A group of cybercriminals has been exploiting a critical vulnerability in SAP NetWeaver, identified as CVE-2025-31324, to deploy the Auto-Color malware on Linux systems. The attack targeted a chemical industry company based in the United States.
The incident was discovered during a security investigation conducted in April 2025, where it was found that Auto-Color was not only still active but had evolved with more sophisticated evasion techniques, making it even harder to detect.
According to the findings, the initial activity began on April 25, with active exploitation of the flaw following a few days later. At that point the attackers dropped an ELF file (the native executable format on Linux), which marked the beginning of the infection.
What is the Auto-Color malware and why is it considered an advanced threat?
Auto-Color malware was first identified in February 2025 by security researchers, who classified it as a particularly difficult threat to detect and remove. Its highly evasive behavior and ability to remain hidden once a system is compromised make it a major challenge for cybersecurity teams.
One of its most striking features is its ability to adapt its behavior to the privilege level of the user executing it. It also employs advanced persistence techniques, such as writing an entry into /etc/ld.so.preload: every library listed in that file is loaded by the dynamic linker into each new dynamically linked process, so the malicious shared library is injected stealthily and keeps running after system reboots.
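The preload persistence described above can be audited with a small script. The following is an added example, not code from the article or from any vendor analysis of Auto-Color; the allowlist format and the library name in the demonstration are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the article or from any vendor analysis of Auto-Color.
# Audits an ld.so.preload file: every whitespace-separated path listed there is
# mapped into each new dynamically linked process, so on a healthy host the file is
# usually absent or empty. Entries not on an allowlist are flagged, with a note on
# whether the library is missing or sits outside the system library directories.
# Returns 0 when nothing suspicious is found, 1 otherwise.

check_preload() {
    preload="$1"   # file to audit, normally /etc/ld.so.preload
    allow="$2"     # allowlist with one full library path per line (may be empty)
    found=0

    if [ ! -f "$preload" ]; then
        echo "OK: $preload is absent, nothing is preloaded"
        return 0
    fi

    # Unquoted expansion splits the file into one token per path, as ld.so does.
    for entry in $(cat "$preload"); do
        if grep -qxF -- "$entry" "$allow" 2>/dev/null; then
            echo "allowed: $entry"
            continue
        fi
        found=$((found + 1))
        if [ ! -e "$entry" ]; then
            echo "SUSPICIOUS: $entry (preloaded but not present on disk)"
        else
            case "$entry" in
                /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*)
                    echo "SUSPICIOUS: $entry (not on the allowlist)" ;;
                *)
                    echo "SUSPICIOUS: $entry (outside the system library directories)" ;;
            esac
        fi
    done

    [ "$found" -eq 0 ]
}

# Demonstration on a constructed file; the library name is hypothetical.
demo_preload() {
    dir=$(mktemp -d)
    printf '/lib/libexample-hook.so.2\n' > "$dir/ld.so.preload"
    : > "$dir/allow"
    check_preload "$dir/ld.so.preload" "$dir/allow"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

Run it as `check_preload /etc/ld.so.preload /path/to/allowlist` on each Linux host; a non-zero exit status means at least one entry needs a closer look. Because ld.so consults this file before the program's own code runs, a library that only appears as a preload entry and has no package owner is a strong sign of the kind of persistence the article describes.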
Auto-Color comes equipped with a fairly complete set of functions for remotely controlling compromised systems. Among its capabilities are:
- Execution of arbitrary commands
- Modification of system files
- Reverse shell for remote access
- Traffic redirection via proxy
- Dynamic configuration updates
- A rootkit module that hides its presence from analysis tools or antivirus software
Interestingly, in the early analyzed cases, researchers were unable to determine how the malware initially infiltrated the systems. However, the attacks appeared to primarily target universities and government entities in North America and Asia.
More recently, new investigations revealed that the attackers behind Auto-Color are exploiting the CVE-2025-31324 vulnerability in SAP NetWeaver. This critical flaw, a missing authorization check in the Visual Composer Metadata Uploader, lets an unauthenticated attacker upload arbitrary files, such as web shells or binaries, to the server and thereby achieve remote code execution (RCE).
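Because the flaw is exploited through plain HTTP requests to the uploader endpoint, web access logs are a good place to look for attempts. The script below is an added example, not code from the article or from any vendor report: it hunts a log for POSTs to /developmentserver/metadatauploader and for follow-up requests to .jsp files. The log layout it parses is a constructed common-log-style format, and the addresses, timestamps and file names in the demonstration are made up; real SAP ICM or Web Dispatcher logs use a different layout, so the field numbers must be adjusted before running it against them.

```shell
#!/bin/sh
# Added example, not from the article or from any vendor report. Hunts a web access
# log for the request pattern CVE-2025-31324 exploitation leaves behind: an
# unauthenticated POST to the Visual Composer metadata uploader endpoint, typically
# followed by requests for a .jsp file that the upload dropped under the web root.
# Assumes a constructed common-log-style line format (client, date, "METHOD path",
# status, size); real SAP ICM / Web Dispatcher logs use a different layout, so adjust
# the field numbers before running this against them.

hunt_uploader() {
    log="$1"
    awk '
        # $6 is the quoted method ("POST), $7 the request path.
        $6 ~ /POST/ && $7 ~ /^\/developmentserver\/metadatauploader/ {
            print "UPLOAD ATTEMPT: " $1 " " $4 " " $7; hits++
        }
        # A .jsp request outside the uploader path deserves review as a possible web shell.
        $7 ~ /[.]jsp([?]|$)/ && $7 !~ /^\/developmentserver\/metadatauploader/ {
            print "JSP REQUEST:    " $1 " " $4 " " $7; hits++
        }
        # Exit status 0 when at least one indicator was seen, 1 otherwise.
        END { exit (hits > 0 ? 0 : 1) }
    ' "$log"
}

# Demonstration on constructed log lines (addresses, timestamps and file names are made up).
demo_hunt() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
10.0.0.5 - - [27/Apr/2025:03:14:07 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
10.0.0.5 - - [27/Apr/2025:03:14:09 +0000] "GET /irj/example.jsp HTTP/1.1" 200 88
10.0.0.9 - - [27/Apr/2025:03:20:00 +0000] "GET /irj/portal HTTP/1.1" 200 4096
EOF
    hunt_uploader "$log"
    rc=$?
    rm -f "$log"
    return $rc
}
```

A hit on the uploader endpoint from an address that has no business uploading Visual Composer models, followed within seconds by a request for a .jsp file from the same client, is the sequence to escalate; the HTTP status on the upload line tells you whether the server accepted it.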
Attack Timeline (Source: Darktrace)
Auto-Color Evolves with New Evasion Techniques and Continues Exploiting SAP NetWeaver
SAP released a patch to address the CVE-2025-31324 vulnerability in April 2025. Shortly thereafter, cybersecurity firms such as ReliaQuest, Onapsis, and watchTowr reported active exploitation attempts, and the volume of attacks grew over the following days.
By May, ransomware groups and actors linked to Chinese state interests had joined the wave of attacks. Additionally, security researchers discovered that this flaw had been exploited as a zero-day vulnerability since at least mid-March 2025, indicating that attackers were already a step ahead before the vulnerability became publicly known.
To make matters worse, there has been a significant evolution in the evasion tactics used by Auto-Color. One of the most recent techniques involves the malware remaining passive if it cannot communicate with its command-and-control (C2) server, suppressing most of its malicious actions. This strategy is particularly effective in isolated analysis environments or sandboxes, where the malware appears harmless at first glance.
This “hibernation” mechanism prevents security analysts from easily uncovering how the malware operates, concealing its true intent—such as credential exfiltration, persistence techniques, and the loading of additional malicious modules.
This adds to a range of advanced features previously documented, including:
- Conditional execution based on user privileges
- Use of seemingly legitimate filenames
- Hooking of critical functions in libc
- Logging activity in decoy directories
- Encrypted C2 communications via TLS
- Unique hashes for each malware sample
- A “kill switch” that disables its operation under certain conditions
With Auto-Color actively exploiting CVE-2025-31324, administrators running SAP NetWeaver must act urgently: apply the security patch or follow the mitigation measures in SAP's official advisory, which is available only to registered customers. Because the flaw was exploited for weeks before the patch existed, patching alone is not enough; any server that was exposed in that window should also be checked for uploaded files and other signs of compromise.