Critical SAP Netweaver flaw exploited to deploy Auto-Color backdoor


Threat actors have been observed exploiting a now-patched critical vulnerability in SAP NetWeaver to deploy the Auto-Color backdoor in a targeted attack against a US-based chemicals company in April 2025.

According to a report from cybersecurity firm Darktrace, the attack, which took place in mid-April, exploited CVE-2025-31324, a critical flaw in SAP NetWeaver application servers that allows attackers to upload arbitrary files, potentially leading to remote code execution and full system compromise.

The attack began with the delivery of a ZIP archive that, once unpacked, executed a shell script (config.sh) via a malicious helper.jsp file, both retrieved during the initial CVE-2025-31324 exploit phase.

The compromised server then initiated outbound connections to attacker-controlled infrastructure, eventually downloading an ELF binary responsible for deploying the Auto-Color backdoor.

Throughout the intrusion, the threat actor attempted to download several suspicious files and maintained persistent communication with command-and-control (C2) infrastructure associated with the Auto-Color malware family.

Auto-Color, first observed in the wild in November 2024, is a Remote Access Trojan (RAT) targeting Linux environments. It is named for its ability to rename itself to /var/log/cross/auto-color post-infection. Previously observed targeting academic and governmental institutions in the US and Asia, Auto-Color exploits built-in Linux features such as ld.so.preload for persistence, enabling it to inject malicious shared objects system-wide.

When executed with root privileges, Auto-Color installs a counterfeit shared object, masquerading as a system utility library. If root access is unavailable, the malware adapts by operating with limited functionality while still attempting to contact its C2 server.

If the malware fails to establish a TLS-encrypted connection to its C2 server, it suppresses most of its core functions, hindering detection and analysis.
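A defender-side check for the ld.so.preload persistence described above. This is an added example, not code from the Darktrace report: it parses /etc/ld.so.preload the way the loader does and reports every preloaded object, singling out the /var/log/cross/auto-color path named in the article and any library outside the usual system directories. The trusted-directory list and the sample file contents are assumptions constructed for the example.

```python
"""Review /etc/ld.so.preload for entries of the kind Auto-Color installs."""
import os

# Assumed set of directories a legitimately preloaded library normally lives in.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# Path the article reports Auto-Color renaming itself to after infection.
AUTO_COLOR_PATH = "/var/log/cross/auto-color"


def parse_preload(content: str) -> list[str]:
    """Return the object paths listed in ld.so.preload content.

    The dynamic loader separates entries with whitespace or ':' and treats
    '#' as the start of a comment, so the parser follows the same rules.
    """
    entries = []
    for line in content.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.replace(":", " ").split())
    return entries


def suspicious_preload_entries(content: str) -> list[tuple[str, str]]:
    """Return (path, reason) for every entry; a healthy host usually has none.

    Auto-Color masquerades as a system library, so even entries under a
    trusted directory are reported for package-ownership verification.
    """
    findings = []
    for path in parse_preload(content):
        if path == AUTO_COLOR_PATH:
            findings.append((path, "matches Auto-Color rename path"))
        elif not path.startswith(TRUSTED_LIB_DIRS):
            findings.append((path, "outside system library dirs"))
        else:
            findings.append((path, "in system dir, confirm package ownership"))
    return findings


def check_host(preload_file: str = "/etc/ld.so.preload") -> list[tuple[str, str]]:
    """Run the check on the live file; an absent file means nothing is preloaded."""
    if not os.path.exists(preload_file):
        return []
    with open(preload_file, encoding="utf-8", errors="replace") as fh:
        return suspicious_preload_entries(fh.read())


# Constructed sample contents for the example, not a real capture.
SAMPLE_INFECTED = "/var/log/cross/auto-color\n/tmp/.x/libcext.so # looks like libc\n"

if __name__ == "__main__":
    for found_path, reason in check_host():
        print(f"{found_path}: {reason}")
```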

“Darktrace’s findings indicate that CVE-2025-31324 was leveraged in this instance to launch a second-stage attack, involving the compromise of the internet-facing device and the download of an ELF file representing the Auto-Color malware—an approach that has also been observed in other cases of SAP NetWeaver exploitation,” the report notes. “From initial intrusion to the failed establishment of C2 communication, the Auto-Color malware showed a clear understanding of Linux internals and demonstrated calculated restraint designed to minimize exposure and reduce the risk of detection.”
