US-based chemicals company

The attack involved the exploitation of a critical SAP NetWeaver vulnerability (CVE-2025-31324) to deploy the Auto-Color backdoor malware. This allowed attackers to upload malicious files, potentially leading to remote code execution and full system compromise. The malware, Auto-Color, is highly evasive and targets Linux systems, particularly in universities and government institutions. The attack timeline included initial scanning, exploitation, suspicious DNS requests, and the download of malicious files. Darktrace's AI-driven Autonomous Response capability intervened, preventing further damage and allowing the security team to investigate and remediate the issue.

Source: https://hackread.com/sap-netweaver-vulnerability-auto-color-malware-us-firm/

TPRM report: https://scoringcyber.rankiteo.com/company/darktrace

{
  "id": "dar238072925",
  "linkid": "darktrace",
  "type": "Cyber Attack",
  "date": "7/2025",
  "severity": "100",
  "impact": "",
  "explanation": "Attack threatening the organization’s existence"
}
{
  "affected_entities": [
    {
      "industry": "Chemicals",
      "location": "US",
      "name": "US-based chemicals company",
      "type": "Private"
    }
  ],
  "attack_vector": "Remote Code Execution",
  "date_detected": "2025-04-27",
  "date_publicly_disclosed": "2025-04-24",
  "description": "Darktrace identified threat actors exploiting a critical SAP NetWeaver vulnerability (CVE-2025-31324) to deploy the evasive Auto-Color backdoor malware.",
  "impact": {
    "systems_affected": "SAP NetWeaver application server"
  },
  "initial_access_broker": {
    "backdoors_established": "Auto-Color Backdoor",
    "entry_point": "SAP NetWeaver vulnerability",
    "high_value_targets": "US-based chemicals company",
    "reconnaissance_period": "April 25, 2025"
  },
  "investigation_status": "Investigation by Darktrace's MDR service",
  "lessons_learned": "Immediate patching and isolation of vulnerable systems can prevent exploitation.",
  "motivation": "To upload malicious files and execute remote code",
  "post_incident_analysis": {
    "corrective_actions": "Patching and isolation of vulnerable systems",
    "root_causes": "Exploitation of CVE-2025-31324"
  },
  "recommendations": "Patch SAP NetWeaver systems against CVE-2025-31324, isolate them, block the /developmentserver/metadatauploader endpoint, and deploy a zero-trust architecture.",
  "references": [
    {"source": "Darktrace"},
    {"source": "Hackread.com"}
  ],
  "response": {
    "containment_measures": "AI-driven Autonomous Response capability",
    "incident_response_plan_activated": true,
    "remediation_measures": "Extended Autonomous Response actions for 24 hours",
    "third_party_assistance": "Darktrace SOC"
  },
  "title": "Exploitation of SAP NetWeaver Vulnerability CVE-2025-31324 for Auto-Color Backdoor Malware Deployment",
  "type": "Malware",
  "vulnerability_exploited": "CVE-2025-31324"
}