In April 2025, a sophisticated cyber-attack campaign was discovered targeting a U.S.-based chemical company. The attacker took advantage of a serious vulnerability in the SAP NetWeaver software to install Linux Auto-Color malware.


Auto-Color is a backdoor malware on the Linux platform. This malicious code has the following capabilities:

  • Execute arbitrary commands remotely
  • Edit and replace system files
  • Open a reverse shell connection to take full control
  • Forward network traffic (proxy traffic)
  • Automatically update its configuration from the remote server
  • Hide from security tools via rootkit modules

The attacker took advantage of the critical vulnerability CVE-2025-31324 in SAP NetWeaver to deploy Auto-Color. This vulnerability allows unauthenticated attackers to upload malicious executable code and remotely hijack the system. SAP released a patch in April 2025; however, many systems were not updated in time.


Darktrace experts discovered the incident while investigating a security incident in late April 2025. The Auto-Color malicious code was found to have entered the system on April 27, two days after the attack began. An ELF (Linux executable) file was installed on the target system.

(Darktrace is a leading cybersecurity company headquartered in the United Kingdom, best known for applying artificial intelligence (AI) and machine learning to detect and respond to cyber threats in real time).

In the new version, Auto-Color was improved to evade both sandbox analysis environments and air-gapped systems. If the malicious code cannot connect to its control server (C2 server), it “freezes operations”, pretending to do nothing, which makes it difficult for analysts to observe its real behavior. Experts say this helps the malicious code resist reverse engineering, making analysis extremely difficult.

Previous cloaking techniques included:

  • Adjusting its behavior based on the privileges of the current user
  • Using a legitimate-looking filename
  • Hooking libc library functions to intercept system calls
  • Hiding log files in a fake directory
  • Connecting to the C2 server over the TLS security protocol
  • Creating a separate hash for each variant
  • A kill switch to shut it down when needed

The American chemical business is just one slice of the big picture. Earlier, Unit 42 had recorded Auto-Color attacking universities and government organizations in North America and Asia. By May 2025, Chinese hacking groups and ransomware families had become involved in exploiting the CVE-2025-31324 vulnerability, indicating that the threat was spreading on a global scale.

Signs of zero-day exploitation of the vulnerability had already appeared by mid-March 2025, before the official patch was released.

Auto-Color is not a generic piece of malware; it is a specialized custom tool for long-term espionage and sabotage campaigns. The SAP NetWeaver vulnerability (CVE-2025-31324) is a highly critical vulnerability that allows remote takeover of the system.

Experts urgently recommend that users:

  • Immediately apply the patches from SAP, especially the April 2025 patch for CVE-2025-31324.
  • Check the SAP system logs and Linux servers for abnormal activity, C2 connections, or changes to ld.so.preload.
  • Use an EDR solution and a network monitoring system that analyzes behavior rather than relying on traditional signatures alone.
  • Do not analyze Auto-Color samples in an isolated environment with no network connection, as the malicious code will not fully activate its functions and may be mistaken for a benign program.
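The ld.so.preload check in the list above is the one defenders can act on most directly: every library listed in /etc/ld.so.preload is loaded into every dynamically linked process on the host, which is exactly how a libc-hooking rootkit module gets its hooks in place. The script below is an added example written for this article; it is not Darktrace, Unit 42, or SAP tooling and it contains no Auto-Color indicators. The allowlist, the trusted directory list, and the sample file content are all assumptions to be adapted per host.

```python
#!/usr/bin/env python3
"""Flag unexpected entries in /etc/ld.so.preload.

Added example for this article, not tooling from Darktrace, Unit 42 or SAP.
An absent or empty /etc/ld.so.preload is the normal state on most servers;
any entry that is not explicitly expected deserves a look.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

# Assumed allowlist: libraries a given environment legitimately preloads
# (for example a vendor EDR shim or a custom allocator). Empty by default.
ALLOWLIST: Set[str] = set()

# Assumed set of directories where package-managed shared libraries live.
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)


def parse_preload(text: str) -> List[str]:
    """Return the library paths listed in ld.so.preload content.

    The dynamic loader accepts whitespace or ':' as separators and treats
    '#' as the start of a comment, so the parser mirrors that.
    """
    entries: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(p for p in re.split(r"[\s:]+", line) if p)
    return entries


def assess_entry(path: str, allowlist: Set[str] = ALLOWLIST,
                 exists: Callable[[str], bool] = os.path.exists) -> Optional[Finding]:
    """Explain why a single preload entry is suspicious, or None if allowlisted."""
    if path in allowlist:
        return None
    finding = Finding(path, ["not in allowlist"])
    if not path.startswith("/"):
        finding.reasons.append("relative path")
    if not path.startswith(TRUSTED_DIRS):
        finding.reasons.append("outside system library directories")
    if not exists(path):
        # A missing file can mean the library was removed after loading,
        # or that something is hiding it from this process.
        finding.reasons.append("file does not exist (possibly hidden or removed)")
    return finding


def check_preload(text: str, allowlist: Set[str] = ALLOWLIST,
                  exists: Callable[[str], bool] = os.path.exists) -> List[Finding]:
    """Return findings for every non-allowlisted entry in the given content."""
    results = (assess_entry(p, allowlist, exists) for p in parse_preload(text))
    return [f for f in results if f is not None]


def check_preload_file(path: str = "/etc/ld.so.preload") -> List[Finding]:
    """Run the check against a real file; a missing file yields no findings."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_preload(fh.read())


# Constructed sample content for offline testing, not from a real incident.
SAMPLE = "/usr/lib/libfoo.so  # assumed legitimate\n/tmp/.cache/libc.so.6\n"

if __name__ == "__main__":
    for finding in check_preload_file():
        print(f"{finding.path}: {'; '.join(finding.reasons)}")
```

Two caveats for use. First, an empty result only means the preload file looks clean to this process: a rootkit that hooks libc can lie to a dynamically linked Python interpreter, so confirm findings from a statically linked tool or by mounting the disk from a rescue environment. Second, a preload entry that points into a system library directory but is not owned by any package (check with the distribution's package manager) is as suspicious as one in /tmp.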

Auto-Color is a clear example of the cyber arms race between hackers and defenders. From exploiting the SAP vulnerability to hiding in an analytical environment, this malicious code is setting a new benchmark for sophistication.

With Linux systems and ERP platforms such as SAP widely used in business, any delay in patching or lack of monitoring can become an “open door” for dangerous intrusion scenarios.

According to Bleeping Computer