Hackers exploit SAP NetWeaver bug to deploy Linux Auto-Color malware

Hackers were spotted exploiting a critical SAP NetWeaver vulnerability tracked as CVE-2025-31324 to deploy the Auto-Color Linux malware in a cyberattack on a U.S.-based chemicals company.

Cybersecurity firm Darktrace discovered the attack during an incident response in April 2025, where an investigation revealed that the Auto-Color malware had evolved to include additional advanced evasion tactics.

Darktrace reports that the attack started on April 25, but active exploitation occurred two days later, delivering an ELF (Linux executable) file onto the targeted machine.

The Auto-Color malware was first documented by Palo Alto Networks’ Unit 42 researchers in February 2025, who highlighted its evasive nature and difficulty in eradicating once it has established a foothold on a machine.

The backdoor adjusts its behavior based on the user privilege level it runs from, and uses ‘ld.so.preload’ for stealthy persistence via shared object injection.

Auto-Color features capabilities such as arbitrary command execution, file modification, reverse shell for full remote access, proxy traffic forwarding, and dynamic configuration updating. It also has a rootkit module that hides its malicious activities from security tools.

Unit 42 could not discover the initial infection vector from the attacks it observed, targeting universities and government organizations in North America and Asia.

According to the latest research by Darktrace, the threat actors behind Auto-Color exploit CVE-2025-31324, a critical vulnerability in NetWeaver that allows unauthenticated attackers to upload malicious binaries to achieve remote code execution (RCE).

SAP fixed the flaw in April 2025, while security firms ReliaQuest, Onapsis, and watchTowr reported seeing active exploitation attempts, which culminated only a few days later.

By May, ransomware actors and Chinese state hackers had joined in the exploitation activity, while Mandiant reported unearthing evidence of zero-day exploitation for CVE-2025-31324 since at least mid-March 2025.

Apart from the initial access vector, Darktrace also discovered a new evasion measure implemented on the latest version of Auto-Color.

If Auto-Color cannot connect to its hardcoded Command-and-Control (C2) server, it suppresses most of its malicious behavior. This applies to sandboxed and air-gapped environments, where the malware would appear benign to analysts.

“If the C2 server is unreachable, Auto-Color effectively stalls and refrains from deploying its full malicious functionality, appearing benign to analysts,” explains Darktrace.

“This behavior prevents reverse engineering efforts from uncovering its payloads, credential harvesting mechanisms, or persistence techniques.”

This is added on top of what Unit 42 documented previously, including privilege-aware execution logic, use of benign filenames, hooking libc functions, use of a fake logs directory, C2 connections over TLS, unique hashes for each sample, and the existence of a “kill switch.”

With Auto-Color now actively exploiting CVE-2025-31324, administrators should act quickly to apply the security updates or mitigations provided in the customer-only SAP bulletin.