Cybersecurity researchers have lifted the lid on the threat actors’ exploitation of a now-patched security flaw in Microsoft Windows to deploy the PipeMagic malware in RansomExx ransomware attacks.
The attacks involve the exploitation of CVE-2025-29824, a privilege escalation vulnerability impacting the Windows Common Log File System (CLFS) that was addressed by Microsoft in April 2025, Kaspersky and BI.ZONE said in a joint report published today.
PipeMagic was first documented in 2022 as part of RansomExx ransomware attacks targeting industrial companies in Southeast Asia, capable of acting as a full-fledged backdoor providing remote access and executing a wide range of commands on compromised hosts.
In those attacks, the threat actors have been found to exploit CVE-2017-0144, a remote code execution flaw in Windows SMB, to infiltrate victim infrastructure. Subsequent infection chains observed in October 2024 in Saudi Arabia were spotted leveraging a fake OpenAI ChatGPT app as bait to deliver the malware.
Earlier this April, Microsoft attributed the exploitation of CVE-2025-29824 and the deployment of PipeMagic to a threat actor it tracks as Storm-2460.
“One unique feature of PipeMagic is that it generates a random 16-byte array used to create a named pipe formatted as: \\.\pipe\1.<hex string>,” researchers Sergey Lozhkin, Leonid Bezvershenko, Kirill Korchemny, and Ilya Savelyev said. “After that, a thread is launched that continuously creates this pipe, attempts to read data from it, and then destroys it. This communication method is necessary for the backdoor to transmit encrypted payloads and notifications.”
PipeMagic is a plugin-based modular malware that uses a domain hosted on the Microsoft Azure cloud provider to stage the additional components, with 2025 attacks aimed at Saudi Arabia and Brazil relying on a Microsoft Help Index file (“metafile.mshi”) as a loader. The loader, in turn, unpacks C# code that decrypts and executes embedded shellcode.
“The injected shellcode is executable code for 32-bit Windows systems,” the researchers said. “It loads an unencrypted executable embedded inside the shellcode itself.”
Kaspersky said it also uncovered PipeMagic loader artifacts masquerading as a ChatGPT client in 2025 that are similar to those previously seen in October 2024. The samples have been observed leveraging DLL hijacking techniques to run a malicious DLL that mimics a Google Chrome update file (“googleupdate.dll”).
Irrespective of the loading method used, it all leads to the deployment of the PipeMagic backdoor that supports various modules –
- Asynchronous communication module that supports five commands to terminate the plugin, read/write files, terminate a file operation, or terminate all file operations
- Loader module to inject additional payloads into memory and execute them
- Injector module to launch a C# executable
“The repeated detection of PipeMagic in…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
