Anatomy of a C2 Incident on SAP

Onapsis Research Labs Report

It is important for CISOs to understand that we have now crossed a threshold, a point of no return.


As part of our ongoing research, Onapsis released a report, CH4TTER, in April 2024 in coordination with Flashpoint that focused on how cybercriminals are increasingly seeing the value in targeting SAP applications.

This research delves into a recent real-world example of SAP systems being compromised and then used to launch attacks on other systems. This report aims to show that it is now more important than ever to be engaged and to ensure proper security processes and measures are in place.

On Demand Webinar


Anatomy of an Attack: Breaking Down a C2 Incident on SAP


Onapsis Research Labs observed and analyzed malicious activity detected through our global threat intelligence cloud. A system running SAP was compromised and turned into a command and control bot by injecting a malicious file via an SAP vulnerability. The C2 initiated a distributed denial of service attack involving Cloudflare.

During this session, our team will review the details of this attack, including source IP addresses, the malicious file, the installation of Midnight Commander, and the commands executed on the host system, which included an assessment of the compromised SAP system.

Report TL;DR


Onapsis Research Labs observed and analyzed malicious activity detected through our global threat intelligence cloud. A system running SAP was compromised and turned into a command and control bot by injecting a malicious file via an SAP vulnerability. The C2 initiated a distributed denial of service attack involving Cloudflare.

In this paper we will review the details of this attack, including source IP addresses, the malicious file, the installation of Midnight Commander, and the commands executed on the host system, which included an assessment of the compromised SAP system.



CH4TTER: Threat Actors Attacking SAP for Profit

Onapsis and Flashpoint have joined forces to level the playing field, revealing how threat actors are attacking SAP applications. This report details new intelligence to protect SAP from ransomware and data breaches.
