SAP NetWeaver Flaw Exploited: Auto-Color Linux Backdoor Targets US Chemical Company
Analysts at Darktrace have identified a targeted attack on an American chemical company in which the intruders exploited a critical vulnerability in the SAP NetWeaver platform. Tracked as CVE-2025-31324, the flaw is a missing authorization check in a file upload component: an attacker can upload arbitrary files to the server without authenticating and, by uploading an executable, run code on it. SAP published a patch in April, but the intrusion took place in the short window before the fix had been applied to the victim's system.
The attack unfolded over three days. The first signs were reconnaissance-style scans of internet-exposed hosts believed to be running SAP NetWeaver. Shortly afterwards the attackers used the vulnerability to upload a malicious ELF binary, which Darktrace identified as a member of the Auto-Color malware family.
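The two stages described above, a scan of SAP paths followed by an unauthenticated upload through the vulnerable endpoint, leave a recognisable trail in the web server's access log and in the upload directory. The following script is an added example, not code from Darktrace or from the incident, that triages both from a handful of constructed log lines and file headers. It assumes common-log-format entries; the upload path it looks for is the one publicly documented for CVE-2025-31324 and is a parameter, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Path publicly documented for CVE-2025-31324; kept as a parameter so it can be changed.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
ELF_MAGIC = b"\x7fELF"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Constructed sample access-log lines (not taken from the incident).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Apr/2025:10:01:01 +0000] "GET /sap/bc/gui/sap/its/webgui HTTP/1.1" 404 0
203.0.113.7 - - [25/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 404 0
203.0.113.7 - - [25/Apr/2025:10:01:03 +0000] "GET /sap/public/info HTTP/1.1" 200 812
203.0.113.7 - - [25/Apr/2025:10:01:04 +0000] "GET /nwa HTTP/1.1" 302 0
203.0.113.7 - - [25/Apr/2025:10:01:05 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 1310
203.0.113.7 - - [25/Apr/2025:10:02:10 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 0
198.51.100.4 - - [25/Apr/2025:10:03:00 +0000] "GET /irj/portal HTTP/1.1" 200 5120
"""

# Constructed leading bytes of files as if read from the upload directory.
SAMPLE_FILES = {
    "/tmp/upload/meta.xml": b"<?xml version",
    "/tmp/upload/cache.bin": b"\x7fELF\x02\x01\x01\x00",
}


def parse_log(text):
    """Parse common-log-format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            e["size"] = int(e["size"])
            entries.append(e)
    return entries


def detect_scanning(entries, min_paths=5):
    """Stage 1: a single source probing many distinct paths (reconnaissance).
    Returns {ip: number_of_distinct_paths} for sources over the threshold."""
    paths = defaultdict(set)
    for e in entries:
        paths[e["ip"]].add(e["path"])
    return {ip: len(p) for ip, p in paths.items() if len(p) >= min_paths}


def detect_upload_posts(entries, endpoint=UPLOAD_ENDPOINT):
    """Stage 2: POSTs to the unauthenticated upload endpoint. On an unpatched
    system a 200 here means the upload was accepted, so every hit deserves review."""
    return [e for e in entries
            if e["method"] == "POST" and e["path"].startswith(endpoint)]


def is_elf(head):
    """True if the file starts with the ELF magic, i.e. it is a Linux executable."""
    return head[:4] == ELF_MAGIC


def find_dropped_elf(files):
    """Stage 3: ELF binaries among files written by the upload handler.
    `files` maps path -> leading bytes; on a real host read the directory."""
    return sorted(path for path, head in files.items() if is_elf(head))


def triage(log_text, files):
    """Run all three checks and return the findings in one dict."""
    entries = parse_log(log_text)
    return {
        "scanners": detect_scanning(entries),
        "upload_posts": [(e["ip"], e["ts"]) for e in detect_upload_posts(entries)],
        "elf_drops": find_dropped_elf(files),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_FILES))
```

On a real system the same three checks are the ones to run on the SAP host itself: the access log answers whether the endpoint was hit, the upload directory answers whether an executable landed, and the pairing of the two within minutes is the signature of this attack rather than of a noisy scanner.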
The malware was first documented in February 2025 by Palo Alto Networks' Unit 42, which at the time observed it in campaigns against universities and government bodies in North America and Asia. Auto-Color is a remote access trojan that gives its operators full control of an infected Linux host. Its capabilities include shell command execution, creating and running files, modifying proxy settings, managing additional payloads, collecting system information, and removing itself on command.
One of Auto-Color's defining traits is its evasive behavior. If it cannot reach its command-and-control (C2) server, it throttles or stops its activity altogether, so that to an analyst or a sandbox it looks like an inert file. The tactic lets it pass detection systems and draw less attention in the early stages of an intrusion.
During the April incident, Auto-Color never managed to hold a connection to its external C2 infrastructure. Even so, what it did do showed a detailed understanding of Linux internals and a cautious, deliberate execution strategy. Darktrace's analysts believe the authors deliberately reduced the risk of exposure by keeping the active components switched off whenever the C2 handshake failed.
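The behavior described above has a network-side consequence: a host that keeps trying to reach a C2 server it cannot connect to produces a train of failed, evenly spaced outbound connection attempts, which is exactly what a server that normally makes no outbound connections should never show. The function below is an added example, not Darktrace's or Unit 42's code, that looks for that pattern in Zeek-style connection records. The page does not describe Auto-Color's beacon interval or protocol, so the records, the interval and the jitter tolerance are constructed assumptions, and the heuristic is generic to any implant that retries C2 and goes quiet.

```python
from collections import defaultdict
from statistics import median

# Connection states in Zeek's notation: S0 = SYN sent, no reply; REJ = rejected;
# RSTOS0 = reset after SYN; SF = normal completed connection.
FAILED_STATES = {"S0", "REJ", "RSTOS0"}

# Constructed records: (epoch seconds, src, dst, dport, state). Not from the incident.
SAMPLE_CONNS = [
    (1745575200, "10.0.5.21", "192.0.2.55", 443, "S0"),
    (1745575260, "10.0.5.21", "192.0.2.55", 443, "S0"),
    (1745575319, "10.0.5.21", "192.0.2.55", 443, "REJ"),
    (1745575381, "10.0.5.21", "192.0.2.55", 443, "S0"),
    (1745575440, "10.0.5.21", "192.0.2.55", 443, "S0"),
    (1745575205, "10.0.5.21", "10.0.5.2", 53, "SF"),        # ordinary DNS lookup
    (1745575210, "10.0.5.30", "198.51.100.9", 443, "SF"),   # another host, working TLS
    (1745575300, "10.0.5.30", "198.51.100.9", 443, "S0"),   # one failure, not a pattern
]


def find_failed_beacons(conns, min_attempts=4, max_jitter=0.2):
    """Group outbound attempts by (src, dst, dport) and report groups where at
    least min_attempts attempts all failed and the gaps between them are regular
    (every gap within max_jitter of the median gap). Regularity is what separates
    a retrying implant from a user whose download timed out once."""
    groups = defaultdict(list)
    for ts, src, dst, dport, state in conns:
        groups[(src, dst, dport)].append((ts, state))

    findings = []
    for (src, dst, dport), attempts in groups.items():
        attempts.sort()
        if len(attempts) < min_attempts:
            continue
        if not all(state in FAILED_STATES for _, state in attempts):
            continue
        gaps = [later[0] - earlier[0] for earlier, later in zip(attempts, attempts[1:])]
        med = median(gaps)
        if med <= 0 or any(abs(g - med) > max_jitter * med for g in gaps):
            continue
        findings.append({"src": src, "dst": dst, "dport": dport,
                         "attempts": len(attempts), "interval_s": med})
    return findings


if __name__ == "__main__":
    for f in find_failed_beacons(SAMPLE_CONNS):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} failed {f['attempts']} times, "
              f"every ~{f['interval_s']:.0f}s")
```

The same records are also the reason the "dormant if C2 is down" trick is a double-edged sword for the attacker: the implant stays quiet on the host, but each retry is still a connection attempt on the wire, and an SAP application server has no business initiating periodic connections to an unknown external address at all.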
The exploitation of a zero-day vulnerability in SAP NetWeaver underscores the growing interest of attackers in enterprise business platforms. It is not the first time widely deployed commercial software has served as the entry point for a multi-stage, precisely targeted intrusion. The incident also shows how quickly threat actors move: only a few days separated the release of the patch from this exploitation attempt, so a vendor fix offers no protection until it is actually installed, and until then an unauthenticated upload endpoint exposed to the internet should be blocked or restricted at the network edge.