Threat actors recently tried to exploit a freshly patched max-severity SAP Netweaver flaw to deploy a persistent Linux remote access trojan (RAT) “Auto-Color.”
According to a Darktrace report, a recent attack abused the flaw to set up a stealthy advanced-stage compromise but was shortly contained by its “autonomous response.”
“In April 2025, Darktrace identified an Auto-Color backdoor malware attack taking place on the network of a US-based chemicals company,” Darktrace said in a blog post shared with CSO ahead of its publication on Tuesday. “After Darktrace successfully blocked the malicious activity and contained the attack, the Darktrace Threat Research team conducted a deeper investigation into the malware, (revealing) that the threat actor had exploited CVE-2025-31324 to deploy Auto-Color as part of a multi-stage attack.”
Darktrace confirmed it as the first observed pairing of SAP NetWeaver exploitation with Auto-Color malware. Previously, the flaw was reported to have been likely exploited in zero-day attacks to install JSP web shells on SAP servers.
Frankie Sclafani, director of cybersecurity enablement at Deepwatch, said the finding warrants immediate attention from organizations. “The dangerous convergence of a critical SAP vulnerability with the elusive Auto-Color backdoor malware to target critical infrastructure signals a disturbing new chapter in cyber threats,” he added. “The security community should proactively monitor for this activity and foster collaborative intelligence sharing to further understand and counter the threat actor’s methods.”
