Campaign
Storm-2460 PipeMagic exploitation of Windows CLFS
Updated 19.08.2025 20:16
Case score 55
Why this score?
Case score is a discovery signal based on public evidence, not a guaranteed risk rating. Use it to decide what to review first, then verify important details from the linked sources.
- Total
- 55
- Main story score
- 55
- Related evidence lift
- +0 / 20
- Contributing updates
- 0
- Context updates
- 0
Top contributors
- Campaign Lead campaign defines the activity chain, affected surface, and current response state. main
Case score 55
Members 1
Latest activity 19.08.2025 20:16
Patch available
Members 1
First seen 19.08.2025 20:16
Last seen 19.08.2025 20:16
Updated 19.08.2025 20:16
Overview
**Storm-2460** is actively exploiting **CVE-2025-29824** in **Windows CLFS** and using a modified **ChatGPT Desktop Application** project to deliver **PipeMagic** before ransomware deployment. The activity has been seen against organizations in the **IT**, **financial**, and **real estate** sectors across the **US**, **Europe**, **South America**, and the **Middle East**.
Microsoft patched **CVE-2025-29824** in April 2025, but unpatched systems remain exposed. Available evidence does not give a reliable victim count, so the full reach is still unknown.
The **Play ransomware** group tracked as **Storm-2460** is actively exploiting **CVE-2025-29824** on unpatched **Windows Common Log File System (CLFS)** systems to gain elevated privileges and deploy ransomware.
The intrusion chain starts with a modified **ChatGPT Desktop Application** project that acts as an in-memory dropper, decrypts **PipeMagic**, and launches the backdoor.
Once **PipeMagic** is active, the operators use the CLFS flaw to escalate access before pushing the ransomware payload.
Observed activity spans organizations in the **IT**, **financial**, and **real estate** sectors across the **US**, **Europe**, **South America**, and the **Middle East**.
The newer **PipeMagic** build adds persistence and lateral-movement capability, which helps the operators stay inside victim networks and expand the intrusion.
Microsoft patched **CVE-2025-29824** in April 2025, but available evidence does not give a reliable victim count, so the full reach of the campaign remains unknown.
Signals
7 derivedCVEs/products
CVE
Victims/regions
Victim region
United States
Remediation
Remediation
Patch available
Status
Campaign status
Active
Threat context
Actor
Play
Actor
Storm-2460
Ransomware
Malware context
2 familiesMember happenings
1 related
Campaign
Play ransomware / Storm-2460 CVE-2025-29824 PipeMagic campaign
Objective
Financial Extortion
Campaign
Active
Patch
Patch Available
Campaign
Play ransomware / Storm-2460 CVE-2025-29824 PipeMagic campaign
Objective
Financial Extortion
Campaign
Active
Patch
Patch Available