Hackers had been noticed exploiting a important SAP NetWeaver vulnerability tracked as CVE-2025-31324 to deploy the Auto-Coloration Linux malware in a cyberattack on a U.S.-based chemical compounds firm.
Cybersecurity agency Darktrace found the assault throughout an incident response in April 2025, the place an investigation revealed that the Auto-Coloration malware had developed to incorporate extra superior evasion ways.
Darktrace reviews that the assault began on April 25, however lively exploitation occurred two days later, delivering an ELF (Linux executable) file onto the focused machine.
The Auto-Coloration malware was first documented by Palo Alto Networks’ Unit 42 researchers in February 2025, who highlighted its evasive nature and problem in eradicating as soon as it has established a foothold on a machine.
The backdoor adjusts its habits based mostly on the consumer privilege degree it runs from, and makes use of ‘ld.so.preload’ for stealthy persistence through shared object injection.
Auto-Coloration options capabilities resembling arbitrary command execution, file modification, reverse shell for full distant entry, proxy visitors forwarding, and dynamic configuration updating. It additionally has a rootkit module that hides its malicious actions from safety instruments.
Unit 42 couldn’t uncover the preliminary an infection vector from the assaults it noticed, concentrating on universities and authorities organizations in North America and Asia.
Based on the newest analysis by Darktrace, the menace actors behind Auto-Coloration exploit CVE-2025-31324, a important vulnerability in NetWeaver that enables unauthenticated attackers to add malicious binaries to realize distant code execution (RCE).
.jpg)
Timeline of the noticed assault
Supply: Darktrace
SAP fastened the flaw in April 2025, whereas safety corporations ReliaQuest, Onapsis, and watchTowr reported seeing lively exploitation makes an attempt, which culminated just a few days later.
By Could, ransomware actors and Chinese language state hackers had joined within the exploitation exercise, whereas Mandiant reported unearthing proof of zero-day exploitation for CVE-2025-31324 since a minimum of mid-March 2025.
Other than the preliminary entry vector, Darktrace additionally found a brand new evasion measure applied on the newest model of Auto-Coloration.
If Auto-Coloration can not connect with its hardcoded Command-and-Management (C2) server, it suppresses most of its malicious habits. This is applicable to sandboxed and air-gapped environments, the place the malware would seem benign to analysts.
“If the C2 server is unreachable, Auto-Coloration successfully stalls and refrains from deploying its full malicious performance, showing benign to analysts,” explains Darktrace.
“This habits prevents reverse engineering efforts from uncovering its payloads, credential harvesting mechanisms, or persistence strategies.”
That is added on prime of what Unit 42 documented beforehand, together with privilege-aware execution logic, use of benign filenames, hooking libc features, use of a pretend logs listing, C2 connections over TLS, distinctive hashes for every pattern, and the existence of a “kill swap.”
With Auto-Coloration now actively exploiting CVE-2025-31324, directors ought to act rapidly to use the safety updates or mitigations supplied within the customer-only SAP bulletin.
CISOs know that getting board buy-in begins with a transparent, strategic view of how cloud safety drives enterprise worth.
This free, editable board report deck helps safety leaders current danger, impression, and priorities in clear enterprise phrases. Flip safety updates into significant conversations and sooner decision-making within the boardroom.
