In April 2025, a threat actor exploited CVE-2025-31324, a critical vulnerability in SAP NetWeaver, to deploy the Auto-Color backdoor malware on a US-based chemical company's network. The intrusion began with suspicious ZIP file downloads and DNS tunneling to test exploitability, eventually delivering an ELF binary representing Auto-Color. This marked the first known instance of SAP NetWeaver exploitation being paired with Auto-Color malware, which is tailored for Linux systems. The malware's behavior adapts based on privilege level: if executed with root access, it installs a malicious shared object (libcext.so.2) and modifies /etc/ld.so.preload for persistent system-wide hooking.
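The /etc/ld.so.preload persistence described above is easy to audit, because on most Linux hosts that file should be absent or empty. The following is an added example of such an audit, written for this page and not taken from the report or from any vendor tooling; it assumes glibc's parsing rules for the file (entries separated by whitespace or ':', '#' starting a comment), a site-specific allowlist, and a constructed sample file that contains the libcext.so.2 name quoted in the report.

```python
import os
import re
from dataclasses import dataclass, field

# Artifact name quoted in the report: the shared object Auto-Color drops when run as root.
KNOWN_BAD_BASENAMES = {"libcext.so.2"}
# Directories where a preloaded library has no business living (assumption: tune per fleet).
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

@dataclass
class Finding:
    entry: str
    reasons: list = field(default_factory=list)

def parse_ld_preload(text: str) -> list:
    """Tokenise /etc/ld.so.preload as the glibc loader does: entries are
    separated by whitespace or ':', and '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(tok for tok in re.split(r"[\s:]+", line) if tok)
    return entries

def audit_ld_preload(text: str, allowlist=frozenset(), exists=os.path.exists) -> list:
    """Return one Finding per preload entry not on the allowlist; the reasons
    list which checks fired. `exists` is injectable so the sample run below never
    touches the real filesystem."""
    findings = []
    for entry in parse_ld_preload(text):
        if entry in allowlist:
            continue
        f = Finding(entry, ["not on allowlist"])
        if os.path.basename(entry) in KNOWN_BAD_BASENAMES:
            f.reasons.append("matches reported Auto-Color artifact name")
        if not entry.startswith("/"):
            f.reasons.append("bare name, resolved through the library search path")
        elif entry.startswith(SUSPECT_DIRS):
            f.reasons.append("lives in a temporary or world-writable directory")
        if not exists(entry):
            f.reasons.append("referenced file does not exist")
        findings.append(f)
    return findings

# Constructed sample content, not a capture from the incident.
SAMPLE = "/usr/lib/libcext.so.2   # injected\n/opt/vendor/libaudit_hook.so:/tmp/.x.so\n"
SAMPLE_ALLOWLIST = frozenset({"/opt/vendor/libaudit_hook.so"})

if __name__ == "__main__":
    for f in audit_ld_preload(SAMPLE, SAMPLE_ALLOWLIST, exists=lambda p: False):
        print(f.entry, "->", "; ".join(f.reasons))
```

To run it against a live host, pass the contents of /etc/ld.so.preload (treat a missing file as empty) and keep the default `exists`; any finding at all is worth a look, since a legitimately populated preload file is rare.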
Auto-Color attempts outbound TLS communication with a hardcoded C2 IP, stalling its full functionality if the connection fails—a tactic designed to evade sandbox analysis and detection. When active, it supports a modular command structure that includes reverse shell access, payload execution, and a kill switch. The malware masquerades as legitimate system files, renames itself to mimic log data, and employs advanced evasion techniques such as dynamic linker abuse and delayed payload activation.