
Daily Security Review

Auto-Color Linux Malware Exploits SAP Zero-Day CVE-2025-31324

31 Jul 2025

Description

In this episode, we look at Auto-Color, a stealthy and highly persistent Linux Remote Access Trojan (RAT) that is rapidly emerging as one of the most dangerous threats of 2025. First identified by Palo Alto Networks' Unit 42 and later analyzed by Darktrace, Auto-Color has now been linked to active exploitation of CVE-2025-31324, a critical SAP NetWeaver vulnerability rated CVSS 10.0.

This is not an average Linux RAT. It employs shared object injection, a malicious rootkit module, and privilege-aware execution, adapting its tactics depending on whether it runs as root. If its command-and-control (C2) server is unreachable, it suppresses activity, appearing benign to analysts and evading detection in sandboxes and air-gapped environments. By adding its implant, libcext.so.2, to the dynamic loader's preload file, /etc/ld.so.preload (written as /etc/ld.preload in several write-ups of this malware), Auto-Color is loaded into every dynamically linked process that starts on the host, which gives it deep, system-wide persistence.

Exploitation of CVE-2025-31324 has been fast and widespread. Although the vulnerability was disclosed in April 2025, it was already being exploited weeks earlier. Threat intelligence indicates involvement by both ransomware groups and Chinese state-sponsored APTs, with incidents ranging from university breaches to an attack on a U.S.-based chemicals company. Analysts warn that the time-to-exploit (TTE) window is collapsing: what used to take weeks now takes hours after disclosure.

We'll explore:
- How Auto-Color's rootkit-level persistence gives attackers full remote control of Linux systems.
- The blurring line between nation-state operations and ransomware crews, who now share techniques and infrastructure.
- Why SAP NetWeaver environments are particularly high-risk targets, and how widespread exploitation of CVE-2025-31324 really is.
- The multi-stage intrusion playbook: from phishing and DNS tunneling to webshell deployment and RAT installation.
- Practical mitigations, including immediate patching, anomaly-based detection, and close monitoring of /etc/ld.so.preload.

With Auto-Color, the message is clear: patching delays can be catastrophic. As ransomware groups adopt APT-style zero-day exploitation, the security community must rethink defense speed, visibility, and collaboration.

#AutoColor #LinuxMalware #SAPNetWeaver #CVE202531324 #Darktrace #Unit42 #Cybersecurity #Rootkit #APT #Ransomware #LinuxSecurity #ZeroDayExploits #SAPSecurity #IncidentResponse #ThreatIntelligence
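The preload-file monitoring recommended above can be scripted. The following is an added example written for this page, not code from the episode, Unit 42 or Darktrace. It parses /etc/ld.so.preload the way glibc's loader does (comments from '#' to end of line, entries separated by whitespace or ':'), flags the libcext.so.2 implant name reported for Auto-Color, and flags entries that live outside the standard library directories, point at missing files, or are not owned by any installed package. The ALLOWLIST contents and the SAMPLE file text are constructed for illustration and should be replaced with your own baseline.

```python
"""Audit /etc/ld.so.preload for suspicious preload entries (added example).

glibc reads this file at every process start, discards '#' comments and
splits the rest on whitespace or ':', so parse_preload() does the same.
The implant name libcext.so.2 is the IOC from the Auto-Color reporting;
ALLOWLIST and SAMPLE below are constructed values, not real host data.
"""
import os
import shutil
import subprocess
from typing import Callable, Dict, List

PRELOAD_FILE = "/etc/ld.so.preload"
KNOWN_BAD_BASENAMES = {"libcext.so.2"}  # Auto-Color implant file name
SYSTEM_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
# Hypothetical allowlist: libraries your fleet preloads on purpose.
ALLOWLIST = {"/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-sysv.so"}


def parse_preload(text: str) -> List[str]:
    """Return the library paths the loader would see in ld.so.preload content."""
    entries: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # a comment runs to end of line
        entries.extend(line.replace(":", " ").split())
    return entries


def owned_by_package(path: str) -> bool:
    """True if dpkg or rpm claims the file; False if unknown or no package manager."""
    if shutil.which("dpkg"):
        cmd = ["dpkg", "-S", path]
    elif shutil.which("rpm"):
        cmd = ["rpm", "-qf", path]
    else:
        return False
    try:
        return subprocess.run(cmd, capture_output=True, check=False).returncode == 0
    except OSError:
        return False


def classify(path: str, exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the reasons an entry looks suspicious; an empty list means clean."""
    reasons: List[str] = []
    if path in ALLOWLIST:
        return reasons
    if os.path.basename(path) in KNOWN_BAD_BASENAMES:
        reasons.append("known Auto-Color implant name")
    if not path.startswith("/"):
        reasons.append("relative path (resolved against the loader search path)")
    elif not path.startswith(SYSTEM_LIB_DIRS):
        reasons.append("outside standard library directories")
    if not exists(path):
        reasons.append("file missing (dangling preload entry)")
    return reasons


def audit_text(text: str, exists: Callable[[str], bool] = os.path.exists) -> Dict[str, List[str]]:
    """Audit preload-file content; maps each entry to its reasons (clean -> [])."""
    return {p: classify(p, exists) for p in parse_preload(text)}


def audit_host(path: str = PRELOAD_FILE) -> Dict[str, List[str]]:
    """Audit the live host. A missing or empty preload file is the normal, clean state."""
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = audit_text(fh.read())
    for entry, reasons in findings.items():
        if not reasons and not owned_by_package(entry):
            reasons.append("not owned by any installed package")
    return findings


# Constructed sample: one allowlisted entry, an implant dropped under /lib,
# and an unknown hook library outside the system library directories.
SAMPLE = """# preload libs
/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-sysv.so
/lib/libcext.so.2  /opt/x/libhook.so
"""

if __name__ == "__main__":
    for entry, reasons in audit_host().items():
        print(f"{entry}: {'OK' if not reasons else '; '.join(reasons)}")
```

Run it from cron or an EDR script and alert on any entry with a non-empty reason list; on most servers the correct state is that the file does not exist at all. One caveat the episode's own description implies: a userland rootkit that is already preloaded into every process can lie to this audit too, so for a host you distrust run the check from a statically linked tool or against the disk image mounted offline.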
