A newly documented attack on a US-based chemicals company is raising fresh concerns in the cybersecurity community, after researchers observed the first known use of the evasive Auto-Color backdoor in conjunction with a critical SAP NetWeaver vulnerability, CVE-2025-31324.
Discovered and contained by Darktrace, the incident involved a multi-stage attack where threat actors used the SAP vulnerability as an entry point to deploy the Auto-Color malware on Linux systems. The backdoor then attempted to persist by hijacking system processes, but was thwarted by AI-driven detection and autonomous response.
“This is a wake-up call for every organization running SAP,” said Jonathan Stross, SAP Security Analyst at Pathlock. “Darktrace’s detailed research highlights how creatively and effectively attackers can leverage known vulnerabilities to advance along the cyber kill chain.”
A Sophisticated, Stealthy Backdoor
Auto-Color is a Remote Access Trojan (RAT) that first surfaced in November 2024. Named for its tactic of renaming itself to /var/log/cross/auto-color, it has mainly been seen targeting universities and government institutions across North America and Asia.
This latest case is a concerning escalation, as the malware is now being deployed against critical infrastructure.
Researchers found that once deployed, Auto-Color writes the path of a malicious shared library (libcext.so.2) into /etc/ld.so.preload. The dynamic loader honours that file for every dynamically linked program that starts, so the library is mapped ahead of the legitimate libc and can interpose on library functions, letting the malware hide its own files and evade detection. Note that this is user-space interposition of library calls, not kernel-level hooking of system calls, which is why monitoring the preload file itself is so effective.
Jason Soroko, Senior Fellow at Sectigo, warned that this technique allows attackers to gain deep system control while remaining virtually invisible.
“The exploit requires no authentication and lets attackers upload helper scripts that pull an ELF payload which renames itself to /var/log/cross/auto-color and persists by adding a fake library called libcext.so.2 to ld.so.preload,” he explained. “Because Auto-Color stays largely dormant until it can reach its command server, the initial intrusion creates almost no noise yet grants full host control and a foothold for lateral movement and data theft.”
CVE-2025-31324: A Persistent Threat
CVE-2025-31324 is a critical (CVSS 10.0) vulnerability in the Visual Composer Metadata Uploader of SAP NetWeaver: the /developmentserver/metadatauploader endpoint accepts file uploads without authentication, so an attacker can write arbitrary files, typically JSP web shells, to the application server. SAP published a fix in April 2025, but the flaw continues to be actively exploited in the wild.
According to Stross, this demonstrates why SAP security must not remain siloed.
“Traditional SAP Basis teams often lack the experience dealing with remote access trojans (RATs), which are more familiar territory for general IT and cybersecurity teams,” he noted. “Addressing threats, like Auto-Color backdoor malware, requires cross-departmental collaboration. SAP teams, IT operations, and security must work together, share expertise, and ensure SAP systems are not treated as siloed assets.”
A Wake-Up Call for Critical Infrastructure
Frankie Sclafani, Director of Cybersecurity Enablement at Deepwatch, said the convergence of a critical SAP vulnerability with the elusive Auto-Color malware to target critical infrastructure “signals a disturbing new chapter in cyber threats.”
“Darktrace’s thorough analysis and findings reveal the first documented case of threat actors exploiting the critical SAP NetWeaver vulnerability (CVE-2025-31324) to deploy Auto-Color backdoor malware,” he added. “To counter these increasingly sophisticated and stealthy multi-stage attacks, organizations must urgently transcend conventional security paradigms and adopt AI-driven, behavioral detection, and autonomous response capabilities.”
Guidance for Security Teams
Experts agree that urgent action is needed. Soroko advised entities running SAP NetWeaver to patch immediately, disable the vulnerable endpoint (/developmentserver/metadatauploader), and restrict inbound and outbound traffic to block Auto-Color’s communication with its operators.
He also recommended proactive hunting for signs of compromise, including:
- The presence of helper.jsp or config.sh
- Unexpected ZIP uploads
- Modifications to /etc/ld.so.preload
- Creation of files like libcext.so.2 or auto-color
- Outbound traffic over ports 443 or 3232 to unknown IPs
“Prepare containment playbooks that include host isolation, credential rotation and rapid rebuild of affected systems and add network detection rules for these indicators so the organization can prove it has closed exposure,” Soroko added.
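The indicators above translate directly into host-side checks. The script below is an added example, not Darktrace's or Soroko's tooling: the file names, the preload path and the 443/3232 ports are taken from the list above, while the SAP search roots and the allow-list handling are assumptions made for illustration. The "unexpected ZIP uploads" indicator is not covered because the article gives no upload path to watch.

```shell
#!/bin/sh
# Added example (not Darktrace's or Soroko's code): a host-side hunt for the
# Auto-Color / CVE-2025-31324 indicators quoted above. File names, the preload
# path and the 443/3232 ports come from the article; the search roots and the
# allow-list are assumptions. Each check returns 0 on a hit so the functions
# can be driven from cron or a test harness.

# check_preload [FILE]: hit if the ld.so.preload file names any library at all.
# On most hosts the file does not exist; any non-comment entry deserves review,
# and libcext.so.2 is the name Auto-Color is known to use.
check_preload() {
    f="${1:-/etc/ld.so.preload}"
    [ -e "$f" ] || return 1
    grep -Ev '^[[:space:]]*(#|$)' "$f" | grep -q .
}

# check_artifacts DIR...: hit if any known Auto-Color / helper file name exists
# under the given directories (each search stays on one filesystem).
check_artifacts() {
    for root in "$@"; do
        find "$root" -xdev \( -name helper.jsp -o -name config.sh \
            -o -name libcext.so.2 -o -name auto-color \) -print 2>/dev/null \
            | grep -q . && return 0
    done
    return 1
}

# check_c2_ports SS_OUTPUT ALLOWLIST: hit if an established TCP connection has
# a peer on port 443 or 3232 that is not listed in ALLOWLIST (one IP per line).
# SS_OUTPUT is a saved copy of `ss -Htn state established` (columns: Recv-Q,
# Send-Q, Local, Peer). Port 443 is noisy, so the allow-list of known SAP,
# backup and update peers is what makes this check usable.
check_c2_ports() {
    ssout="$1"; allow="$2"
    awk '{print $4}' "$ssout" | grep -E ':(443|3232)$' | sed 's/:[0-9]*$//' \
        | grep -vxFf "$allow" | grep -q .
}

# Live sweep: only runs when explicitly asked, so sourcing the file is safe.
if [ "${1:-}" = "--live" ]; then
    work=$(mktemp -d)
    check_preload && echo "ALERT: /etc/ld.so.preload has entries:" && cat /etc/ld.so.preload
    # /usr/sap is the assumed NetWeaver install root; adjust for your layout.
    check_artifacts /usr/sap /var/log /tmp /dev/shm && echo "ALERT: Auto-Color artefact names found"
    ss -Htn state established > "$work/ss" 2>/dev/null
    : > "$work/allow"       # assumed: populate with your known-good peer IPs
    check_c2_ports "$work/ss" "$work/allow" && echo "ALERT: outbound 443/3232 to a non-allow-listed peer"
    rm -rf "$work"
fi
```

Run it as root with `--live`; a hit on check_preload is the strongest single signal, because on a host that has never had the file the mere existence of a populated /etc/ld.so.preload is abnormal.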
Deep Technical Countermeasures
Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit, urged defenders to look at both sides of the threat: the vulnerability and the malware.
For CVE-2025-31324, he recommended:
- Immediate patching as per SAP Security Note 3604119
- Disabling the Metadata Uploader or blocking it from internet exposure if patching isn’t possible
- Adopting a zero-trust architecture
For Auto-Color, Dani advised:
- Implementing SELinux policies to prevent modifications to /etc/ld.so.preload
- Deploying file integrity monitoring (FIM) for system-critical paths
- Enforcing least privilege access and kernel hardening
- Using AppArmor or SELinux to restrict unauthorized system changes
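File integrity monitoring for the loader configuration is the control that catches this persistence mechanism regardless of which library name the malware uses. The script below is an added example of the mechanism, not the page's or Qualys' tooling: the watch list is an assumption, and a production deployment would use a proper FIM agent or an auditd watch (for example `auditctl -w /etc/ld.so.preload -p wa -k ldpreload`) rather than a cron job.

```shell
#!/bin/sh
# Added example (not the page's or Qualys' tooling): a minimal file-integrity
# baseline for the paths Auto-Color modifies or creates. The path list is an
# assumption made for illustration.
# Usage: sh fim.sh baseline MANIFEST   (on a known-good host, as root)
#        sh fim.sh verify   MANIFEST   (from cron; exit status 1 means drift)

# Assumed watch list: the preload file and loader configuration Auto-Color
# rewrites, and the directory it renames itself into.
FIM_PATHS="/etc/ld.so.preload /etc/ld.so.conf /etc/ld.so.conf.d /var/log/cross"

# fim_baseline MANIFEST PATH...: write "sha256  path" for every regular file
# under each PATH, sorted by path. A PATH that does not exist is recorded as
# ABSENT, so that its later appearance (e.g. /etc/ld.so.preload being created
# for the first time) shows up as drift instead of being silently ignored.
fim_baseline() {
    manifest="$1"; shift
    : > "$manifest"
    for p in "$@"; do
        if [ -e "$p" ]; then
            find "$p" -type f -exec sha256sum {} + >> "$manifest"
        else
            printf 'ABSENT  %s\n' "$p" >> "$manifest"
        fi
    done
    sort -k2 -o "$manifest" "$manifest"
}

# fim_verify MANIFEST PATH...: rebuild the manifest for the same paths and
# compare it with the stored one. Returns 0 when identical; otherwise prints
# each changed, added or removed entry and returns 1.
fim_verify() {
    stored="$1"; shift
    cur=$(mktemp)
    fim_baseline "$cur" "$@"
    if cmp -s "$stored" "$cur"; then
        rm -f "$cur"
        return 0
    fi
    diff "$stored" "$cur" | sed -n 's/^< /baseline: /p; s/^> /now:      /p'
    rm -f "$cur"
    return 1
}

# Command-line entry point; sourcing the file without arguments does nothing.
case "${1:-}" in
    baseline) fim_baseline "$2" $FIM_PATHS ;;
    verify)   fim_verify   "$2" $FIM_PATHS ;;
esac
```

Keep the manifest off the monitored host (or at least outside the attacker's write path), otherwise a rootkit that can edit /etc/ld.so.preload can also re-baseline itself; pairing the check with `chattr +i /etc/ld.so.preload` on hosts that never legitimately use the file raises the bar further.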
What This Attack Means for the Industry
This real-world case underscores several pressing lessons:
- SAP systems are high-value targets. Their critical role in business operations makes them attractive to attackers.
- Evasion tactics are evolving. Auto-Color can now suppress its activity if it fails to connect to its C2 infrastructure, effectively “pretending to be asleep” to avoid sandbox detection.
- Multi-stage attacks are the new normal. A single vulnerability leads to lateral movement, persistence, and exfiltration, making response plans more complex.
- Known, patched vulnerabilities remain dangerous. Despite disclosure and available fixes, exploitation continues because of gaps in visibility, governance, or patching processes.
A Warning Shot
“This isn’t just another Linux backdoor,” said Sclafani. “It’s a warning shot, and one the security community must take seriously.”
Darktrace’s research reveals a sharp escalation in adversary capability and intent, combining advanced evasion with critical SAP vulnerabilities to penetrate enterprise networks. As attacks like these become more sophisticated, security teams must evolve faster across departments, technologies, and mindsets.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.