Hackers were spotted exploiting a critical SAP NetWeaver vulnerability tracked as CVE-2025-31324 to deploy the Auto-Color Linux malware in a cyberattack on a U.S.-based chemicals company.
Cybersecurity firm Darktrace discovered the attack during an incident response in April 2025, where an investigation revealed that the Auto-Color malware had evolved to include additional advanced evasion tactics.
Darktrace reports that the attack started on April 25, but active exploitation occurred two days later, delivering an ELF (Linux executable) file onto the targeted machine.
The Auto-Color malware was first documented by Palo Alto Networks' Unit 42 researchers in February 2025, who highlighted its evasive nature and difficulty in eradicating once it has established a foothold on a machine.
The backdoor adjusts its behavior based on the user privilege level it runs from, and uses 'ld.so.preload' for stealthy persistence via shared object injection.
Auto-Color features capabilities such as arbitrary command execution, file modification, reverse shell for full remote access, proxy traffic forwarding, and dynamic configuration updating. It also has a rootkit module that hides its malicious activities from security tools.
Unit 42 could not discover the initial infection vector from the attacks it observed, targeting universities and government organizations in North America and Asia.
According to the latest research by Darktrace, the threat actors behind Auto-Color exploit CVE-2025-31324, a critical vulnerability in NetWeaver that allows unauthenticated attackers to upload malicious binaries to achieve remote code execution (RCE).
Timeline of the observed attack
Source: Darktrace
... continue reading