Threat actors have successfully exploited a critical vulnerability in SAP NetWeaver, specifically CVE-2025-31324, to deliver the Auto-Color backdoor malware. This attack targeted a U.S.-based chemicals company in April 2025, where the attackers took control of the network over a span of three days. According to a report from Darktrace, the threat actor attempted to download several suspicious files and established communication with malicious infrastructure linked to the Auto-Color malware.
This vulnerability, which allows unauthenticated file uploads and remote code execution, was patched by SAP in April after being identified. Auto-Color operates similarly to a remote access trojan, enabling control over compromised Linux hosts. It was first documented by Palo Alto Networks Unit 42 earlier in 2025, in a report that indicated prior targeting of universities and government organizations.
The malware is designed to remain stealthy; it conceals its malicious functions when unable to connect to its command-and-control server, attempting to reduce the likelihood of detection. Auto-Color can execute numerous tasks, including creating and executing files, configuring system proxies, and conducting system profiling, with a built-in self-removal feature activated by a kill switch.
The incident, first detected by Darktrace on April 28, involved the download of a suspicious ELF binary from a machine running SAP NetWeaver, with hints of probing activity surfacing three days earlier. Darktrace noted that the attackers used CVE-2025-31324 to launch a subsequent phase of the attack, which included compromising an internet-exposed device and downloading the Auto-Color malware.
The sophistication of the attack highlights a calculated approach by the threat actors, showcasing a deep understanding of Linux systems and an intent to minimize their exposure to detection.