PipeMagic modular backdoor and loader activity
Malware Activity
Summary
The PipeMagic malware remains active in RansomExx-linked intrusions, with 2025 variants used to gain remote access, run commands, and support persistence and lateral movement on victim systems. Researchers also observed fake OpenAI ChatGPT bait, DLL hijacking, and a Microsoft Help Index loader path used to stage the malware. The activity matters because the backdoor communicates with C2 in a modular, stealthy way and gives operators granular control over compromised hosts.
Related Happenings
Storm-1175 high-velocity exploit campaign
Campaign
First: 06.04.2026 19:56
Last: 06.04.2026 19:56
Sources 1
About this happening:
**Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...
Microsoft silently patches in Windows LNK files remote code execution flaw (CVE-2025-9491)
Vulnerability
First: 12.02.2026 23:01
Last: 12.02.2026 23:01
Sources 1
About this happening:
**Windows LNK shortcut files** remain the focus of this vulnerability thread: **CVE-2025-9491** / **ZDI-CAN-25373** is being used in **September-October 2025** spear-phishing atta...
Google study on AI misuse in APT and malware workflows
Technical Analysis
First: 12.02.2026 14:45
Last: 12.02.2026 14:45
Sources 1
About this happening:
**Google Threat Intelligence Group** reported an **unknown threat actor** using **PROMPTFLUX**, an experimental **VB Script** malware, to query the **Gemini API** for **just-in-ti...
SystemBC long-running global proxy malware operation
Malware Activity
First: 04.02.2026 18:15
Last: 04.02.2026 18:15
Sources 1
About this happening:
**SystemBC** is a long-running **proxy malware** operation that turns compromised hosts into **SOCKS5 relays** and is repeatedly used to support **ransomware activity**. New repor...
WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)
Vulnerability
First: 27.01.2026 21:38
Last: 27.01.2026 21:38
Sources 1
About this happening:
The **CVE-2025-8088** **WinRAR** path traversal flaw is being **actively exploited**, enabling arbitrary file writes and malicious payload placement for persistence. Attackers abu...
Timeline
18.08.2025 19:03 · 1 article · 9mo ago
PipeMagic modular backdoor and loader activity
Initial Disclosure
PipeMagic first appeared in **2022** in **RansomExx** attacks against industrial companies in **Southeast Asia**, where it acted as a full-fledged backdoor for remote access and command execution. Later infection chains in **October 2024** used a fake **OpenAI ChatGPT** app as delivery bait, showing the malware was already being reused and adapted.
- Microsoft Windows Vulnerability Exploited to Deploy PipeMagic RansomExx Malware — thehackernews.com — 18.08.2025 19:03