New Linux Malware “Auto-Color” Grants Full Remote Access


A newly discovered Linux malware, named Auto-Color, is actively targeting universities and government organizations across North America and Asia. First identified by Palo Alto Networks’ Unit 42, Auto-Color provides attackers with persistent remote access, making it difficult to detect and remove.

Key characteristics of Auto-Color

  • When executed with root privileges, Auto-Color installs a malicious library, renames itself as /var/log/cross/auto-color, and modifies /etc/ld.preload to ensure persistence. Without root access, it still runs but with limited functionality.
  • The malware disguises itself with misleading filenames such as “door” or “egg,” encrypts its command-and-control (C2) communications, and manipulates system processes to hide its presence by modifying /proc/net/tcp.
  • Once active, Auto-Color connects to a remote C2 server, allowing attackers to execute commands, modify system files, open reverse shells, and use the infected system as a proxy for further attacks. A built-in kill switch lets it erase traces of its presence.

The exact method of infection remains unclear, but execution requires user interaction on the targeted Linux system.
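The two behaviours above (a library added to the loader's preload file, and a filtered /proc/net/tcp) suggest a cross-view check a defender can run. This is an added example, not code from Unit 42 or from the report; it assumes a hooked libc filters what dynamically linked tools read from /proc/net/*, while /proc/<pid>/fd still exposes every socket inode, and it uses the preload file name given above alongside the standard /etc/ld.so.preload.

```python
"""Cross-view hunt for a preload-based implant like the one described above.
Assumed technique, not from the report: a hooked libc can make /proc/net/tcp lie
to dynamically linked tools, but /proc/<pid>/fd still names every socket inode, so
an inode a process holds that no /proc/net table lists deserves a closer look."""
import glob, os, re
from pathlib import Path

# 0-based column holding the socket inode in each /proc/net table after split().
NET_TABLES = {"tcp": 9, "tcp6": 9, "udp": 9, "udp6": 9, "raw": 9, "raw6": 9,
              "unix": 6, "netlink": 9, "packet": 8}
PRELOAD_FILES = ("/etc/ld.so.preload", "/etc/ld.preload")  # loader file, and the name used above

def table_inodes(text, col):
    """Inode numbers in one /proc/net table body (first line is the header)."""
    inodes = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) > col and fields[col].isdigit():
            inodes.add(int(fields[col]))
    return inodes

def hidden_socket_inodes(fd_inodes, tables):
    """fd_inodes: {inode: [pid, ...]}; tables: {name: text}. Returns the inodes no
    table admits to. False positives: socket families missing from NET_TABLES,
    other network namespaces, and sockets closed between the two reads."""
    visible = set()
    for name, text in tables.items():
        visible |= table_inodes(text, NET_TABLES.get(name, 9))
    return {ino: pids for ino, pids in fd_inodes.items() if ino not in visible}

def preload_entries(text):
    """Non-comment entries of an ld.so.preload-style file; it is normally empty."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def live_fd_inodes():
    """Map socket inodes to owning pids by reading /proc/*/fd symlinks (Linux only)."""
    found = {}
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(fd))
        except OSError:
            continue                                    # process or fd went away
        if m:
            found.setdefault(int(m.group(1)), []).append(int(fd.split("/")[2]))
    return found

if __name__ == "__main__":
    tables = {n: Path(f"/proc/net/{n}").read_text() for n in NET_TABLES if Path(f"/proc/net/{n}").exists()}
    for ino, pids in hidden_socket_inodes(live_fd_inodes(), tables).items():
        print(f"socket inode {ino} held by pids {pids} is missing from /proc/net/*")
    for p in PRELOAD_FILES:
        if Path(p).exists():
            print(p, "preloads:", preload_entries(Path(p).read_text()))
```

Run it as root so every process's fd table is readable; on a host running containers, compare each process against its own /proc/<pid>/net/tcp instead of the host view to avoid namespace false positives.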

Expert Analysis

Auto-Color is a clear sign that Linux threats are becoming more sophisticated and targeted. Unlike generic botnets or automated ransomware, this malware is designed for stealth, persistence, and long-term control. Its ability to modify system processes and evade traditional security tools makes it a serious challenge for defenders.

The sectors targeted—academia and government institutions—suggest that Auto-Color is not just another criminal tool for mass exploitation. Instead, it appears to be part of a more advanced cyber-espionage campaign, where attackers prioritize control over destruction.
