Cybersecurity Alert as Darktrace Uncovers ELF Malware Exploiting SAP Vulnerability


By Tina Reynolds


On April 28, Darktrace, an artificial intelligence cybersecurity juggernaut, announced a historic first. It detected the download of a malicious ELF binary onto an internet-facing machine that is believed to have been running SAP NetWeaver. The discovery highlights a cybersecurity breach that targeted multiple organizations, including universities and government entities across North America and Asia. These attacks took place from late November through early December 2024. They took advantage of a major flaw in SAP software, prompting security experts to mount an emergency response.

Darktrace's self-learning systems pinpointed the threat within minutes. It began with an intense wave of scanning activity at least three days before the attack. The malware, called Auto-Color, is clever in that it hides in plain sight: it does not reveal its malicious behaviour until it first phones home to its command-and-control (C2) server. This tactic reflects the growing sophistication of threat actors who aim to operate undetected for as long as possible while extracting the maximum value from a compromised system.

Details of the Attack

Over the span of three days, the threat actor gained access to the managed customer's network, attempted to download three additional suspicious files, and communicated with various malicious infrastructure associated with the Auto-Color malware.

“Over the course of three days, a threat actor gained access to the customer’s network, attempted to download several suspicious files and communicated with malicious infrastructure linked to Auto-Color malware,” – Darktrace

The ELF binary downloaded onto the exposed machine was the second stage of an attack that had already compromised the internet-facing device. That initial compromise was achieved by exploiting the critical vulnerability tracked as CVE-2025-31324.

“CVE-2025-31324 was leveraged in this instance to launch a second-stage attack, involving the compromise of the internet-facing device and the download of an ELF file representing the Auto-Color malware,” – Darktrace

Response from SAP and Security Experts

In light of the breach, SAP released an out-of-cycle patch for the vulnerability in April. This out-of-band release highlights how critical timely and effective software updates are in protecting against ever-evolving cyber threats. Darktrace noted that the malware displayed a surprisingly sophisticated knowledge of Linux internals. It also showed calculated restraint designed to minimize its exposure and reduce the likelihood of detection.

“From initial intrusion to the failed establishment of C2 communication, the Auto-Color malware showed a clear understanding of Linux internals and demonstrated calculated restraint designed to minimize exposure and reduce the risk of detection,” – Darktrace

This incident is a stark reminder for all organizations to strengthen their cybersecurity efforts, and particularly for those running SAP systems.

Implications for Targeted Organizations

The targeted attacks against universities and government organizations raise concerns about data security and operational integrity. As more institutions expose systems to the internet, the likelihood of similar breaches grows.

Organizations in North America and Asia are now urged to review their network security protocols and ensure that all systems are updated with the latest patches. Darktrace's discovery shows how quickly Auto-Color can become a threat, and it highlights the broader evolution of cyber threats.