
Hackers exploit SAP NetWeaver bug to deploy Linux Auto-Colour malware

Hackers have been observed exploiting a critical SAP NetWeaver vulnerability tracked as CVE-2025-31324 to deploy the Auto-Color Linux malware in a cyberattack on a U.S.-based chemicals company.

Cybersecurity firm Darktrace discovered the attack during an incident response engagement in April 2025, where the investigation revealed that the Auto-Color malware had evolved to include more advanced evasion tactics.

Darktrace reports that the attack started on April 25, but active exploitation occurred two days later, delivering an ELF (Linux executable) file onto the targeted machine.

The Auto-Color malware was first documented by Palo Alto Networks' Unit 42 researchers in February 2025, who highlighted its evasive nature and the difficulty of removing it once it has established a foothold on a machine.

The backdoor adjusts its behavior based on the user privilege level it runs with, and uses 'ld.so.preload' for stealthy persistence via shared object injection.
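Because the persistence mechanism is a system-wide preload list, one defensive check is simply to audit /etc/ld.so.preload, which is absent on most healthy hosts. The following Python script is an added example written for this article; it is not code from Darktrace, Unit 42 or the malware. It mirrors how the glibc loader parses the file (whitespace or ':' separated entries, '#' comments), flags entries that are relative, live outside conventional library directories, or point at files that no longer exist, and reports every remaining entry for review. The list of trusted directories and the sample file content are assumptions constructed for the example.

```python
"""Audit /etc/ld.so.preload for shared-object injection persistence."""
import os
import re

# Directories where legitimately preloaded libraries normally live.
# Assumption for this example; tune for your distribution.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")


def parse_ld_preload(text):
    """Return the shared objects named in ld.so.preload content.

    The glibc loader treats whitespace and ':' as separators and ignores
    anything after '#' on a line, so the parser mirrors that.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(tok for tok in re.split(r"[\s:]+", line) if tok)
    return entries


def audit_ld_preload(text, path_exists=os.path.exists):
    """Classify every preload entry.

    Returns a list of (library, reasons) tuples. An empty reasons list means
    the entry looks conventional but should still be reviewed, because on
    most hosts /etc/ld.so.preload does not exist at all.
    """
    findings = []
    for lib in parse_ld_preload(text):
        reasons = []
        if not lib.startswith("/"):
            reasons.append("relative path")
        elif not any(lib.startswith(d + "/") for d in TRUSTED_LIB_DIRS):
            reasons.append("outside standard library directories")
        if not path_exists(lib):
            reasons.append("file does not exist on disk")
        findings.append((lib, reasons))
    return findings


def audit_host(path="/etc/ld.so.preload"):
    """Audit the live file; returns None when it is absent (the normal state)."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_ld_preload(fh.read())


# Constructed sample content, not taken from a real host or from the article.
SAMPLE_PRELOAD = """# sample ld.so.preload
/usr/lib/x86_64-linux-gnu/libjemalloc.so.2
/tmp/.cache/libsample.so.2   /opt/unknown/libhook.so
"""

if __name__ == "__main__":
    result = audit_host()
    if result is None:
        print("/etc/ld.so.preload absent: nothing is preloaded system-wide")
    else:
        for lib, reasons in result:
            print(f"{lib}: {', '.join(reasons) or 'review'}")
    # Offline demonstration on the constructed sample; pretend only /usr/lib exists.
    for lib, reasons in audit_ld_preload(SAMPLE_PRELOAD,
                                         path_exists=lambda p: p.startswith("/usr/lib/")):
        print(f"sample {lib}: {', '.join(reasons) or 'review'}")
```

Run it as root on the suspect host, or feed it a copy of the file taken during triage. Because the parser accepts a `path_exists` callback, the same logic can be run over a forensic image where the original filesystem paths are not mounted at their usual locations.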

Auto-Color features capabilities such as arbitrary command execution, file modification, a reverse shell for full remote access, proxy traffic forwarding, and dynamic configuration updating. It also has a rootkit module that hides its malicious activity from security tools.

Unit 42 could not determine the initial infection vector from the attacks it observed, which targeted universities and government organizations in North America and Asia.

According to the latest research by Darktrace, the threat actors behind Auto-Color exploit CVE-2025-31324, a critical vulnerability in NetWeaver that allows unauthenticated attackers to upload malicious binaries and achieve remote code execution (RCE).

[Figure: Timeline of the observed attack. Source: Darktrace]

SAP fixed the flaw in April 2025, while security firms ReliaQuest, Onapsis, and watchTowr reported seeing active exploitation attempts, which culminated a few days later.

By May, ransomware actors and Chinese state hackers had joined in the exploitation activity, while Mandiant reported unearthing evidence of zero-day exploitation of CVE-2025-31324 since at least mid-March 2025.

Apart from the initial access vector, Darktrace also discovered a new evasion measure implemented in the latest version of Auto-Color.

If Auto-Color cannot connect to its hardcoded command-and-control (C2) server, it suppresses most of its malicious behavior. This applies to sandboxed and air-gapped environments, where the malware would appear benign to analysts.

"If the C2 server is unreachable, Auto-Color effectively stalls and refrains from deploying its full malicious functionality, appearing benign to analysts," explains Darktrace.

"This behavior prevents reverse engineering efforts from uncovering its payloads, credential harvesting mechanisms, or persistence methods."

This is in addition to what Unit 42 documented previously, including privilege-aware execution logic, use of benign filenames, hooking of libc functions, use of a fake logs directory, C2 connections over TLS, unique hashes for each sample, and the existence of a "kill switch."

With Auto-Color now actively exploiting CVE-2025-31324, administrators should act quickly to apply the security updates or mitigations provided in the customer-only SAP bulletin.
