Threat actors recently attempted to exploit a freshly patched, maximum-severity SAP NetWeaver flaw to deploy the persistent Linux remote access trojan (RAT) known as "Auto-Color."
According to a Darktrace report, a recent attack abused the flaw to stage a stealthy, multi-stage compromise, but the intrusion was quickly contained by the vendor's "autonomous response" capability.
"In April 2025, Darktrace identified an Auto-Color backdoor malware attack taking place on the network of a US-based chemicals company," Darktrace said in a blog post shared with CSO ahead of its publication on Tuesday. "After Darktrace successfully blocked the malicious activity and contained the attack, the Darktrace Threat Research team conducted a deeper investigation into the malware, (revealing) that the threat actor had exploited CVE-2025-31324 to deploy Auto-Color as part of a multi-stage attack."
Darktrace described this as the first observed pairing of SAP NetWeaver exploitation with Auto-Color malware. Previously, the flaw had been reported as likely exploited in zero-day attacks to install JSP web shells on SAP servers.
Frankie Sclafani, director of cybersecurity enablement at Deepwatch, said the finding warrants immediate attention from organizations. "The dangerous convergence of a critical SAP vulnerability with the elusive Auto-Color backdoor malware to target critical infrastructure signals a disturbing new chapter in cyber threats," he added. "The security community should proactively monitor for this activity and foster collaborative intelligence sharing to further understand and counter the threat actor's methods."