Threat actors recently tried to take advantage of a freshly patched max-severity SAP NetWeaver flaw to deploy a persistent Linux remote access trojan (RAT), “Auto-Color.”
According to a Darktrace report, a recent attack abused the flaw to set up a stealthy advanced-stage compromise but was quickly contained by its “autonomous response.”
“In April 2025, Darktrace identified an Auto-Color backdoor malware attack taking place on the network of a US-based chemicals company,” Darktrace said in a blog post shared with CSO ahead of its publication on Tuesday. “After Darktrace successfully blocked the malicious activity and contained the attack, the Darktrace Threat Research team conducted a deeper investigation into the malware, (revealing) that the threat actor had exploited CVE-2025-31324 to deploy Auto-Color as part of a multi-stage attack.”
Darktrace confirmed it as the first observed pairing of SAP NetWeaver exploitation with Auto-Color malware. Previously, the flaw was reported to have been likely exploited in zero-day attacks to install JSP web shells on SAP servers.
Frankie Sclafani, director of cybersecurity enablement at Deepwatch, said the finding warrants immediate attention from organizations. “The dangerous convergence of a critical SAP vulnerability with the elusive Auto-Color backdoor malware to target critical infrastructure signals a disturbing new chapter in cyber threats,” he added. “The security community should proactively monitor for this activity and foster collaborative intelligence sharing to further understand and counter the threat actor’s techniques.”



