Auto-color
Auto-color is a Linux backdoor first reported by Palo Alto Networks Unit 42 in late 2024. It provides full remote access to compromised systems and has been observed targeting universities and other educational institutions, as well as government offices and other government entities, in North America and Asia. The malware appears to require explicit execution of the initial binary on a Linux host, though later reporting also states it has been delivered through exploitation of SAP NetWeaver, including CVE-2025-31324, in attacks such as a reported intrusion against a U.S. company.
Auto-color uses benign-looking filenames and has been observed masquerading as a legitimate PAM library under the filename pamssod. During installation, if executed with root privileges, it copies itself to /var/log/cross/auto-color, installs a malicious shared library named libcext.so.2, and writes that library into /etc/ld.preload for persistence and evasion. The implant is designed to mimic a legitimate library name and hooks libc open-family functions to intercept access to /proc/net/tcp, filtering entries tied to configured ports or remote IPs to hide command-and-control activity. This network-hiding technique has been described as similar to Symbiote. The malware also deletes its original executable and may use alternate benign filenames such as door and egg.
Configuration data is stored in encrypted form either in external files such as /tmp/cross/config-err-XXXXXXXX or /var/log/cross/config-err-XXXXXXXX, or embedded in the binary. The malware uses a proprietary stream-cipher-like decryption routine rather than standard algorithms for this configuration payload. Auto-color communicates with attacker infrastructure using a custom binary protocol over TCP, including observed command-and-control IPs on port 443, and performs an initial handshake requiring the server to echo a random 16-byte value. Each message uses a unique random key.
Documented capabilities include host information collection, a kill switch, reverse shell access, file manipulation, local command or payload execution, network proxying, and global payload reconfiguration. Reported indicators and artifacts include the filenames auto-color, pamssod, and libcext.so.2; persistence via /etc/ld.preload; staging paths under /var/log/cross/ and /tmp/cross/; and previously published malware hashes and command-and-control IP addresses from Palo Alto Networks. Additional reporting noted likely links between later activity and infrastructure previously associated with Auto-Color command-and-control.
Vulnerabilities exploited
4 CVEs correlated with this family across public research and vendor advisories.
CVE-2025-4427 and CVE-2025-4428 (Ivanti Endpoint Manager Mobile): On Thursday, May 15, 2025, Ivanti disclosed two critical vulnerabilities, CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0 and earlier. These vulnerabilities can be chained to achieve unauthenticated remote code execution (RCE) on exposed systems. Evidence: “analysts observed a likely link to Auto-Color, a Linux backdoor first reported by Palo Alto Networks in late 2024… previously associated with Auto-Color command-and-control infrastructure…”
Unit 42 has observed post-exploitation activity following the exploitation of CVE-2025-55182... automated scanning for the remote code execution (RCE) vulnerability... The flaw allows unauthenticated attackers to execute arbitrary code on the server via insecure deserialization of malicious HTTP requests.
Auto-color was observed... August 2025 in exploitation of CVE-2025-31324.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Execution (3 techniques)
Command 0x100, Reverse shell: creates a reverse shell for the remote server to interact with the victim machine directly.
Persistence (2 techniques)
Privilege Escalation (1 technique)
Stealth (6 techniques)
This is also known as “hooking” any executable that tries to call libc functions.
Deploying proprietary encryption algorithms to hide communication and configuration information.
Each time the malware deploys on a different target, it uses a different file name. The file name is usually a simple, ordinary word such as door or egg.
The malware deletes its original executable in both cases. However, with root privileges, it preserves the Auto-color binary at /var/log/cross/auto-color.
When /proc/net/tcp is passed into the malicious library’s open() function, it parses the file contents... the malware will not write the specific entry containing the remote IP address or local port... Finally, the malicious library’s open() function returns a file descriptor for the modified file, concealing the manipulation from the victim.
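The following is an added hunting example, not code from Unit 42, Mallory or the malware itself. It covers the two host-side artifacts described above and in the overview: a preload entry for libcext.so.2 (glibc reads /etc/ld.so.preload; the write-up names /etc/ld.preload, so both are listed) and a /proc/net/tcp view that has had a connection filtered out. Because a preloaded library only affects dynamically linked programs, the "trusted" table is assumed to come from a statically linked reader or a forensic image; all sample rows, the placeholder IP 203.0.113.10 and the install path are constructed.

```python
import socket
import struct

# Artifacts named in public reporting on Auto-color (see the write-up above).
SUSPECT_LIBS = {"libcext.so.2"}
SUSPECT_DIRS = ("/var/log/cross/", "/tmp/cross/")
# glibc reads /etc/ld.so.preload; the write-up names /etc/ld.preload, so audit both.
PRELOAD_PATHS = ("/etc/ld.so.preload", "/etc/ld.preload")
TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}

def decode_endpoint(hexpair):
    """'0A7100CB:01BB' (little-endian hex IPv4, big-endian hex port) -> ('203.0.113.10', 443)."""
    addr, port = hexpair.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)

def parse_proc_net_tcp(text):
    """Parse a /proc/net/tcp table into (local_ip, local_port, remote_ip, remote_port, state) rows."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        lip, lport = decode_endpoint(fields[1])
        rip, rport = decode_endpoint(fields[2])
        rows.append((lip, lport, rip, rport, TCP_STATES.get(fields[3], fields[3])))
    return rows

def find_hidden_connections(trusted_text, hooked_text):
    """Rows in a trusted capture (static binary, forensic image) missing from the in-host read."""
    return sorted(set(parse_proc_net_tcp(trusted_text)) - set(parse_proc_net_tcp(hooked_text)))

def audit_preload(text):
    """Flag preload entries that match the implant's library name or its staging directories."""
    return [e for e in text.split()
            if e.rsplit("/", 1)[-1] in SUSPECT_LIBS or e.startswith(SUSPECT_DIRS)]

# Constructed sample data: the same table as a trusted reader sees it and as a process
# going through the hooked open() sees it; the C2 row (placeholder IP 203.0.113.10:443) is gone.
HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
ROW_SSH = "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0\n"
ROW_C2 = "   1: 0500000A:C3A2 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000     0        0 5678 1 0 100 0 0 10 0\n"
TRUSTED_VIEW = HEADER + ROW_SSH + ROW_C2
HOOKED_VIEW = HEADER + ROW_SSH
PRELOAD_SAMPLE = "/lib/x86_64-linux-gnu/libcext.so.2\n"  # constructed placeholder install path

if __name__ == "__main__":
    print("hidden:", find_hidden_connections(TRUSTED_VIEW, HOOKED_VIEW))
    print("preload hits:", audit_preload(PRELOAD_SAMPLE))
```

On a live host, feed `audit_preload` the contents of each path in PRELOAD_PATHS and compare a statically linked read of /proc/net/tcp against one taken by an ordinary dynamically linked process.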
Defense Impairment (2 techniques)
Credential Access (1 technique)
Discovery (1 technique)
Command and Control (4 techniques)
Upon connecting to the threat actor’s machine, the malware initiates a simple handshake with the remote server... Each message from the infected machine or the remote server follows a specific protocol structure unique to this malware family.
“forming a reliable command-and-control (C2) mechanism using server-side Java injection” and repeated use of HTTP GET/curl/wget to retrieve payloads
IOCs tracked for this family
14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
11 sources tracked across advisories, community write-ups, and news.
Backdoor delivered after exploitation of SAP NetWeaver flaw; used in breach of a U.S. chemicals company (per summary).
Previously undocumented Linux malware providing full remote access; targeted universities and government organizations in North America and Asia (Nov-Dec 2024).
Linux backdoor that masquerades as a PAM library (filename pamssod). Observed across multiple environments (universities/government; a US chemicals company) and in exploitation activity including CVE-2025-31324.
Linux backdoor that masquerades as a legitimate PAM library (pamssod) to blend into authentication-related components; observed across multiple environments and timeframes.