Auto-Color Backdoor: How Darktrace Thwarted a Stealthy Linux Intrusion
In April 2025, Darktrace identified and contained an Auto-Color backdoor attack on a US chemicals company. The attacker exploited CVE-2025-31324 in SAP NetWeaver to deploy Auto-Color, a Linux-targeting Remote Access Trojan. The intrusion involved downloading seven suspicious files and deploying the Auto-Color malware, which uses evasion tactics such as renaming itself to “/var/log/cross/auto-color” and suppressing its malicious behaviour when command-and-control (C2) connections fail. Auto-Color achieves persistence through ld.so.preload manipulation and shared object injection, but Darktrace’s AI-driven detection and Autonomous Response blocked the malicious connections and prevented the malware from completing its kill chain. This is the first observed pairing of SAP NetWeaver exploitation with Auto-Color malware.
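The persistence mechanism named above (ld.so.preload manipulation) and the renamed binary path are both things a defender can check for directly on a Linux host. The following is an added example, not Darktrace's code and not taken from the write-up; it assumes the standard glibc location /etc/ld.so.preload, uses the /var/log/cross/auto-color path quoted above as an indicator, and works on a constructed sample of preload file content so it can be run offline.

```python
"""Defender's check for ld.so.preload persistence and the Auto-Color indicator path.

Added example (not Darktrace's code). Assumptions: glibc reads preload
entries from /etc/ld.so.preload as a whitespace-separated list of shared
objects, with '#' starting a comment; the indicator path comes from the
write-up above. SAMPLE_PRELOAD is constructed for illustration.
"""
import os

PRELOAD_FILE = "/etc/ld.so.preload"
# Renamed Auto-Color binary path as reported in the write-up above.
AUTO_COLOR_PATH = "/var/log/cross/auto-color"

# Directories where legitimately preloaded shared objects are expected.
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
# Locations that should never host a preloaded library (log, temp, shm dirs).
NEVER_PREFIXES = ("/var/log/", "/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample content; the second entry mimics a library dropped
# beside the renamed binary. The file name is made up for this example.
SAMPLE_PRELOAD = """\
# system preload entries
/usr/lib/x86_64-linux-gnu/libexample-ok.so
/var/log/cross/libexample-bad.so
"""


def parse_preload(text: str) -> list:
    """Return the shared-object paths listed in ld.so.preload content."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line:
            entries.extend(line.split())      # ld.so accepts several paths per line
    return entries


def is_suspicious(path: str) -> bool:
    """Flag relative paths, paths under log/temp dirs, and anything outside
    the trusted library directories."""
    if not path.startswith("/"):
        return True
    if path.startswith(NEVER_PREFIXES):
        return True
    return not path.startswith(TRUSTED_PREFIXES)


def flag_entries(entries: list) -> list:
    """Subset of preload entries that warrant investigation."""
    return [e for e in entries if is_suspicious(e)]


def scan_host() -> dict:
    """Read the live preload file and check for the indicator path.

    Never raises: a missing or unreadable file yields an empty entry list,
    which is the normal state on a clean host.
    """
    try:
        with open(PRELOAD_FILE, encoding="utf-8", errors="replace") as fh:
            entries = parse_preload(fh.read())
    except (FileNotFoundError, PermissionError):
        entries = []
    return {
        "preload_entries": entries,
        "suspicious_entries": flag_entries(entries),
        "auto_color_path_present": os.path.exists(AUTO_COLOR_PATH),
    }


if __name__ == "__main__":
    # Demonstrate on the constructed sample, then on the live host.
    print("sample suspicious:", flag_entries(parse_preload(SAMPLE_PRELOAD)))
    print("host findings:", scan_host())
```

Run it as root (the preload file is world-readable, but the indicator path may not be) and treat any non-empty `suspicious_entries` or `auto_color_path_present: True` as a finding to investigate rather than a verdict: the check is deliberately strict, so a legitimately preloaded library under an unusual prefix will also be flagged.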