Hackers Exploit SAP NetWeaver Flaw to Deploy Advanced Auto-Color Malware on U.S. Chemical Firm

Hackers exploited a critical SAP NetWeaver vulnerability to deploy Auto-Color malware on a U.S. chemicals firm, using advanced stealth and sandbox evasion techniques.

    A recently patched vulnerability in SAP NetWeaver is being actively exploited by hackers to deploy a stealthy Linux backdoor known as Auto-Color, in an attack that targeted a U.S.-based chemical company. The vulnerability, tracked as CVE-2025-31324, enables unauthenticated attackers to remotely upload and execute malicious binaries, and has become a popular attack vector for both state-linked and criminal threat actors.

    Cybersecurity firm Darktrace uncovered the incident during an April 2025 investigation, confirming that attackers exploited the NetWeaver flaw to deliver the Auto-Color malware—a Linux-based backdoor first documented by Palo Alto Networks’ Unit 42 earlier this year.

    “If the C2 server is unreachable, Auto-Color effectively stalls and refrains from deploying its full malicious functionality, appearing benign to analysts,” said Darktrace.

    The attack began on April 25, with the malicious payload—an ELF (Executable and Linkable Format) binary—delivered two days later. Researchers observed that this new version of Auto-Color had evolved, adding evasion features specifically designed to sidestep detection and reverse engineering attempts.

    Auto-Color adapts its behavior to the privilege level of the user running it and uses ld.so.preload for stealthy persistence: a shared object listed there is injected by the dynamic loader into every dynamically linked process. Its capabilities include:

    • Arbitrary command execution
    • Reverse shell for full remote access
    • File modification and dynamic configuration updates
    • Proxy traffic forwarding
    • Rootkit functionality to hide its presence from security tools

    The malware also utilizes unique hashes for each sample, TLS-encrypted command-and-control (C2) channels, and fake logging directories to avoid drawing attention. Notably, it employs sandbox evasion by remaining dormant in environments where it cannot reach its C2 infrastructure.
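    An added defender-side check (not code from the original article, Darktrace or Unit 42) that audits the ld.so.preload persistence mechanism described above: it tokenizes the preload list and flags entries outside the standard library directories, in world-writable locations, or under hidden path components such as a fake logging directory. The trusted-directory list and the sample file content are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Assumption: directories where legitimately preloaded libraries normally live.
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
# Locations any unprivileged user can typically write to.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_preload(text):
    """Split ld.so.preload content into library paths.

    Entries are separated by whitespace or ':' (the separators LD_PRELOAD
    accepts). Every token is treated as an entry; no comment syntax is
    assumed, so nothing an attacker wrote can hide from the audit.
    """
    return [tok for tok in re.split(r"[\s:]+", text) if tok]


def suspicious_entries(text, trusted_dirs=TRUSTED_DIRS):
    """Return (path, reasons) for each entry that looks out of place."""
    findings = []
    for path in parse_preload(text):
        reasons = []
        if not path.startswith(trusted_dirs):
            reasons.append("outside standard library directories")
        if path.startswith(WRITABLE_DIRS):
            reasons.append("world-writable location")
        if any(part.startswith(".") for part in path.split("/") if part):
            reasons.append("hidden path component")
        if reasons:
            findings.append((path, reasons))
    return findings


def audit_system(preload_path="/etc/ld.so.preload"):
    """Audit the live preload file; an absent file means nothing is preloaded."""
    p = Path(preload_path)
    return suspicious_entries(p.read_text()) if p.exists() else []


# Constructed sample content (not taken from the incident): one benign glibc
# helper plus a library hidden under a fake logging directory.
SAMPLE = "/usr/lib/x86_64-linux-gnu/libSegFault.so\n/var/log/.cache/libfake.so\n"

if __name__ == "__main__":
    for path, reasons in suspicious_entries(SAMPLE):
        print(f"{path}: {', '.join(reasons)}")
```

Run it as root on a host to audit the real /etc/ld.so.preload; a clean system usually has no such file at all, so its mere presence is worth a look.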

    Darktrace found that when Auto-Color is unable to connect with its hardcoded C2 server—such as in isolated or sandboxed environments—it suppresses almost all malicious behavior, allowing it to appear harmless during analysis.

    This new finding builds on earlier Unit 42 research, which documented Auto-Color’s:

    • Privilege-aware execution
    • Function hooking of the libc library
    • Use of benign file names
    • Built-in “kill switch” functionality

    Though Unit 42 could not identify the original infection vector in prior attacks, which mainly targeted universities and government entities in North America and Asia, Darktrace was able to link the infection path directly to exploitation of the CVE-2025-31324 flaw in SAP NetWeaver.

    SAP issued a patch for the vulnerability in April 2025, shortly before the Darktrace investigation. However, by May, multiple cybersecurity vendors—including ReliaQuest, Onapsis, and watchTowr—had reported seeing widespread exploitation attempts. The situation escalated as ransomware operators and Chinese state-sponsored actors joined in, leveraging the same flaw.

    Threat intelligence provider Mandiant later revealed that zero-day exploitation of CVE-2025-31324 had likely begun as early as mid-March 2025.

    Administrators running SAP NetWeaver are urged to immediately apply the patches or follow mitigation steps outlined in SAP’s restricted-access advisory, as the malware’s rapid evolution and stealth make it particularly dangerous in enterprise environments.