Geekflare
Keval Vachharajani

Hackers Exploiting SAP NetWeaver Bug to Plant Linux Backdoor

Hackers have exploited a newly discovered vulnerability in SAP’s NetWeaver software to deploy a stealthy Linux backdoor called Auto-Color. According to a report from Darktrace, the attack targeted a US-based chemicals company in April 2025. Over the course of three days, threat actors breached the company’s network and attempted to download multiple suspicious files.

While Darktrace’s security systems detected and contained the intrusion before any serious damage could occur, a deeper investigation found some concerning trends.

The attackers took advantage of CVE-2025-31324, a critical vulnerability in SAP NetWeaver that allows remote file uploads and potential full system compromise. Just days after SAP publicly disclosed the flaw, threat actors were already exploiting it in the wild.

What makes this attack stand out is its use of the Auto-Color malware, a Linux-based Remote Access Trojan (RAT) first seen in late 2024. This is the first time researchers have observed Auto-Color being deployed via an SAP NetWeaver exploit.

Once inside the system, Auto-Color adapts its behaviour based on the level of system access it gets. If it has root privileges, it quietly plants a malicious library file in a way that gives it persistence across the entire system. It also renames itself to appear like a legitimate system log file, helping it hide in plain sight.

Furthermore, the report noted that the malware is designed to remain dormant if it can’t connect back to its command server. This tactic allows it to avoid detection in environments where internet access is limited, such as sandboxes used by security researchers.

The attack involved downloading multiple scripts and payloads, culminating in the delivery of the Auto-Color malware. However, the malware was unable to complete its mission due to Darktrace’s Autonomous Response system, which actively blocked its outbound communication attempts and isolated the infected device.

This event underlines the growing trend of attackers chaining exploits and deploying evasive malware to silently compromise enterprise systems. It also highlights how critical it is for organizations to patch high-severity vulnerabilities quickly, especially in widely used platforms like SAP.
