An Auto-Color backdoor was observed launching a malware attack on the network of a U.S.-based chemicals company.In a July 29 blog, Darktrace researchers said the threat actor exploited the critical 10.0 CVE-2025-31324 as part of a multi-stage attack — the first observed pairing of an SAP NetWeaver exploitation with the Auto-Color malware.The Darktrace researchers explained that the Auto-Color backdoor malware — named after its ability to rename itself to “/var/log/cross/auto-color” after execution — was first observed in the wild in November 2024 and has been categorized as a remote access trojan (RAT). Auto-Color primarily targeted universities and government agencies in the United States and AsiaAccording to the researchers, the threat actor gained access to the customer’s network, downloaded several suspicious files and communicated with malicious infrastructure linked to the Auto-Color malware over the course of three days.Darktrace’s investigation also found that Auto-Color employed suppression tactics to cover its tracks and evade detection when it was unable to complete its kill chain.Frankie Sclafani, director of cybersecurity enablement at Deepwatch, said the team’s analysis and findings represented a significant escalation in multi-stage attack sophistication and warranted immediate attention from organizations.“The dangerous convergence of a critical SAP vulnerability with the elusive Auto-Color backdoor malware to target critical infrastructure signals a disturbing new chapter in cyber threats,” said Sclafani. “The security community should proactively monitor for this activity and foster collaborative intelligence sharing to further understand and counter the threat actor's methods.”Jonathan Stross, SAP Security Analyst at Pathlock, added that this case is a strong example of why SAP security must be integrated into broader IT security operations. Stross said traditional SAP Basis teams often lack the experience dealing with remote access trojans, which are more familiar territory for general IT and cybersecurity teams.“Addressing threats like Auto-Color backdoor malware requires cross-departmental collaboration,” said Stross. “SAP teams, IT operations, and security must work together, share expertise, and ensure SAP systems are not treated as siloed assets. Only through this kind of interdepartmental cooperation can organizations detect and respond to emerging threats more quickly and effectively.”
Network Security, Vulnerability Management, Malware
Auto-Color malware paired with SAP NetWeaver bug to launch attack

(Adobe Stock)
An In-Depth Guide to Network Security
Get essential knowledge and practical strategies to fortify your network security.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



