Critical SAP flaw exploited to launch Auto-Color Malware attack on U.S. company

Hackers exploited a SAP NetWeaver bug to deploy upgraded Auto-Color Linux malware in an attack on a U.S. chemicals firm.

Cybersecurity firm Darktrace reported that threat actors exploited a SAP NetWeaver flaw, tracked as CVE-2025-31324, to deploy Auto-Color Linux malware in a U.S. chemicals firm attack.

“In April 2025, Darktrace identified an Auto-Color backdoor malware attack taking place on the network of a US-based chemicals company.” reads the report published by Darktrace.

“Over the course of three days, a threat actor gained access to the customer’s network, attempted to download several suspicious files and communicated with malicious infrastructure linked to Auto-Color malware.”

In April, ReliaQuest researchers warned that a zero-day vulnerability in SAP NetWeaver (CVE-2025-31324, CVSS score of 10/10) was potentially being exploited. The flaw in SAP NetWeaver Visual Composer Metadata Uploader stems from a lack of proper authorization checks. This means that unauthenticated attackers, those without valid credentials, can exploit it to upload malicious executable files to the system.

Once uploaded, these files can be executed on the host system, potentially leading to a full compromise of the targeted SAP environment. SAP addressed the flaw with the release of the April 2025 Security Patch Day. Researchers from ReliaQuest discovered the vulnerability while investigating multiple attacks, some of which led to the compromise of fully patched systems.

In April 2025, Darktrace detected a cyberattack on a U.S. chemicals firm involving Auto-Color malware. The attackers exploited the flaw CVE-2025-31324 in SAP NetWeaver to deploy the malware over three days.

On April 25, Darktrace detected suspicious incoming connections attempting to probe for vulnerabilities. Two days later, the attack escalated: a ZIP file was downloaded, followed by DNS requests to an out-of-band domain, often used by hackers to test or exfiltrate data. This triggered an alert for a suspicious ELF file, a common format for Linux malware.

Darktrace’s autonomous defense system quickly intervened, restricting the device’s network behavior while still allowing normal operations. Despite this, the attackers continued their attempts, eventually downloading multiple files, including a malicious script disguised as a routine configuration file.

Using these tools, the attacker executed commands, made DNS and SSL connections to external endpoints, and contacted infrastructure tied to known cyber-espionage groups. Within 24 hours, the Auto-Color malware was deployed, hidden in a fake log file.

Auto-Color is especially dangerous when run with root access. It installs a disguised system library to stay hidden and maintain control, even after restarts. It also tries to establish secure communication with a command-and-control (C2) server to receive further instructions.

Thanks to Darktrace’s rapid detection and response, the malware was blocked before it could fully activate. The security team extended automated protections for 24 more hours, giving them time to investigate and contain the threat. Without a live connection to its C2 server, the malware remained mostly dormant, highlighting its reliance on real-time operator control and evasion tactics designed to avoid detection in secure environments.

Darktrace pointed out that the threat now uses advanced evasion tactics and suppression methods to avoid detection when its kill chain is disrupted.

Auto-Color is a Linux backdoor malware first seen in 2024, targeting universities and government bodies in the US and Asia. It exploits SAP NetWeaver flaws and uses built-in system features like ld.so.preload to gain persistence. If run as root, it installs a fake system library for stealth. The malware hides in /var/log/cross/auto-color, uses TLS to reach a hardcoded C2 server, and suppresses behavior if offline, evading detection in secure or sandboxed setups.
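The two persistence artifacts named above, the `ld.so.preload` mechanism and the `/var/log/cross/auto-color` drop path, are both things an administrator can audit directly. The script below is an added example, not code from Darktrace or from this article: it lists the libraries forced into every process by an `ld.so.preload` file, classifies each entry (the "standard system directory" rule and the MISSING/SYSTEM/NONSTANDARD labels are this example's own heuristic), and checks for the drop path. Both paths can be overridden with arguments so the checks can be exercised against a constructed fixture.

```shell
#!/bin/sh
# Added example: audit a Linux host for the Auto-Color persistence
# artifacts the article names. Paths default to the real locations but
# accept overrides so the functions can be run against fixtures.

# Print the non-comment, non-empty entries of an ld.so.preload file.
# Each entry is a library the dynamic loader injects into every process.
preload_entries() {
    preload_file="${1:-/etc/ld.so.preload}"
    [ -f "$preload_file" ] || return 0
    # drop "# ..." comments and blank lines; anything left is a forced load
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$preload_file"
}

# Heuristic classification of one entry (an assumption of this example):
# MISSING     the file does not exist (stale or cleaned-up implant)
# SYSTEM      lives under a standard library directory
# NONSTANDARD anything else, e.g. /tmp, /var/log or a home directory
classify_preload_entry() {
    lib="$1"
    if [ ! -e "$lib" ]; then
        echo "MISSING $lib"
        return 0
    fi
    case "$lib" in
        /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) echo "SYSTEM $lib" ;;
        *) echo "NONSTANDARD $lib" ;;
    esac
}

# Classify every entry; return 1 if any entry is MISSING or NONSTANDARD.
# Entries are split on whitespace, which matches the ld.so.preload format.
audit_preload() {
    preload_file="${1:-/etc/ld.so.preload}"
    flagged=0
    for lib in $(preload_entries "$preload_file"); do
        result=$(classify_preload_entry "$lib")
        echo "$result"
        case "$result" in
            SYSTEM*) ;;
            *) flagged=$((flagged + 1)) ;;
        esac
    done
    [ "$flagged" -eq 0 ]
}

# Return 1 if the drop path reported for Auto-Color exists.
check_autocolor_path() {
    path="${1:-/var/log/cross/auto-color}"
    if [ -e "$path" ]; then
        echo "FOUND $path"
        return 1
    fi
    return 0
}

# Demonstration on a constructed fixture (no real host state is touched).
demo() {
    tmp=$(mktemp -d)
    # constructed preload file: one system library, one suspicious entry
    printf '# constructed fixture\n/usr/lib/libc.so.6\n%s/evil.so\n' "$tmp" \
        > "$tmp/preload"
    : > "$tmp/evil.so"
    mkdir -p "$tmp/auto-color"
    audit_preload "$tmp/preload" || echo "preload: flagged"
    check_autocolor_path "$tmp/auto-color" || echo "drop path: flagged"
    rm -rf "$tmp"
}

case "${1:-}" in
    --demo)  demo ;;
    --audit) audit_preload && check_autocolor_path ;;
esac
```

Run with `--audit` on a host to check the real `/etc/ld.so.preload` and `/var/log/cross/auto-color`, or with `--demo` to see the fixture run. A non-empty `ld.so.preload` is not proof of compromise on its own, since some legitimate agents use the same mechanism; treat an entry that is missing on disk or lives outside the system library directories as something to explain, not something to delete blindly.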

Auto-Color supports multiple features, including command execution, reverse shell access, traffic proxying, file changes, and config updates. The malware includes a rootkit component to hide its activity from security tools.

“From initial intrusion to the failed establishment of C2 communication, the Auto-Color malware showed a clear understanding of Linux internals and demonstrated calculated restraint designed to minimize exposure and reduce the risk of detection.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, malware)
