Darktrace, a prominent cybersecurity research organization, has reported what appears to be the first recorded instance of threat actors leveraging a severe vulnerability in SAP NetWeaver (CVE-2025-31324) to deploy a stealthy malware known as Auto-Color. This vulnerability, uncovered by SAP SE on April 24, 2025, carries a critical CVSS score of 10, posing a significant risk as it allows attackers to upload harmful files directly to the SAP NetWeaver application server, potentially leading to remote code execution and full system takeover.
The Auto-Color backdoor, which first emerged in November 2024, has been observed targeting systems predominantly in the United States and Asia, particularly within universities and government entities. This Remote Access Trojan (RAT) is named for its capability to rename itself to “/var/log/cross/auto-color” after execution. Its design enables persistent system compromise by exploiting inherent Linux functionalities such as ld.so.preload. Notably, each iteration of the malware exhibits unique characteristics due to its statically compiled and encrypted command-and-control (C2) configurations.
Attack Timeline: From SAP Exploit to Malware Delivery
Research shared with Hackread.com indicates that in April 2025, Darktrace’s Security Operations Centre (SOC) detected a multi-stage Auto-Color attack targeting a chemicals company in the US. Initial scanning for the CVE-2025-31324 vulnerability started on April 25, with active exploitation commencing two days later. This was evidenced by an incoming connection from IP address 91.193.19.109 alongside a ZIP file download signaling the exploitation process.
On April 27 and 28, the compromised device initiated suspicious DNS queries directed at Out-of-Band Application Security Testing (OAST) domains, a tactic often employed for vulnerability assessments or data tunneling. Approximately ten hours after the initial breach, a shell script was downloaded, followed by connections to a known C2 platform. The subsequent download of the Auto-Color ELF malware file marked a critical juncture, as this was the first documented connection between exploitation of the SAP NetWeaver vulnerability and the deployment of Auto-Color malware.
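Two of the signals in this timeline are cheap for a defender to hunt for on their own telemetry: DNS lookups to Out-of-Band Application Security Testing (OAST) services from a server that has no business making them, and an unexpected entry in /etc/ld.so.preload, the persistence mechanism described above. The script below is an added illustration written for this page, not code from Darktrace or any vendor. The OAST suffix list is an assumption for the example (a starter set to extend from your own threat intelligence), and the DNS log lines and ld.so.preload contents are constructed samples.

```python
import re

# Illustrative OAST service suffixes. This list is an assumption of the
# example, not from the report; extend it from your own threat intelligence.
OAST_SUFFIXES = (
    "oast.fun", "oast.pro", "oast.site", "oast.live", "oast.me",
    "oast.online", "interact.sh", "burpcollaborator.net",
)

# Path the Auto-Color RAT renames itself to after execution (from the report).
AUTO_COLOR_PATH = "/var/log/cross/auto-color"

# Constructed DNS query log: "<timestamp> <source host> <queried name>".
SAMPLE_DNS_LOG = """\
2025-04-27T10:12:01Z sap-app-01 time.example-corp.internal
2025-04-27T10:12:44Z sap-app-01 abcd1234.oast.fun
2025-04-28T03:05:09Z sap-app-01 updates.example-corp.internal
2025-04-28T03:06:22Z sap-app-01 x9y8z7.interact.sh
2025-04-28T03:07:00Z sap-db-02 sap-app-01.example-corp.internal
"""

# Constructed /etc/ld.so.preload contents with one unexpected entry.
SAMPLE_LD_PRELOAD = """\
# note: approved by platform team
/usr/lib/libauthorized.so
/var/log/cross/auto-color
"""

DNS_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qname>\S+)\s*$")


def is_oast_domain(qname, suffixes=OAST_SUFFIXES):
    """True if qname is, or is a subdomain of, a listed OAST service domain."""
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)


def find_oast_queries(log_text, suffixes=OAST_SUFFIXES):
    """Return (timestamp, source host, qname) for every OAST lookup in the log."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        if is_oast_domain(m.group("qname"), suffixes):
            hits.append((m.group("ts"), m.group("src"), m.group("qname")))
    return hits


def suspicious_preload_entries(preload_text, allowlist=()):
    """Return ld.so.preload entries that are not on the allowlist.

    ld.so.preload is a legitimate loader feature, so the check is an
    allowlist: anything not explicitly approved is reported, and the
    Auto-Color rename path is reported even if someone allowlisted it.
    """
    allowed = set(allowlist)
    flagged = []
    for raw in preload_text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # tolerate '#' comment lines
        if not entry:
            continue
        if entry == AUTO_COLOR_PATH or entry not in allowed:
            flagged.append(entry)
    return flagged


def main():
    for ts, src, qname in find_oast_queries(SAMPLE_DNS_LOG):
        print(f"OAST lookup  {ts}  {src} -> {qname}")
    for entry in suspicious_preload_entries(
        SAMPLE_LD_PRELOAD, allowlist=["/usr/lib/libauthorized.so"]
    ):
        print(f"unexpected ld.so.preload entry: {entry}")


if __name__ == "__main__":
    main()
```

Running it against the constructed samples reports the two OAST lookups from sap-app-01 and the Auto-Color path in ld.so.preload; in practice the DNS side is fed from resolver or Zeek/Suricata logs, and the preload check runs from host telemetry or an EDR file-content query.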
AI-Powered Security Mitigates Intrusion
In response, Darktrace’s AI-driven Autonomous Response capability intervened swiftly, enforcing the affected device’s learned “pattern of life” (restricting it to its established normal behavior) for 30 minutes starting April 28. This approach successfully curtailed further malicious activities while enabling normal business operations. The incident triggered multiple alerts, prompting an immediate investigation through Darktrace’s Managed Detection and Response (MDR) service.
With the situation under scrutiny, Darktrace extended its autonomous response measures for an additional 24 hours. This extension provided the customer’s security team invaluable time for thorough investigation and remediation efforts. This incident underscores the urgency of addressing disclosed vulnerabilities; despite official notifications, threats such as CVE-2025-31324 continue to be actively exploited, leading to risks of ongoing attacks.
Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit, emphasizes that immediate action is essential. Organizations must patch their SAP NetWeaver systems against CVE-2025-31324 or, if patching is unfeasible, halt public exposure of these systems and bolster security measures with a zero-trust architecture. Dani warns that without prompt intervention, firms remain vulnerable to sophisticated, multi-stage threats.
This incident exemplifies the power of AI in identifying and mitigating cybersecurity risks swiftly and effectively, demonstrating how advanced detection methods can protect organizations from evolving and persistent threats.