Campaign
Storm-2460 PipeMagic exploitation of Windows CLFS
Updated 19.08.2025 20:16
Case score 55
Score breakdown
- Total: 55
- Lead score: 55
- Support bonus: +0 / 20
- Scoring support: 0
- Context members: 0
Top contributors
- Campaign Lead
Members 1
Latest activity 19.08.2025 20:16
First seen 19.08.2025 20:16
Last seen 19.08.2025 20:16
Overview
**Storm-2460** is actively exploiting **CVE-2025-29824** in **Windows CLFS** and using a modified **ChatGPT Desktop Application** project to deliver **PipeMagic** before ransomware deployment. The activity has been seen against organizations in the **IT**, **financial**, and **real estate** sectors across the **US**, **Europe**, **South America**, and the **Middle East**.
Microsoft patched **CVE-2025-29824** in April 2025, but unpatched systems remain exposed. Available evidence does not give a reliable victim count, so the full reach is still unknown.
The **Play ransomware** group tracked as **Storm-2460** is actively exploiting **CVE-2025-29824**, a flaw in the **Windows Common Log File System (CLFS)** driver, on unpatched Windows systems to gain elevated privileges and deploy ransomware.
The intrusion chain starts with a modified **ChatGPT Desktop Application** project that acts as an in-memory dropper, decrypts **PipeMagic**, and launches the backdoor.
Once **PipeMagic** is active, the operators use the CLFS flaw to escalate access before pushing the ransomware payload.
Observed activity spans organizations in the **IT**, **financial**, and **real estate** sectors across the **US**, **Europe**, **South America**, and the **Middle East**.
The newer **PipeMagic** build adds persistence and lateral-movement capability, which helps the operators stay inside victim networks and expand the intrusion.
Microsoft patched **CVE-2025-29824** in April 2025, but available evidence does not give a reliable victim count, so the full reach of the campaign remains unknown.