Auto-Color Backdoor: How a Stealthy Linux Intrusion Was Thwarted

July 31, 2025, 10:08 a.m.

Description

In April 2025, an Auto-Color backdoor malware attack was detected on a US-based chemicals company's network. The threat actor exploited CVE-2025-31324 in SAP NetWeaver to gain initial access, attempted to download suspicious files, and communicated with malicious infrastructure. The attack involved multi-stage tactics and was the first observed case of SAP NetWeaver exploitation paired with Auto-Color malware. When unable to complete its kill chain, Auto-Color suppressed its activity to evade detection. The malware assessed its privilege level, installed a malicious shared object, manipulated preload configuration to persist, and attempted C2 communication. AI-driven detection and response identified and contained the threat, preventing further escalation.

Date

  • Created: July 31, 2025, 10:04 a.m.
  • Published: July 31, 2025, 10:04 a.m.
  • Modified: July 31, 2025, 10:08 a.m.