Vulnerability in SAP NetWeaver Exploited to Deploy Auto-Color Linux Malware


Date: 02/08/2025

Experts at Darktrace warned that hackers exploited a critical vulnerability in SAP NetWeaver (CVE-2025-31324) to deploy Linux malware Auto-Color into the network of an unnamed American chemical company.

Researchers discovered an attack in April 2025, and during the incident investigation, it was revealed that in recent months Auto-Color has changed and begun employing new methods to evade detection.

Recall that Auto-Color was first discovered by Palo Alto Networks specialists in early 2025. At that time, it was noted that the malware possesses an entire arsenal of techniques for evading detection. Among these are: using seemingly harmless file names (such as door or egg), concealing C&C communications, and employing custom encryption algorithms to mask communication and configuration data.

The backdoor adjusts its behavior depending on the user’s privilege level and persists covertly by injecting a shared object through ld.so.preload.
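Because the persistence mechanism described above hinges on an entry in /etc/ld.so.preload, a defender can audit that file directly. The following script is an added example for this article (not tooling from Darktrace, Palo Alto Networks or the malware authors); the trusted directory list and the sample file contents are assumptions constructed for illustration.

```python
#!/usr/bin/env python3
"""Audit /etc/ld.so.preload for entries that do not belong there.

On a clean host the file is usually absent; when present it should only name
libraries living in system library directories."""
import os
import stat
import sys

# Directories where a legitimately preloaded library would normally live (assumption).
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
# Writable scratch locations where a dropped object would be out of place.
SCRATCH_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample file contents; the innocuous-looking names echo the article.
SAMPLE_PRELOAD = """# constructed example, not a real capture
/usr/lib/x86_64-linux-gnu/libaudit.so.1
/var/tmp/door
/tmp/egg
"""

def parse_preload(text):
    """Return the object paths listed in an ld.so.preload file.
    glibc splits the file on whitespace and ignores text after '#'."""
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        paths.extend(line.split())
    return paths

def audit_preload(text, check_fs=False):
    """Return [(path, reason), ...] for suspicious entries.
    With check_fs=True the entries are also checked on the live filesystem."""
    findings = []
    for path in parse_preload(text):
        if path.startswith(SCRATCH_PREFIXES):
            findings.append((path, "shared object in scratch directory"))
        elif not path.startswith(TRUSTED_PREFIXES):
            findings.append((path, "shared object outside system library directories"))
        if check_fs:
            if not os.path.exists(path):
                findings.append((path, "listed object does not exist"))
            elif os.stat(path).st_mode & stat.S_IWOTH:
                findings.append((path, "listed object is world-writable"))
    return findings

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/ld.so.preload"
    if not os.path.exists(target):
        print(f"{target}: absent (expected on a clean host)")
    else:
        with open(target) as fh:
            for path, reason in audit_preload(fh.read(), check_fs=True):
                print(f"SUSPICIOUS {path}: {reason}")
```

Run it without arguments on a host to check the real file, or pass a path to audit a copy collected during an investigation.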

Auto-Color is capable of: launching a reverse shell, collecting system information, creating and modifying files, running programs, using the infected machine as a proxy, and even self-destructing with the help of a special “kill switch” in the code. This last feature allows attackers to remove traces of the infection from compromised machines.

“If the command and control server is unavailable, Auto-Color effectively halts and does not engage its full malicious functionality, appearing quite harmless to analysts,” notes Darktrace. “This behavior hinders analysis and prevents the identification of specific payloads, credential theft mechanisms, or persistence methods being used.”

At the time, however, specialists from Palo Alto Networks were unable to identify the initial access vector of the attacks, which then targeted universities and government organizations in North America and Asia.

As experts from Darktrace have now reported, the attackers behind Auto-Color are exploiting the critical vulnerability CVE-2025-31324 in NetWeaver, which allows malicious binaries to be uploaded for remote code execution without authentication.

SAP developers patched this vulnerability in April 2025, but even then, cybersecurity specialists warned of active exploitation attempts. By May 2025, ransomware groups and Chinese “government” hackers had joined the attacks, and the company Mandiant found evidence that the vulnerability had been used as a 0-day at least since mid-March 2025.
