Risk actors have been noticed exploiting a now-patched vital SAP NetWeaver flaw to ship the Auto-Coloration backdoor in an assault concentrating on a U.S.-based chemical substances firm in April 2025.
“Over the course of three days, a risk actor gained entry to the shopper’s community, tried to obtain a number of suspicious recordsdata and communicated with malicious infrastructure linked to Auto-Coloration malware,” Darktrace mentioned in a report shared with The Hacker Information.
The vulnerability in query is CVE-2025-31324, a extreme unauthenticated file add bug in SAP NetWeaver that permits distant code execution (RCE). It was patched by SAP in April.
Auto-Coloration, first documented by Palo Alto Networks Unit 42 earlier this February, features akin to a distant entry trojan, enabling distant entry to compromised Linux hosts. It was noticed in assaults concentrating on universities and authorities organizations in North America and Asia between November and December 2024.
The malware has been discovered to cover its malicious conduct ought to it fail to hook up with its command-and-control (C2) server, an indication that the risk actors want to evade detection by giving the impression that it is benign.
It helps varied options, together with reverse shell, file creation and execution, system proxy configuration, world payload manipulation, system profiling, and even self-removal when a kill change is triggered.
The incident detected by Darktrace occurred on April 28, when it was alerted to the obtain of a suspicious ELF binary on an internet-exposed machine possible operating SAP NetWeaver. That mentioned, preliminary indicators of scanning exercise are mentioned to have occurred at the least three days prior.
“CVE-2025-31324 was leveraged on this occasion to launch a second-stage assault, involving the compromise of the internet-facing gadget and the obtain of an ELF file representing the Auto-Coloration malware,” the corporate mentioned.
“From preliminary intrusion to the failed institution of C2 communication, the Auto-Coloration malware confirmed a transparent understanding of Linux internals and demonstrated calculated restraint designed to attenuate publicity and scale back the chance of detection.”
