Hackers Leverage SAP NetWeaver Flaw to Deploy Auto-Color Linux Malware

Cybersecurity firm Darktrace successfully thwarted a sophisticated Auto-Color backdoor malware attack that targeted a US-based chemicals company in April 2025, demonstrating the evolving threat landscape facing critical infrastructure organizations.

The three-day cyber intrusion, which exploited a recently disclosed SAP NetWeaver vulnerability, marks the first observed pairing of CVE-2025-31324 exploitation with Auto-Color malware.

Critical Vulnerability Exploitation

The attack began on April 25, 2025, when threat actors started probing the company’s internet-facing systems for CVE-2025-31324, a critical vulnerability in SAP NetWeaver disclosed just one day earlier on April 24.

This vulnerability allows malicious actors to upload files to SAP NetWeaver application servers, potentially leading to remote code execution and complete system compromise.

Despite SAP's urgent disclosure, the vulnerability has already been exploited across multiple systems, highlighting how quickly cybercriminals weaponize newly discovered security flaws.

Sophisticated Malware Deployment

The Auto-Color malware, first observed in November 2024, represents a particularly dangerous Remote Access Trojan (RAT) that primarily targets Linux systems.

Named for its ability to rename itself to “/var/log/cross/auto-color” after execution, the malware has been observed attacking universities and government institutions across the United States and Asia.

What makes Auto-Color particularly insidious is its adaptive behavior based on user privileges. When executed without root access, it operates with limited functionality to avoid detection.

However, with root privileges, it performs invasive installations, deploying a malicious shared object file disguised as a legitimate system library.
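The article gives defenders two concrete host-level indicators: the implant renames itself to /var/log/cross/auto-color, and it is an ELF binary living in a place where only log files belong. The following scanner is an added example (not code from the article or from Darktrace) that walks a /var/log-style tree pointed to by its root argument, which could be a live system or a mounted forensic image, and flags the known path, any file with an ELF header, and any file with an execute bit. The sample tree it builds is constructed for demonstration and contains only a four-byte ELF header stub, not malware.

```python
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"
# Path the article reports the implant renaming itself to, in relative form
# so the scanner can be pointed at any root (e.g. a mounted image's var/log).
KNOWN_RELATIVE_PATH = os.path.join("cross", "auto-color")


def is_elf(path: str) -> bool:
    """True if the file begins with the ELF magic bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def scan_log_tree(root: str) -> list[tuple[str, str]]:
    """Walk a /var/log-style tree and return sorted (relative_path, reason) findings.

    Three checks, each derived from the article's description of Auto-Color:
    the known rename target, an ELF binary sitting among log files, and a
    file with its owner-execute bit set. A log directory should hold none.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                continue  # symlinks are reported by their target elsewhere
            if rel == KNOWN_RELATIVE_PATH:
                findings.append((rel, "known auto-color path"))
            if is_elf(full):
                findings.append((rel, "ELF binary under log directory"))
            elif os.stat(full).st_mode & stat.S_IXUSR:
                findings.append((rel, "executable file under log directory"))
    return sorted(findings)


def build_sample_tree() -> str:
    """Create a constructed sample tree in a temp dir (hypothetical data, no real malware)."""
    root = tempfile.mkdtemp(prefix="logscan-")
    os.makedirs(os.path.join(root, "cross"))
    os.makedirs(os.path.join(root, "nginx"))
    # Ordinary text log: should produce no finding.
    with open(os.path.join(root, "syslog"), "w") as fh:
        fh.write("Apr 28 10:00:01 host sshd[123]: Accepted publickey for ops\n")
    # ELF header stub at the path the article names: two findings expected.
    with open(os.path.join(root, "cross", "auto-color"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
    # Text file with a stray execute bit: one finding expected.
    with open(os.path.join(root, "nginx", "access.log"), "w") as fh:
        fh.write('127.0.0.1 - - [28/Apr/2025:10:00:02] "GET / HTTP/1.1" 200\n')
    os.chmod(os.path.join(root, "nginx", "access.log"), 0o755)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, reason in scan_log_tree(sample):
        print(f"{reason}: {rel}")
```

Run it against a real host with `scan_log_tree("/var/log")` from a root shell; the ELF and execute-bit checks catch a renamed or relocated copy that the fixed path check alone would miss.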

AI-Driven Detection and Response

Darktrace’s artificial intelligence-driven security platform detected the initial signs of the attack through unusual network activity patterns.

The company’s Security Operations Centre received the first alert on April 28, when suspicious ELF file downloads were detected on the compromised device.

The attack timeline revealed a methodical approach by the threat actors.

After the initial vulnerability scan, active exploitation began on April 27 with connections from malicious IP addresses and suspicious DNS tunneling requests.

The attackers downloaded multiple files before ultimately deploying the Auto-Color malware approximately 24 hours after the initial compromise.

Autonomous Response Success

Darktrace’s Autonomous Response capability proved crucial in containing the threat.

The system automatically enforced a “pattern of life” restriction on the compromised device, preventing it from deviating from expected behavior while maintaining normal business operations.

This intervention successfully blocked the malware’s attempts to establish command-and-control communication, effectively neutering its capabilities.

Industry Implications

This incident underscores the critical importance of rapid vulnerability management and advanced threat detection capabilities.

The swift exploitation of CVE-2025-31324 demonstrates how quickly cybercriminals can weaponize newly disclosed vulnerabilities, particularly those affecting widely deployed enterprise software like SAP NetWeaver.

The successful containment by Darktrace’s AI-driven platform highlights the growing importance of autonomous security responses in defending against sophisticated, multi-stage attacks that can evolve rapidly beyond human response capabilities.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
