Particle.news


Darktrace Details First Auto-Color RAT Deployment via SAP NetWeaver Flaw

Darktrace's advisory documents the backdoor's persistence and evasion techniques and the risk they pose to unpatched SAP NetWeaver systems.

SAP NetWeaver Vulnerability Used in Auto-Color Malware Attack on US Firm

Overview

  • Darktrace has confirmed the first documented instance of threat actors exploiting CVE-2025-31324 to deploy the Auto-Color Linux backdoor.
  • A multi-stage intrusion against a US chemicals company in April 2025 delivered a malicious ZIP file, established DNS tunnelling for covert communication and downloaded an ELF payload, all within 48 hours.
  • Auto-Color uses /etc/ld.so.preload for stealthy persistence, so its shared library is loaded into every dynamically linked process, and suppresses its malicious behaviour whenever its command-and-control server is unreachable.
  • Security firms ReliaQuest, Onapsis and watchTowr observed active exploit attempts within days of SAP patching the unauthenticated NetWeaver flaw on April 24.
  • Organisations are urged to install the April patch, isolate or restrict network exposure of NetWeaver instances and adopt zero-trust architectures to mitigate the ongoing threat.
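A host-side triage check for the persistence mechanism named in the third bullet, added here as an illustration; it is not code from the Darktrace advisory and makes no claim about Auto-Color's internals beyond its use of /etc/ld.so.preload. The only assumption is the documented format of that file (whitespace- or newline-separated shared-object paths, with # starting a comment). The file path is a parameter so the function can be run against a constructed sample as well as a live host.

```shell
#!/bin/sh
# Added example (not from the advisory): list every shared object that
# /etc/ld.so.preload would inject into dynamically linked processes and
# flag the ones that warrant investigation. Returns 1 when any entry is
# present, 0 when the file is absent or empty.

check_preload() {
    f="${1:-/etc/ld.so.preload}"

    if [ ! -e "$f" ]; then
        echo "OK: $f does not exist (no persistence via ld.so.preload)"
        return 0
    fi

    count=0
    # Entries may be whitespace- or newline-separated; '#' starts a comment.
    # The '|| [ -n "$line" ]' keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"
        for lib in $line; do
            count=$((count + 1))
            if [ -e "$lib" ]; then
                state="present on disk"
            else
                state="MISSING on disk"
            fi
            # Libraries staged in world-writable temp directories are a
            # classic sign of a dropped, rather than packaged, object.
            case "$lib" in
                /tmp/*|/var/tmp/*|/dev/shm/*) state="$state, in a temp directory" ;;
            esac
            echo "ENTRY $lib ($state)"
        done
    done < "$f"

    if [ "$count" -eq 0 ]; then
        echo "OK: $f exists but lists no libraries"
        return 0
    fi

    echo "WARNING: $count preloaded object(s) listed in $f; verify each against package ownership and known hashes"
    return 1
}

# Stand-alone use: PRELOAD_FILE=/etc/ld.so.preload sh check_preload.sh
if [ -n "${PRELOAD_FILE:-}" ]; then
    check_preload "$PRELOAD_FILE"
fi
```

One caveat applies to any userland check of this file: a library that is already preloaded into every process, including the shell running the check, can hook libc calls such as open() and read() to hide its own entry. Corroborate the result from an offline mount of the disk, from a statically linked binary, or from a live-response tool that reads the block device directly, rather than trusting a single read from the possibly compromised host.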