
New Linux Backdoor "Auto-Color" Targets Universities and Government Offices

Auto-Color Linux backdoor

Palo Alto Networks' Unit 42 researchers have discovered a sophisticated new Linux malware called "Auto-Color," which primarily targets universities and government offices in North America and Asia, according to a report published in February 2025.

Discovered between November and December 2024, Auto-Color employs multiple evasion techniques that make it particularly difficult to detect and remove. The malware derives its name from the file it renames itself to after installation ("/var/log/cross/auto-color").

According to the report, Auto-Color uses benign-looking file names like "door" or "egg" in its initial stage. Once executed, it installs a malicious library implant called "libcext.so.2" that mimics a legitimate C utility library. This implant hooks into core system functions to hide network connections and prevent uninstallation.

"Once installed, Auto-color allows threat actors full remote access to compromised machines, making it very difficult to remove without specialized software," the report states.

To hide its command-and-control (C2) communications, the malware uses a technique similar to that of the Symbiote malware family, which Intezer documented as "nearly-impossible-to-detect" because it likewise hooks system functions to conceal malicious activity.

It manipulates the "/proc/net/tcp" file to conceal connections to attacker servers. Additionally, it uses proprietary encryption algorithms for its communications and configuration data.
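As an added defender-side illustration (not code from Unit 42's report or from this article), the check below cross-references the /proc/net tables with the socket inodes that processes hold open, so a connection filtered out of /proc/net/tcp by a userland hook can still surface. The /proc/net/tcp dump it parses is a constructed sample, and the live collectors assume a Linux host where the hook does not also filter /proc/<pid>/fd symlink reads.

```python
"""Cross-check /proc/net tables against socket inodes processes hold open. A libc hook can filter
rows out of /proc/net/tcp, but the kernel still exposes each socket as 'socket:[N]' under /proc/<pid>/fd."""
import glob
import os
# Constructed sample (not from a real host): 127.0.0.1:22 listening; 10.0.2.15:41394 -> 203.0.113.5:443 established.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:A1B2 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""
# Inode column per /proc/net table; reading every table keeps UDP/unix/netlink sockets from being false positives.
INODE_COLUMN = {"tcp": 9, "tcp6": 9, "udp": 9, "udp6": 9, "raw": 9, "raw6": 9, "unix": 6, "netlink": 9, "packet": 8}

def decode_addr(hexaddr):
    """'057100CB:01BB' (little-endian IPv4, hex port) -> ('203.0.113.5', 443)."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return ".".join(map(str, octets)), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Map inode -> (local, remote, state) for each IPv4 row of a /proc/net/tcp dump."""
    entries = {}
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10:
            entries[f[9]] = (decode_addr(f[1]), decode_addr(f[2]), int(f[3], 16))
    return entries

def find_hidden_sockets(visible_inodes, fd_socket_inodes):
    """Socket inodes some process holds open but that no visible table lists."""
    return sorted(set(fd_socket_inodes) - set(visible_inodes))

def live_visible_inodes():
    inodes = set()
    for name, col in INODE_COLUMN.items():
        if os.path.exists(f"/proc/net/{name}"):
            with open(f"/proc/net/{name}") as fh:
                rows = [r.split() for r in fh.read().splitlines()[1:]]
            inodes.update(r[col] for r in rows if len(r) > col)
    return inodes

def live_fd_socket_inodes():
    """'socket:[N]' link targets under /proc/<pid>/fd (needs root to see every process)."""
    targets = []
    for link in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            targets.append(os.readlink(link))
        except OSError:  # the process exited or closed the fd mid-scan
            pass
    return {t[len("socket:["):-1] for t in targets if t.startswith("socket:[")}
```

On a suspect host, run as root and hand live_visible_inodes() and live_fd_socket_inodes() to find_hidden_sockets; any inode it returns can be traced back to its owning process through /proc/*/fd. A statically linked copy of the collector sidesteps a hook that also filters symlink reads.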

Auto-Color provides attackers with multiple capabilities, including creating reverse shells, manipulating files, executing programs, acting as a network proxy, and modifying configuration data. The researchers have also identified several C2 servers associated with the malware, operating on port 443.

While the distribution method remains unknown, the report indicates the malware is designed to be explicitly run by victims on their Linux machines. All identified samples have identical file sizes (229,160 bytes) but different hashes due to the individually encrypted C2 configurations embedded in each malware instance.

Palo Alto Networks has provided detailed indicators of compromise to help organizations identify potential infections and has updated its security products to protect customers against this emerging threat.
