Hackers had been noticed exploiting a essential SAP NetWeaver vulnerability tracked as CVE-2025-31324 to deploy the Auto-Coloration Linux malware in a cyberattack on a U.S.-based chemical substances firm.
Cybersecurity agency Darktrace found the assault throughout an incident response in April 2025, the place an investigation revealed that the Auto-Coloration malware had developed to incorporate extra superior evasion techniques.
Darktrace studies that the assault began on April 25, however lively exploitation occurred two days later, delivering an ELF (Linux executable) file onto the focused machine.
The Auto-Coloration malware was first documented by Palo Alto Networks’ Unit 42 researchers in February 2025, who highlighted its evasive nature and issue in eradicating as soon as it has established a foothold on a machine.
The backdoor adjusts its conduct based mostly on the consumer privilege stage it runs from, and makes use of ‘ld.so.preload’ for stealthy persistence by way of shared object injection.
Auto-Coloration options capabilities corresponding to arbitrary command execution, file modification, reverse shell for full distant entry, proxy visitors forwarding, and dynamic configuration updating. It additionally has a rootkit module that hides its malicious actions from security instruments.
Unit 42 couldn’t uncover the preliminary an infection vector from the assaults it noticed, focusing on universities and authorities organizations in North America and Asia.
In keeping with the most recent analysis by Darktrace, the risk actors behind Auto-Coloration exploit CVE-2025-31324, a essential vulnerability in NetWeaver that permits unauthenticated attackers to add malicious binaries to attain distant code execution (RCE).
.jpg)
Supply: Darktrace
SAP fastened the flaw in April 2025, whereas security corporations ReliaQuest, Onapsis, and watchTowr reported seeing lively exploitation makes an attempt, which culminated just a few days later.
By Might, ransomware actors and Chinese language state hackers had joined within the exploitation exercise, whereas Mandiant reported unearthing proof of zero-day exploitation for CVE-2025-31324 since at the least mid-March 2025.
Other than the preliminary entry vector, Darktrace additionally found a brand new evasion measure applied on the most recent model of Auto-Coloration.
If Auto-Coloration can’t connect with its hardcoded Command-and-Management (C2) server, it suppresses most of its malicious conduct. This is applicable to sandboxed and air-gapped environments, the place the malware would seem benign to analysts.
“If the C2 server is unreachable, Auto-Coloration successfully stalls and refrains from deploying its full malicious performance, showing benign to analysts,” explains Darktrace.
“This conduct prevents reverse engineering efforts from uncovering its payloads, credential harvesting mechanisms, or persistence methods.”
That is added on high of what Unit 42 documented beforehand, together with privilege-aware execution logic, use of benign filenames, hooking libc capabilities, use of a faux logs listing, C2 connections over TLS, distinctive hashes for every pattern, and the existence of a “kill swap.”
With Auto-Coloration now actively exploiting CVE-2025-31324, directors ought to act rapidly to use the security updates or mitigations supplied within the customer-only SAP bulletin.
CISOs know that getting board buy-in begins with a transparent, strategic view of how cloud security drives enterprise worth.
This free, editable board report deck helps security leaders current threat, affect, and priorities in clear enterprise phrases. Flip security updates into significant conversations and sooner decision-making within the boardroom.
