In a three-day cyberattack this April, hackers exploited a newly disclosed SAP vulnerability to infiltrate a U.S.-based chemicals company, deploying a stealthy Linux backdoor known as Auto-Color.
Cybersecurity firm Darktrace says the attackers gained access through a critical flaw in SAP NetWeaver (CVE-2025-31324), allowing them to install the malware and communicate with known malicious infrastructure. The attack was stopped before significant damage occurred, thanks to the company’s autonomous defense technology, which isolated the affected systems.
A Rare Exploit-Malware Combo
The pairing of a zero-day SAP vulnerability with Auto-Color, a Remote Access Trojan (RAT) first observed late last year, is an unusual combination. In fact, this is the first known case of the malware being delivered via SAP exploitation.
SAP disclosed the CVE-2025-31324 flaw on April 24, warning that it allowed attackers to upload files to a NetWeaver server, opening the door for remote code execution and potentially full system control. Just days later, Darktrace detected the exploit being used in the wild.
How Did the Attack Unfold?
According to Darktrace, the initial breach began on April 25 with a wave of suspicious inbound traffic probing a public-facing server. Two days later, attackers delivered a ZIP file through a crafted SAP URI, exploiting the vulnerability to plant malicious files on the system. Evidence of DNS tunneling soon followed—a technique often used to sneak data out of a network without triggering alerts.
The malware was delivered shortly after via a downloaded script that fetched and executed an ELF binary—Auto-Color’s payload—marking the full compromise of the host device.
Auto-Color: A Sophisticated Backdoor with Evasion Built In
Auto-Color is no ordinary backdoor. It renames itself to resemble a system log file and buries itself deep within Linux systems, gaining persistence by altering core system libraries. It uses a technique known as preload manipulation, allowing it to hook into nearly every application launched on the device.
But what makes Auto-Color particularly dangerous is its ability to lie dormant. If it can’t connect to its command-and-control (C2) server, typically over encrypted channels on port 44, it suppresses its behavior, avoiding detection in sandbox environments or air-gapped networks. Only when it successfully reaches its operator does it activate its full range of capabilities.
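The preload manipulation described above is the Linux dynamic loader's preload mechanism: a shared object listed in /etc/ld.so.preload, or in the LD_PRELOAD variable of a process, is mapped into every dynamically linked program, which is what gives a backdoor its hook into "nearly every application." The audit script below is an added example for defenders, not code from the Darktrace report or from the malware. It reads the real /etc/ld.so.preload when present (otherwise a constructed sample), flags entries outside the usual library directories, in common drop locations, or named like log files, and checks running processes for LD_PRELOAD. The trusted and suspicious directory lists are assumptions to adapt to your own baseline; the sample file body and its paths are constructed and are not real Auto-Color artefacts.

```python
"""Audit the Linux dynamic loader's preload hooks for suspicious entries.

Added defender-side example; not Darktrace's or the malware's code.
TRUSTED_DIRS / SUSPICIOUS_DIRS are assumptions, SAMPLE_PRELOAD is constructed.
"""
import glob
import os
import re

# Where legitimately preloaded libraries normally live (assumption).
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
# Drop locations an implant tends to use; anything here deserves review (assumption).
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/log/", "/home/", "/root/")
# A preload entry named like a log file mirrors the disguise described in the article.
LOG_LIKE = re.compile(r"\.log(\.\d+)?$|/log/", re.IGNORECASE)

# Constructed sample file body: two entries a defender should question, one that is fine.
SAMPLE_PRELOAD = """\
# constructed sample, not a real system file
/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-sysv.so
/tmp/.hidden/libsample.so
/var/log/kern.log.3
"""

def _split_list(text):
    """Split a loader list the way glibc does: whitespace or ':' separates entries."""
    return [p for p in re.split(r"[\s:]+", text) if p]

def parse_preload(text):
    """Return the shared-object paths in an ld.so.preload body.

    glibc separates entries by whitespace or ':' and ignores text after '#'.
    """
    entries = []
    for raw in text.splitlines():
        entries.extend(_split_list(raw.split("#", 1)[0]))
    return entries

def audit_preload(text):
    """Return [(path, reasons), ...] for ld.so.preload entries that deserve review."""
    findings = []
    for path in parse_preload(text):
        reasons = []
        if not path.startswith(TRUSTED_DIRS):
            reasons.append("outside trusted library directories")
        if path.startswith(SUSPICIOUS_DIRS):
            reasons.append("in a commonly abused drop location")
        if LOG_LIKE.search(path):
            reasons.append("name resembles a log file")
        if ".so" not in os.path.basename(path):
            reasons.append("no .so in file name")
        if reasons:
            findings.append((path, "; ".join(reasons)))
    return findings

def check_env(env):
    """Return the libraries named by LD_PRELOAD in a process environment mapping."""
    return _split_list(env.get("LD_PRELOAD", ""))

def scan_proc_environ():
    """Yield (pid, [libs]) for running processes whose LD_PRELOAD is set."""
    for path in glob.glob("/proc/[0-9]*/environ"):
        try:
            with open(path, "rb") as fh:
                raw = fh.read().decode(errors="replace")
        except OSError:  # permission denied, or the process already exited
            continue
        env = dict(item.split("=", 1) for item in raw.split("\0") if "=" in item)
        libs = check_env(env)
        if libs:
            yield int(path.split("/")[2]), libs

def main():
    preload_path = "/etc/ld.so.preload"
    if os.path.exists(preload_path):
        with open(preload_path) as fh:
            text = fh.read()
        source = preload_path
    else:
        text, source = SAMPLE_PRELOAD, "constructed sample"
    print(f"[{source}]")
    for path, reason in audit_preload(text):
        print(f"  REVIEW {path}: {reason}")
    for pid, libs in scan_proc_environ():
        print(f"  LD_PRELOAD set in pid {pid}: {', '.join(libs)}")

if __name__ == "__main__":
    main()
```

Run it as root to see every process environment; unprivileged runs silently skip the processes they cannot read. A clean system normally has no /etc/ld.so.preload at all, so the file's mere existence is worth an alert in file-integrity monitoring, independent of what it contains.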
Controlled Response Averted Greater Damage
Darktrace’s Cyber AI platform detected the unusual file downloads, DNS behavior, and outbound connections early on. Its Autonomous Response system enforced a “pattern of life” on the compromised device, restricting it to normal business activity and preventing further lateral movement.
The malware’s outbound traffic to a known C2 address (146.70.41.178) was also blocked, keeping Auto-Color from initiating remote commands such as reverse shells, file execution, or proxy manipulation—features believed to be part of its modular C2 protocol.
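The two network signals this article describes, DNS tunneling earlier in the intrusion and outbound traffic to the known C2 address on port 44, are both detectable from ordinary DNS and connection logs. The script below is an added example of that detection logic; it is not Darktrace's detection and not part of the original report. The C2 address (146.70.41.178) and the port (44) are the values quoted in the article; the log format, the sample log lines, the tunnel domain and the benign addresses are constructed, and the entropy and length thresholds are assumptions to tune against your own DNS baseline.

```python
"""Flag known-C2 connections and tunnel-like DNS queries in simple log lines.

Added example, not Darktrace's detection logic. Log format is constructed:
  "<ts> dns <src> <qname>"  and  "<ts> conn <src> <dst> <dport> <proto>"
Adapt parse_line() to your own sensor output.
"""
import math
from collections import defaultdict

KNOWN_C2_IPS = {"146.70.41.178"}   # address quoted in the article
KNOWN_C2_PORTS = {44}               # port quoted in the article

# Heuristic thresholds (assumptions; tune against your own DNS baseline).
MIN_PREFIX_LEN = 24   # data-carrying labels are long
MIN_ENTROPY = 3.0     # bits per character; encoded data is high-entropy
MIN_QUERIES = 3       # distinct suspicious prefixes per domain before alerting

# Constructed sample: benign lookups, three tunnel-like queries, one benign
# HTTPS connection (TEST-NET-3 address) and one connection to the known C2.
SAMPLE_LOG = """\
2025-04-27T10:15:02Z dns 10.0.0.5 www.sap.com
2025-04-27T10:15:03Z dns 10.0.0.5 security.ubuntu.com
2025-04-27T10:15:09Z dns 10.0.0.5 0123456789abcdef0123456789abcdef.example-tunnel.test
2025-04-27T10:15:10Z dns 10.0.0.5 fedcba9876543210fedcba9876543210.example-tunnel.test
2025-04-27T10:15:11Z dns 10.0.0.5 02468ace13579bdf02468ace13579bdf.example-tunnel.test
2025-04-27T10:16:10Z conn 10.0.0.5 203.0.113.10 443 tcp
2025-04-27T10:16:12Z conn 10.0.0.5 146.70.41.178 44 tcp
"""

def shannon_entropy(s):
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_qname(qname):
    """Return (prefix, registered_domain), assuming the last two labels are the domain.

    Simplification: production code should consult the Public Suffix List,
    since two labels is wrong for names such as example.co.uk.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def is_tunnel_like(prefix):
    """Long, high-entropy subdomain data is the signature of encoded payloads."""
    data = prefix.replace(".", "")
    return len(data) >= MIN_PREFIX_LEN and shannon_entropy(data) >= MIN_ENTROPY

def parse_line(line):
    parts = line.split()
    if len(parts) >= 4 and parts[1] == "dns":
        return {"type": "dns", "src": parts[2], "qname": parts[3]}
    if len(parts) >= 6 and parts[1] == "conn":
        return {"type": "conn", "src": parts[2], "dst": parts[3],
                "dport": int(parts[4]), "proto": parts[5]}
    return None  # unknown record type; skipped

def analyze(log_text, c2_ips=KNOWN_C2_IPS, c2_ports=KNOWN_C2_PORTS):
    """Return IOC hits, connections on the C2 port to other hosts, and tunnel domains."""
    c2_hits, odd_port_hits = [], []
    prefixes = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["type"] == "conn":
            if rec["dst"] in c2_ips:
                c2_hits.append((rec["src"], rec["dst"], rec["dport"]))
            elif rec["dport"] in c2_ports:  # same unusual port, unknown host
                odd_port_hits.append((rec["src"], rec["dst"], rec["dport"]))
        else:
            prefix, domain = split_qname(rec["qname"])
            if is_tunnel_like(prefix):
                prefixes[domain].add(prefix)
    tunnels = {d: len(p) for d, p in prefixes.items() if len(p) >= MIN_QUERIES}
    return {"c2_connections": c2_hits,
            "unusual_port_connections": odd_port_hits,
            "dns_tunnel_domains": tunnels}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Counting distinct prefixes per domain, rather than alerting on each query, keeps a single long CDN hostname from paging anyone, while a tunnel that has to encode fresh data in every lookup crosses the threshold within seconds.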
The threat actor clearly understood Linux internals and took steps to minimize visibility, said a Darktrace spokesperson. But by identifying and containing the activity early, the security company’s systems prevented a much more damaging incident.
Final Words
This attack shows how quickly newly disclosed vulnerabilities can be exploited in real-world environments, especially when paired with advanced malware like Auto-Color. While the malware remains a threat, Darktrace’s fast response bought the company’s internal security team the time needed to investigate, patch, and remediate.
Security researchers warn that the Auto-Color malware is likely to continue evolving. Its stealth, adaptability, and ability to persist across reboots make it a potent weapon in the hands of threat actors, particularly those targeting high-value sectors.