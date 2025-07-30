BleepingComputer reports that threat actors attempted to compromise a U.S.-based chemicals firm with an updated version of the Auto-Color Linux backdoor through the abuse of the critical SAP NetWeaver flaw, tracked as CVE-2025-31324, as part of a thwarted attack in late April.
Exploitation of the SAP NetWeaver vulnerability allowed the distribution of an ELF executable with Auto-Color, which has gained a more sophisticated detection bypass measure that quells malicious activity in the event of a failed connection with its hardcoded command-and-control server on top of its standard arbitrary command execution, dynamic configuration updating, file modification, proxy traffic forwarding, and full remote access reverse shell capabilities, according to an analysis from Darktrace. "If the C2 server is unreachable, Auto-Color effectively stalls and refrains from deploying its full malicious functionality, appearing benign to analysts. This behavior prevents reverse engineering efforts from uncovering its payloads, credential harvesting mechanisms, or persistence techniques," said Darktrace researchers.
