Hackers Exploit SAP Vulnerability to Breach Linux Systems and Deploy Auto-Color Malware

Threat actors have been observed exploiting a now-patched critical SAP NetWeaver flaw to deliver the Auto-Color backdoor in an attack targeting a U.S.-based chemicals company in April 2025.

“Over the course of three days, a threat actor gained access to the customer’s network, attempted to download several suspicious files and communicated with malicious infrastructure linked to Auto-Color malware,” Darktrace said in a report shared with The Hacker News.

The vulnerability in question is CVE-2025-31324, a severe unauthenticated file upload bug in SAP NetWeaver that enables remote code execution (RCE). It was patched by SAP in April.

Auto-Color, first documented by Palo Alto Networks Unit 42 earlier this February, functions similarly to a remote access trojan, giving the operators remote access to compromised Linux hosts. It was observed in attacks targeting universities and government organizations in North America and Asia between November and December 2024.


The malware has been found to hide its malicious behavior should it fail to connect to its command-and-control (C2) server, a sign that the threat actors want to evade detection by giving the impression that it is benign.


It supports various features, including a reverse shell, file creation and execution, system proxy configuration, global payload manipulation, system profiling, and even self-removal when a kill switch is triggered.

The incident detected by Darktrace took place on April 28, when it was alerted to the download of a suspicious ELF binary on an internet-exposed machine likely running SAP NetWeaver. That said, initial signs of scanning activity are said to have occurred at least three days prior.

“CVE-2025-31324 was leveraged in this instance to launch a second-stage attack, involving the compromise of the internet-facing machine and the download of an ELF file representing the Auto-Color malware,” the company said.

“From initial intrusion to the failed establishment of C2 communication, the Auto-Color malware showed a clear understanding of Linux internals and demonstrated calculated restraint designed to minimize exposure and reduce the risk of detection.”
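The intrusion chain described above (scanning of an internet-facing SAP host a few days before that host pulls down an ELF binary) is the kind of sequence a defender can correlate from proxy or web logs. The following is an added detection example, not code from Darktrace or from the article; the log format, host names, IP addresses and thresholds are all constructed assumptions.

```python
"""Correlate pre-exploitation scanning of a SAP NetWeaver host with a later
ELF download by that same host. Log layout, hosts, IPs and thresholds are
constructed for this example, not taken from the reported incident."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: ts src dst method uri status response_mime
SAMPLE_LOG = """\
2025-04-25T09:12:01Z 203.0.113.7 sap-web.example.internal GET /nonexistent1 404 text/html
2025-04-25T09:12:02Z 203.0.113.7 sap-web.example.internal GET /admin 404 text/html
2025-04-25T09:12:03Z 203.0.113.7 sap-web.example.internal GET /backup.zip 404 text/html
2025-04-25T09:12:04Z 203.0.113.7 sap-web.example.internal GET /upload 404 text/html
2025-04-25T09:12:05Z 203.0.113.7 sap-web.example.internal GET /.env 404 text/html
2025-04-26T14:00:00Z 10.0.5.20 sap-web.example.internal GET /index.html 200 text/html
2025-04-28T11:30:12Z sap-web.example.internal 198.51.100.9 GET /dl/app 200 application/x-executable
2025-04-28T12:00:00Z sap-dev.example.internal 198.51.100.9 GET /dl/app 200 application/x-executable
"""

SAP_HOSTS = {"sap-web.example.internal", "sap-dev.example.internal"}  # assumed inventory
SCAN_THRESHOLD = 5          # distinct 4xx URIs from one source against one SAP host
WINDOW = timedelta(days=7)  # report saw scanning at least three days before the download

def parse(log):
    """Split constructed log lines into typed tuples."""
    rows = []
    for line in log.strip().splitlines():
        ts, src, dst, method, uri, status, mime = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     src, dst, method, uri, int(status), mime))
    return rows

def correlate(rows):
    """Return alerts for ELF downloads by a SAP host that was scanned shortly before."""
    scans = defaultdict(lambda: [set(), None])   # (scanner, host) -> [uris, last_seen]
    for ts, src, dst, _, uri, status, _ in rows:
        if dst in SAP_HOSTS and 400 <= status < 500:
            scans[(src, dst)][0].add(uri)
            scans[(src, dst)][1] = ts
    alerts = []
    for ts, src, dst, _, uri, status, mime in rows:
        # Outbound fetch of an ELF object by an inventoried SAP host
        if src in SAP_HOSTS and status == 200 and mime == "application/x-executable":
            prior = sorted(s for (s, h), (uris, last) in scans.items()
                           if h == src and len(uris) >= SCAN_THRESHOLD
                           and timedelta(0) <= ts - last <= WINDOW)
            if prior:  # only alert when scanning preceded the download
                alerts.append({"host": src, "elf_from": dst, "uri": uri, "scanners": prior})
    return alerts

if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOG)):
        print(alert)
```

The second SAP host in the sample fetches the same binary but was never scanned, so it produces no alert; in practice that case still deserves a lower-severity review since the download itself is anomalous for a NetWeaver server.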
