Find notable cyber news and cases, enriched with sources, timelines, and signals.
Campaign

Storm-2460 PipeMagic exploitation of Windows CLFS

Updated 19.08.2025 20:16
Case score 55
Case score 55 Members 1 Latest activity 19.08.2025 20:16
Patch available
Members 1 First seen 19.08.2025 20:16 Last seen 19.08.2025 20:16 Updated 19.08.2025 20:16

Overview

**Storm-2460** is actively exploiting **CVE-2025-29824** in **Windows CLFS** and using a modified **ChatGPT Desktop Application** project to deliver **PipeMagic** before ransomware deployment. The activity has been seen against organizations in the **IT**, **financial**, and **real estate** sectors across the **US**, **Europe**, **South America**, and the **Middle East**. Microsoft patched **CVE-2025-29824** in April 2025, but unpatched systems remain exposed. Available evidence does not give a reliable victim count, so the full reach is still unknown.

Signals

7 derived
CVEs/products
CVE
Victims/regions
Victim region United States
Remediation
Remediation Patch available
Status
Campaign status Active
Threat context
Actor Play Actor Storm-2460 Ransomware

Malware context

2 families

Member happenings

1 related
Campaign Play ransomware / Storm-2460 CVE-2025-29824 PipeMagic campaign
Updated 19.08.2025 20:16 Lead Contribution 55
Objective Financial Extortion Campaign Active Patch Patch Available

The **Play ransomware** group (**Storm-2460**) is actively exploiting **CVE-2025-29824** with the **PipeMagic** backdoor to raise privileges and deliver ransomware, increasing risk for unpatched **Windows CLFS** systems. The operation has reached organizations across **multiple sectors and geographies**, including the **IT**, **financial**, and **real estate** sectors in the **US**, **Europe**, **South America**, and the **Middle East**. Initial access uses a modified **ChatGPT Desktop Application** project as an in-memory dropper. The backdoor supports persistence and later-stage movement inside targeted networks.