Attackers compromised a US chemicals company by exploiting a critical vulnerability in SAP NetWeaver (CVE-2025-31324) and used that access to deploy Auto-Color, a Linux backdoor with stealth capabilities that gives its operators full control of the infected host.

Darktrace investigated the intrusion in April 2025. It began on April 25; two days later the attackers uploaded an ELF binary (a Linux executable carrying Auto-Color) to the server. The backdoor changes its behavior depending on the privileges it runs with, uses /etc/ld.so.preload for persistence and stealth, and includes a rootkit-style component that hides its presence from standard system tools.
Auto-Color supports:
Execution of arbitrary commands
Modification of files
Remote access (reverse shell)
Proxying of traffic
Dynamic configuration updates
If its command-and-control (C2) server is unreachable, the malware stays dormant and behaves like a benign process, which hampers analysis in sandboxes that block outbound traffic.
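Because the persistence mechanism described above lives in a single, normally absent file, a quick audit of /etc/ld.so.preload is a useful first check on any Linux host that fronts an exposed SAP system. The script below is an added example written for this article, not Darktrace's or Unit 42's tooling and not Auto-Color's own file names; the set of trusted library directories and the package-ownership heuristic are assumptions you should adjust for your distribution.

```shell
#!/bin/sh
# Added example: audit /etc/ld.so.preload for unexpected entries.
# Not vendor tooling; TRUSTED_LIB_DIRS and the package check are assumptions.

# Directories where a legitimately preloaded library would normally live.
TRUSTED_LIB_DIRS="/lib /lib64 /usr/lib /usr/lib64 /usr/local/lib"

in_trusted_dir() {
    for d in $TRUSTED_LIB_DIRS; do
        case "$1" in "$d"/*) return 0 ;; esac
    done
    return 1
}

# Heuristic: a library in a system directory that no package owns is a strong
# signal. Returns 0 (treat as owned) when no known package manager is present.
owned_by_package() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" >/dev/null 2>&1
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" >/dev/null 2>&1
    else
        return 0
    fi
}

# check_preload [FILE]: prints one verdict line per entry.
# Exit status 0 when nothing is flagged, 1 when at least one entry is suspicious.
check_preload() {
    file="${1:-/etc/ld.so.preload}"
    if [ ! -s "$file" ]; then
        echo "OK: $file is absent or empty (the normal state on most systems)"
        return 0
    fi
    # ld.so treats '#' as a comment and separates entries with whitespace or newlines.
    entries=$(sed 's/#.*//' "$file" | tr -s ' \t' '\n' | grep -v '^$' || true)
    [ -n "$entries" ] || { echo "OK: $file contains only comments"; return 0; }
    flagged=0
    for lib in $entries; do
        case "$lib" in
            /*) ;;
            *) echo "SUSPICIOUS: $lib is not an absolute path"; flagged=1; continue ;;
        esac
        if [ ! -e "$lib" ]; then
            echo "SUSPICIOUS: $lib does not exist (dangling preload entry)"
            flagged=1
        elif case "$(ls -ldL "$lib")" in ????????w*) true ;; *) false ;; esac; then
            # character 9 of the ls mode string is the world-write bit
            echo "SUSPICIOUS: $lib is world-writable"
            flagged=1
        elif ! in_trusted_dir "$lib"; then
            echo "SUSPICIOUS: $lib is preloaded from outside the system library directories"
            flagged=1
        elif ! owned_by_package "$lib"; then
            echo "SUSPICIOUS: $lib is in a system directory but not owned by any package"
            flagged=1
        else
            echo "REVIEW: $lib (package-owned, but any preload file deserves a look)"
        fi
    done
    [ "$flagged" -eq 0 ]
}

# When run directly, audit the live file or the path given as the first argument.
check_preload "$@"
```

Run it as root on each host and treat a non-zero exit as a reason to pull the listed library and the process tree that loaded it, not as proof of infection: some EDR agents and profiling tools do install a preload library legitimately, which is why package-owned entries are reported for review rather than flagged.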
Auto-Color was first described by Palo Alto Networks' Unit 42 in February 2025, when it was observed targeting universities and government agencies in North America and Asia. Darktrace's new research shows that its operators are adapting: the initial access vector is now CVE-2025-31324, a missing authorization check in the SAP NetWeaver Visual Composer Metadata Uploader that lets unauthenticated attackers upload arbitrary files and execute code on the server.
SAP released a patch for CVE-2025-31324 in April 2025, but exploitation did not stop: by May, Chinese state-sponsored groups and ransomware operators had joined in, and Mandiant has traced exploitation back to March, before the patch was available.
Attackers are not just exploiting vulnerabilities; they are refining their tools to stay invisible even in sandboxed analysis environments. SAP administrators should apply the patch for CVE-2025-31324 without delay, check internet-exposed NetWeaver systems for signs of earlier compromise (patching does not remove files an attacker has already uploaded), and review their Linux hosts for unexpected /etc/ld.so.preload entries.