includes RansomBay leak sites, where affiliates can host data stolen from victims.
DragonForce's recent attacks on UK retail chains highlight a tactical shift toward targeting high-revenue sectors with critical operational dependencies. Their victimology spans government, healthcare, legal, and now retail sectors, indicating opportunistic targeting with a preference for impact and visibility. Retail chains, especially ones involved in complex supply chains and customer-facing operations, offer a combination of high value and high visibility, making them attractive targets for threat actors like DragonForce. With these critical business dependencies, organizations are pressured to prioritize quick negotiations and payment, giving threat actors like DragonForce the leverage they need to maximize ransom payouts. Disruptions to payment systems, inventory management, and payroll processing, as seen in the recent UK attacks, have the potential to cripple operations and add pressure on victim organizations to pay ransom demands.
According to the report, the DragonForce ransomware gang has been offering services to other threat actors by launching their own platform. This is evident in the UK retail attacks, which have been linked to an individual associated with the loosely affiliated threat actor group known as ‘The Com’. There are claims that members of this group are utilizing DragonForce ransomware. Scattered Spider (aka 0ktapus, UNC3944 and Octo Tempest) is a threat actor group that is purportedly made up of young adults residing in the United Kingdom and the United States, and overlaps with The Com's Tactics, Techniques, and Procedures (TTPs). Members of the group gained notoriety following the compromise of over 130 organizations in 2022, including Twilio, DoorDash, Mailchimp and LastPass, followed by attacks against MGM Resorts and Caesars Entertainment in 2023. Public information indicates that Caesars Entertainment paid half of the 30-million-dollar ransom demand that was made to them. In the context of the report by SentinelOne, The Com may have found it advantageous to align with DragonForce, given the sophisticated ransomware capabilities and multi-extortion model DragonForce employs. This collaboration likely helps The Com scale up their attack operations and leverage the infrastructure, tools, and resources DragonForce has developed, allowing for increased reach and impact.
The wave of attacks against UK businesses highlights the need for strong cybersecurity practices and policies, along with well-developed incident response procedures. It is essential to implement a proactive security posture that includes regular patch management, Phishing Security and Awareness Training (PSAT), Multi-Factor Authentication (MFA), and continuous monitoring for suspicious activity. Additionally, organizations must maintain well-documented and routinely tested incident response plans to ensure rapid containment, investigation, and recovery in the event of a cyberattack.
In response to the release of this report, the eSentire Threat Intelligence team is actively monitoring this topic and exploring new detection opportunities. The eSentire Threat Intelligence team has performed threat hunts across the customer base. eSentire's Managed Vulnerability Service (MVS) has plugins for the vulnerabilities listed in the report.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas Security Operations Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.