Threat actors have been observed exploiting a now-patched critical SAP NetWeaver flaw to deliver the Auto-Color backdoor in an attack targeting a U.S.-based chemicals company in April 2025.
“Over the course of three days, a threat actor gained access to the customer’s network, attempted to download several suspicious files and communicated with malicious infrastructure linked to Auto-Color malware,” Darktrace said in a report shared with The Hacker News.
The vulnerability in question is CVE-2025-31324, a severe unauthenticated file upload bug in SAP NetWeaver that enables remote code execution (RCE). It was patched by SAP in April.
Auto-Color, first documented by Palo Alto Networks Unit 42 earlier this February, functions akin to a remote access trojan, enabling remote access to compromised Linux hosts. It was observed in attacks targeting universities and government organizations in North America and Asia between November and December 2024.
The malware has been found to hide its malicious behavior should it fail to connect to its command-and-control (C2) server, a sign that the threat actors are looking to evade detection by giving the impression that it’s benign.
It supports various features, including reverse shell, file creation and execution, system proxy configuration, global payload manipulation, system profiling, and even self-removal when a kill switch is triggered.
The incident detected by Darktrace took place on April 28, when it was alerted to the download of a suspicious ELF binary on an internet-exposed machine likely running SAP NetWeaver. That said, initial signs of scanning activity are said to have occurred at least three days prior.
“CVE-2025-31324 was leveraged in this instance to launch a second-stage attack, involving the compromise of the internet-facing device and the download of an ELF file representing the Auto-Color malware,” the company said.
“From initial intrusion to the failed establishment of C2 communication, the Auto-Color malware showed a clear understanding of Linux internals and demonstrated calculated restraint designed to minimize exposure and reduce the risk of detection.”
