
Hackers Exploit SAP Vulnerability to Breach Linux Systems and Deploy Auto-Color Malware



Jul 30, 2025 | Ravie Lakshmanan | Vulnerability / Threat Intelligence


Threat actors have been observed exploiting a now-patched critical SAP NetWeaver flaw to deliver the Auto-Color backdoor in an attack targeting a U.S.-based chemicals company in April 2025.

"Over the course of three days, a threat actor gained access to the customer's network, attempted to download several suspicious files and communicated with malicious infrastructure linked to Auto-Color malware," Darktrace said in a report shared with The Hacker News.

The vulnerability in question is CVE-2025-31324, a critical unauthenticated file upload bug in SAP NetWeaver that allows remote code execution (RCE). It was patched by SAP in April.

Auto-Color, first documented by Palo Alto Networks Unit 42 earlier this February, functions like a remote access trojan, enabling remote access to compromised Linux hosts. It was observed in attacks targeting universities and government organizations in North America and Asia between November and December 2024.


The malware has been found to hide its malicious behavior should it fail to connect to its command-and-control (C2) server, a sign that the threat actors want to evade detection by giving the impression that it is benign.

It supports various features, including a reverse shell, file creation and execution, system proxy configuration, global payload manipulation, system profiling, and even self-removal when a kill switch is triggered.

The incident detected by Darktrace took place on April 28, when it was alerted to the download of a suspicious ELF binary on an internet-exposed machine likely running SAP NetWeaver. That said, initial signs of scanning activity are said to have occurred at least three days prior.
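The sequence Darktrace describes (scanning against an internet-facing host, an ELF download by that host days later, then an outbound connection attempt that matches the C2 behavior) is a pattern a defender can correlate from ordinary telemetry. The following script is an added example written for this article, not Darktrace's or Unit 42's code; every host name, IP address and timestamp in it is constructed, and the event format is an assumption chosen for illustration rather than any product's log schema. It identifies ELF payloads by their magic bytes and raises a per-host alert when a download is preceded by scanning and followed by a new outbound connection.

```python
"""Correlate the intrusion sequence described in the article, per host:
scanning against an internet-facing host, a later ELF download by that host,
and an outbound connection attempt shortly after it (the C2 step).
All events below are constructed for this example; the IPs, host names and
timestamps are not indicators from the incident."""
from dataclasses import dataclass
from datetime import datetime, timedelta

ELF_MAGIC = b"\x7fELF"


def is_elf(head: bytes) -> bool:
    """True if the first bytes of a fetched payload carry the ELF magic."""
    return head[:4] == ELF_MAGIC


@dataclass
class Event:
    ts: datetime
    host: str               # internal host the event concerns (assumed field)
    kind: str               # "scan" | "download" | "outbound" (assumed values)
    peer: str               # external address involved
    payload_head: bytes = b""   # first bytes of a downloaded file, if captured


# Constructed sample telemetry (not real IoCs): an internet-exposed SAP host
# "sap-web-01" is scanned, three days later fetches an ELF file, then tries to
# reach a previously unseen external address. A second host fetches only a
# shell script and must not trigger an alert.
SAMPLE_EVENTS = [
    Event(datetime(2025, 4, 25, 9, 12), "sap-web-01", "scan", "203.0.113.10"),
    Event(datetime(2025, 4, 25, 9, 13), "sap-web-01", "scan", "203.0.113.10"),
    Event(datetime(2025, 4, 28, 14, 2), "sap-web-01", "download", "198.51.100.7",
          b"\x7fELF\x02\x01\x01"),
    Event(datetime(2025, 4, 28, 14, 5), "sap-web-01", "outbound", "192.0.2.44"),
    Event(datetime(2025, 4, 28, 10, 0), "app-02", "download", "198.51.100.9",
          b"#!/bin/sh\n"),
]


def correlate(events, scan_window=timedelta(days=7),
              followup_window=timedelta(hours=1)):
    """Return one alert per ELF download, with the scanning sources seen in the
    preceding scan_window and the outbound peers contacted within
    followup_window after the download. Severity is "high" only when both the
    prior scanning and the follow-up outbound connection are present."""
    by_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)

    alerts = []
    for host, evs in by_host.items():
        for dl in evs:
            if dl.kind != "download" or not is_elf(dl.payload_head):
                continue
            scans = [e for e in evs
                     if e.kind == "scan" and dl.ts - scan_window <= e.ts < dl.ts]
            outbound = [e for e in evs
                        if e.kind == "outbound"
                        and dl.ts < e.ts <= dl.ts + followup_window]
            alerts.append({
                "host": host,
                "download_from": dl.peer,
                "download_at": dl.ts,
                "prior_scan_sources": sorted({e.peer for e in scans}),
                "outbound_peers": sorted({e.peer for e in outbound}),
                "severity": "high" if scans and outbound else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Two points follow from the article's description. First, the outbound step matters even when it fails: the report says C2 establishment failed, and a blocked or unanswered connection from a server that normally initiates no outbound traffic is still the strongest signal in the chain. Second, because the malware suppresses its malicious behavior when it cannot reach C2, a sandbox run without network access may look benign; static inspection of the ELF and the network telemetry should carry the verdict, not the absence of observed activity.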

"CVE-2025-31324 was leveraged in this instance to launch a second-stage attack, involving the compromise of the internet-facing machine and the download of an ELF file representing the Auto-Color malware," the company said.

"From initial intrusion to the failed establishment of C2 communication, the Auto-Color malware showed a clear understanding of Linux internals and demonstrated calculated restraint designed to minimize exposure and reduce the chance of detection."