July 29, 2025 By Bill Toulas

Hackers were spotted exploiting a critical SAP NetWeaver vulnerability tracked as CVE-2025-31324 to deploy the Auto-Color Linux malware in a cyberattack on a U.S.-based chemicals company.
Cybersecurity firm Darktrace discovered the attack during an incident response in April 2025, where an investigation revealed that the Auto-Color malware had evolved to include additional advanced evasion tactics.
Darktrace reports that the attack started on April 25, but active exploitation occurred two days later, delivering an ELF (Linux executable) file onto the targeted machine.
Palo Alto Networks' Unit 42 researchers first documented the Auto-Color malware in February 2025, highlighting its evasive nature and how difficult it is to eradicate once it has established a foothold on a machine.
The backdoor adjusts its behavior based on the privilege level of the user it runs as, and uses 'ld.so.preload' for stealthy persistence via shared object injection.
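A defender-side check for the persistence mechanism described above, as an added example that is not code from Darktrace, Unit 42 or this article: it parses ld.so.preload content and lists the entries that deserve review. The /etc/ld.so.preload location, the trusted directory list and the allowlist parameter are assumptions to adapt per host.

```python
import os
import re
import stat

PRELOAD_PATH = "/etc/ld.so.preload"   # assumption: glibc's system-wide preload file
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")  # assumed baseline

def parse_preload(text):
    """Return the shared objects named in ld.so.preload content."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]                  # '#' starts a comment
        entries += [e for e in re.split(r"[\s:]+", line) if e]  # whitespace or ':'
    return entries

def audit_entry(path, allowlist=()):
    """Return the reasons a preload entry deserves review (empty if allowlisted)."""
    if path in allowlist:
        return []
    reasons = ["not in allowlist"]
    if "/" not in path:
        reasons.append("bare name, resolved through the library search path")
        return reasons
    if not path.startswith(TRUSTED_DIRS):
        reasons.append("outside standard library directories")
    try:
        mode = os.stat(path).st_mode
    except OSError:
        reasons.append("file missing or unreadable")
        return reasons
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons

def audit_preload(text, allowlist=()):
    """Map each entry that needs review to its reasons."""
    findings = {}
    for path in parse_preload(text):
        reasons = audit_entry(path, allowlist)
        if reasons:
            findings[path] = reasons
    return findings

if __name__ == "__main__":
    # No file means nothing is preloaded system-wide.
    content = open(PRELOAD_PATH).read() if os.path.exists(PRELOAD_PATH) else ""
    for path, reasons in audit_preload(content).items():
        print(f"{path}: {', '.join(reasons)}")
```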