Netizen: Monday Security Brief (9/8/2024)

Today’s Topics:

  • Not Just Research: Threat Actors Are Weaponizing AI for Ransomware
  • CVE-2025-42957: Critical SAP S/4HANA Code Injection Vulnerability Actively Exploited
  • How can Netizen help?

Not Just Research: Threat Actors Are Weaponizing AI for Ransomware

AI-powered ransomware is no longer a distant possibility. Although the recently surfaced PromptLock turned out to be a research prototype created at NYU Tandon School of Engineering, attackers are already using tools like Claude Code to automate reconnaissance, exploitation, and extortion in the wild. What began as an academic demonstration of “Ransomware 3.0” has already been mirrored by real threat actors targeting healthcare, defense, and financial organizations.

When PromptLock samples first appeared on VirusTotal in August 2025, security researchers suspected a new form of ransomware. Analysis by ESET showed it relied on OpenAI’s GPT-OSS:20b model, dynamically generating Lua scripts to perform reconnaissance and execute malicious actions. Soon after, academics confirmed that PromptLock was in fact a controlled proof-of-concept. Their goal was to demonstrate how large language models could coordinate an entire ransomware chain, from surveying a victim’s environment to deploying customized payloads and even writing tailored extortion notes. The research highlighted how easily a benign-looking AI utility could conceal hidden instructions, making detection increasingly difficult.

The fact that PromptLock was only a lab project does not mean the threat is hypothetical. Anthropic’s August 2025 threat intelligence report revealed real-world misuse of its Claude Code agent. According to the report, attackers were able to use the tool for reconnaissance, lateral movement, and large-scale data theft, embedding their preferred tactics and playbooks into configuration files so the assistant would respond in ways that supported their campaign. The same system generated ransom notes, packaged malware with evasion techniques, and analyzed stolen data to set extortion demands, some of which exceeded half a million dollars. Victims ranged from a defense contractor to financial institutions and healthcare providers, with stolen material including social security numbers, banking details, patient records, and ITAR-controlled documentation.

Anthropic responded by banning the malicious accounts and working to strengthen its detection capabilities. Security experts stress that although the core techniques of ransomware have not changed, AI drastically lowers the barrier to entry and accelerates every phase of an attack. As Exabeam’s Steve Povolny observed, what once required teams of skilled operators can now be achieved faster and cheaper through modular, AI-driven tasks, in the same way non-coders now build enterprise applications with AI assistance.

PromptLock itself may be only a proof-of-concept, but its design reflects tactics that are already active in the wild. The lesson for defenders is clear: AI is now serving attackers not just as a consultant, but as an operator, compressing the time it takes to plan and launch ransomware campaigns. Security teams will need to assume that adversaries can rapidly construct large-scale, tailored attacks with the same ease that businesses now adopt AI to streamline development and operations.


CVE-2025-42957: Critical SAP S/4HANA Code Injection Vulnerability Actively Exploited

A newly confirmed wave of exploitation is targeting CVE-2025-42957, a critical code injection flaw in SAP’s S/4HANA ERP platform. First disclosed and patched in SAP’s August 2025 security updates, the vulnerability was discovered by SecurityBridge and carries a CVSS v3 score of 9.9. The issue affects both on-premises and private cloud deployments of S/4HANA and is now being abused in the wild, with exploitation attempts spiking after the release of SAP’s patch.

The vulnerability allows attackers with only low-privileged user access to inject ABAP code into the system, ultimately giving them complete control of both the SAP environment and the host operating system. Although a valid account is required, the complexity of the attack is minimal and can be carried out remotely over the network. According to SecurityBridge, the patch is relatively easy to reverse engineer, which means attackers can quickly develop working exploits.

Reports from both SecurityBridge and Pathlock confirm that malicious actors are already testing and abusing this flaw. Once exploited, an attacker could directly manipulate or delete corporate data in the SAP database, create persistent backdoor accounts with administrative privileges, steal hashed passwords, and extend control into the host operating system. The fact that a single compromised user account can lead to full system compromise makes this vulnerability especially dangerous.

SAP customers are strongly urged to apply the August 2025 patches without delay. Beyond patching, SecurityBridge advises enabling the Unified Connectivity framework (UCON) to restrict remote function call (RFC) usage, and monitoring logs carefully for unusual RFC activity or newly created administrative accounts. Organizations should also audit privileged accounts and system activity to ensure attackers have not already established persistence.
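The monitoring advice above (watch for unusual RFC activity and newly created administrative accounts) can be turned into simple detection rules. The script below is an added example written for this brief; it is not SAP, SecurityBridge or Netizen code. The log format is constructed for the example and does not follow the layout of the real SAP Security Audit Log, so a production version would first normalize exported audit records into this shape. The profile names, the trusted network range and the per-minute RFC threshold are assumptions to be tuned to your own environment.

```python
"""Flag three things a defender would want to see after the SAP August 2025
patch: accounts created with an administrative profile, RFC calls from
outside the trusted network, and bursts of RFC calls by one actor.
Log lines are constructed for this example (not a real SAP log format).
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumptions: which profiles count as administrative, which source networks
# are expected to issue RFC calls, and how many calls per minute is unusual.
ADMIN_PROFILES = {"SAP_ALL", "SAP_NEW"}
TRUSTED_RFC_NETS = [ipaddress.ip_network("10.10.0.0/16")]
RFC_BURST_THRESHOLD = 3

# Constructed sample events: timestamp|actor|event|key=value details|source IP
SAMPLE_LOG = """\
2025-09-05T08:12:03Z|JSMITH|LOGIN|type=DIALOG|10.10.1.25
2025-09-05T08:14:10Z|JSMITH|RFC_CALL|fm=RFC_READ_TABLE|10.10.1.25
2025-09-05T08:30:44Z|BATCH01|RFC_CALL|fm=BAPI_USER_GET_DETAIL|10.10.5.7
2025-09-05T09:02:19Z|JSMITH|USER_CREATE|user=SVC_MAINT profile=SAP_ALL|10.10.1.25
2025-09-05T09:02:21Z|JSMITH|RFC_CALL|fm=RFC_READ_TABLE|10.10.1.25
2025-09-05T09:02:22Z|JSMITH|RFC_CALL|fm=RFC_READ_TABLE|10.10.1.25
2025-09-05T09:02:23Z|JSMITH|RFC_CALL|fm=RFC_READ_TABLE|10.10.1.25
2025-09-05T09:03:00Z|SVC_MAINT|RFC_CALL|fm=RFC_READ_TABLE|203.0.113.40
2025-09-05T09:15:00Z|ADMIN|USER_CREATE|user=REPORTS profile=Z_READONLY|10.10.1.2
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    actor: str
    timestamp: str
    detail: str


def parse_line(line):
    """Split one pipe-delimited event; details become a key/value dict."""
    ts, actor, event, details, source = line.split("|", 4)
    kv = dict(item.split("=", 1) for item in details.split())
    return {"ts": ts, "actor": actor, "event": event, "kv": kv, "source": source}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_trusted(source):
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in TRUSTED_RFC_NETS)


def analyze(events):
    """Return findings in the order: per-event rules first, then burst rules."""
    findings = []
    rfc_per_minute = Counter()
    for ev in events:
        kv = ev["kv"]
        if ev["event"] == "USER_CREATE" and kv.get("profile") in ADMIN_PROFILES:
            findings.append(Finding("admin_account_created", ev["actor"], ev["ts"],
                                    f"created {kv['user']} with {kv['profile']}"))
        if ev["event"] == "RFC_CALL":
            if not is_trusted(ev["source"]):
                findings.append(Finding("rfc_from_untrusted_source", ev["actor"], ev["ts"],
                                        f"{kv.get('fm')} from {ev['source']}"))
            # Bucket by actor and minute (timestamp prefix up to the minute).
            rfc_per_minute[(ev["actor"], ev["ts"][:16])] += 1
    for (actor, minute), count in sorted(rfc_per_minute.items()):
        if count >= RFC_BURST_THRESHOLD:
            findings.append(Finding("rfc_burst", actor, minute,
                                    f"{count} RFC calls in one minute"))
    return findings


if __name__ == "__main__":
    for f in analyze(parse_log(SAMPLE_LOG)):
        print(f"{f.timestamp} {f.rule:<26} {f.actor:<10} {f.detail}")
```

On the sample data the script reports the SAP_ALL account creation by JSMITH, the RFC call by the new SVC_MAINT account from an address outside the trusted range, and the three-call RFC burst at 09:02; the read-only account created by ADMIN produces nothing. Each finding is a starting point for the account audit the brief recommends, not a verdict: in practice the allow-list and the burst threshold should come from a baseline of normal RFC traffic, and account creations should be checked against change tickets.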

CVE-2025-42957 highlights how attackers continue to focus on SAP environments as high-value targets. The vulnerability requires little effort to exploit, provides complete system access, and has already been weaponized in real-world attacks. Organizations that delay remediation face the risk of data theft, operational disruption, and potentially long-lasting compromise.


How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive-level cybersecurity expertise at a fraction of the cost of hiring internally.

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by the U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.