Red Hot Cyber
Auto-Color malware distributed via a vulnerability in SAP NetWeaver

1 August 2025 07:11

Darktrace has recorded a targeted attack on a US chemical company in which attackers exploited a critical vulnerability in the SAP NetWeaver platform. The flaw, tracked as CVE-2025-31324, lay in the file upload mechanism and allowed attackers to execute arbitrary code on the server without authentication. Although SAP had released a fix in April, the patch had not yet been installed when the incident occurred.

The attack unfolded over three days. The first signs were reconnaissance-style scanning of internet-facing devices presumably running SAP NetWeaver. It was later found that the attackers had exploited the vulnerability to deliver a malicious ELF executable belonging to a malware family called Auto-Color.
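The three-stage sequence described above (scan-like probing of exposed hosts, an unauthenticated upload, then an ELF binary appearing on disk) can be turned into a simple correlation check. This is an added example, not code from the original article or from Darktrace; the log records and file events are constructed, and the upload endpoint and dropped-file path are placeholders rather than values taken from the page.

```python
"""Correlate the described chain in constructed log data:
recon scanning -> unauthenticated POST -> ELF file written."""
from collections import defaultdict

ELF_MAGIC = b"\x7fELF"

# Constructed access-log records: (src_ip, method, path, status, had_credentials)
ACCESS_LOG = [
    ("203.0.113.5", "GET", "/irj/portal", 200, False),
    ("203.0.113.5", "GET", "/sap/bc/ping", 404, False),
    ("203.0.113.5", "GET", "/nwa", 401, False),
    ("203.0.113.5", "GET", "/sld", 404, False),
    ("203.0.113.5", "POST", "/ASSUMED_UPLOAD_ENDPOINT", 200, False),  # placeholder path
    ("198.51.100.7", "GET", "/irj/portal", 200, True),                # ordinary user
]

# Constructed file-creation events: (path, first bytes written)
FILE_EVENTS = [
    ("/tmp/ASSUMED_DROPPED_FILE", b"\x7fELF\x02\x01\x01" + b"\x00" * 9),  # placeholder
    ("/var/log/app.log", b"2025-04-"),
]

def scan_sources(log, min_distinct_paths=4):
    """IPs that touch many distinct paths in one window look like recon scanning."""
    paths = defaultdict(set)
    for ip, _method, path, _status, _auth in log:
        paths[ip].add(path)
    return {ip for ip, seen in paths.items() if len(seen) >= min_distinct_paths}

def unauthenticated_uploads(log):
    """Successful POSTs that carried no credentials at all."""
    return [(ip, path) for ip, method, path, status, auth in log
            if method == "POST" and status == 200 and not auth]

def elf_drops(events):
    """Newly written files whose first bytes are the ELF magic."""
    return [path for path, head in events if head.startswith(ELF_MAGIC)]

def correlate(log, events):
    """Alert when a scanning IP also uploaded without auth and an ELF was written."""
    scanners = scan_sources(log)
    uploads = [(ip, p) for ip, p in unauthenticated_uploads(log) if ip in scanners]
    drops = elf_drops(events)
    return [f"{ip} scanned, posted to {p}, ELF written: {d}"
            for ip, p in uploads for d in drops]

if __name__ == "__main__":
    for alert in correlate(ACCESS_LOG, FILE_EVENTS):
        print(alert)
```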

This malware was first described in February 2025 by Unit 42 of Palo Alto Networks. At the time, it was targeting universities and government institutions in North America and Asia. Auto-Color operates as a remote access Trojan, giving attackers full control over infected Linux hosts. Its capabilities include shell execution, file creation and execution, manipulation of system proxy settings, load management, system information gathering, and the ability to completely self-destruct on command.

One of Auto-Color’s key features is its ability to hide its activity. If a connection to the command and control server is not established, the malware slows down or even stops working altogether, mimicking a harmless file. This allows it to evade threat detection systems and arouse less suspicion in the initial penetration phase.

During the April incident, Auto-Color failed to establish a persistent connection to the external C&C infrastructure, but even in this state, it exhibited complex behavior, demonstrating a deep understanding of Linux’s internal logic and caution in its actions. According to analysts, the authors of this malware deliberately minimized the risk of detection by disabling active functions in the event of a failed connection to the C&C server.

The attack and the exploitation of the Zero-Day vulnerability in SAP NetWeaver highlight attackers’ growing interest in enterprise platforms. This is not the first time that widely used commercial software has become an entry point for a multi-stage targeted attack. The incident also demonstrates how quickly groups react after patches are released: only a few days passed between the release of the update and the use of the exploit.
