PipeMagic RansomExx Malware Exploits Windows Vulnerability
Summary
A security flaw in Microsoft Windows, CVE-2025-29824, has been exploited by threat actors to deploy the PipeMagic malware as part of Play ransomware attacks. The vulnerability, a privilege escalation flaw in the Windows Common Log File System (CLFS), was patched in April 2025. PipeMagic, first documented in 2022, acts as a backdoor providing remote access and executing commands on compromised hosts. The malware has been observed in attacks targeting industrial companies in Southeast Asia, Saudi Arabia, and Brazil. The attackers use various techniques, including fake OpenAI ChatGPT apps and DLL hijacking, to deliver the malware. PipeMagic is a modular malware that uses a domain hosted on Microsoft Azure to stage additional components. The threat actor behind these attacks, tracked as Storm-2460, has been active across multiple sectors and geographies, including IT, financial, and real estate in the U.S., Europe, South America, and the Middle East. The PipeMagic backdoor has been updated to improve persistence and lateral movement within targeted networks. It uses a modified version of the GitHub ChatGPT Desktop Application project to disguise its malicious code and communicates with its C2 server over TCP. The backdoor has been observed targeting the Brazilian manufacturing sector, and CVE-2025-29824 was the only one among the 121 vulnerabilities patched by Microsoft in April 2025 that was actively exploited in the wild.
Timeline
- 19.08.2025 20:16 (1 article)
  PipeMagic Backdoor Resurfaces in Play Ransomware Attacks
  In August 2025, the PipeMagic backdoor resurfaced as part of the Play ransomware attack chain. The backdoor has been updated to improve persistence and lateral movement within targeted networks. It uses a modified version of the GitHub ChatGPT Desktop Application project to disguise its malicious code and communicates with its C2 server over TCP. The backdoor has been observed targeting the Brazilian manufacturing sector, and CVE-2025-29824 was the only one among the 121 vulnerabilities patched by Microsoft in April 2025 that was actively exploited in the wild. The backdoor is used to escalate privileges before launching the ransomware against a compromised organization. Microsoft recommends patching the vulnerability, enabling tamper protection and network protection in Microsoft Defender for Endpoint, running endpoint detection and response (EDR) in block mode, configuring investigation and remediation in full automated mode, and turning on cloud-delivered protection in antivirus products to protect against this threat.
  Sources:
  - PipeMagic Backdoor Resurfaces as Part of Play Ransomware Attack Chain | www.darkreading.com | 19.08.2025 20:16
- 18.08.2025 19:03 (1 article)
  PipeMagic RansomExx Malware Exploits Windows Vulnerability
  In August 2025, it was revealed that a security flaw in Microsoft Windows, CVE-2025-29824, has been exploited by threat actors to deploy the PipeMagic malware as part of RansomExx ransomware attacks. The vulnerability, a privilege escalation flaw in the Windows Common Log File System (CLFS), was patched in April 2025. PipeMagic, first documented in 2022, acts as a backdoor providing remote access and executing commands on compromised hosts. The malware has been observed in attacks targeting industrial companies in Southeast Asia, Saudi Arabia, and Brazil. The attackers use various techniques, including fake OpenAI ChatGPT apps and DLL hijacking, to deliver the malware. PipeMagic is a modular malware that uses a domain hosted on Microsoft Azure to stage additional components. The threat actor behind these attacks, tracked as Storm-2460, has been active across multiple sectors and geographies, including IT, financial, and real estate in the U.S., Europe, South America, and the Middle East.
  Sources:
  - Microsoft Windows Vulnerability Exploited to Deploy PipeMagic RansomExx Malware | thehackernews.com | 18.08.2025 19:03
Information Snippets
- CVE-2025-29824 is a privilege escalation vulnerability in the Windows Common Log File System (CLFS).
  First reported: 18.08.2025 19:03 (2 sources, 2 articles). Sources:
  - Microsoft Windows Vulnerability Exploited to Deploy PipeMagic RansomExx Malware | thehackernews.com | 18.08.2025 19:03
  - PipeMagic Backdoor Resurfaces as Part of Play Ransomware Attack Chain | www.darkreading.com | 19.08.2025 20:16
- PipeMagic malware was first documented in 2022 as part of RansomExx ransomware attacks targeting industrial companies in Southeast Asia.
  First reported: 18.08.2025 19:03 (2 sources, 2 articles). Sources:
  - Microsoft Windows Vulnerability Exploited to Deploy PipeMagic RansomExx Malware | thehackernews.com | 18.08.2025 19:03
  - PipeMagic Backdoor Resurfaces as Part of Play Ransomware Attack Chain | www.darkreading.com | 19.08.2025 20:16
- PipeMagic acts as a full-fledged backdoor, providing remote access and executing commands on compromised hosts.
  First reported: 18.08.2025 19:03 (2 sources, 2 articles). Sources:
  - Microsoft Windows Vulnerability Exploited to Deploy PipeMagic RansomExx Malware | thehackernews.com | 18.08.2025 19:03
  - PipeMagic Backdoor Resurfaces as Part of Play Ransomware Attack Chain | www.darkreading.com | 19.08.2025 20:16
- The malware uses a random 16-byte array to create a named pipe for encrypted communication.
  First reported: 18.08.2025 19:03 (1 source, 1 article). Sources:
  - Microsoft Windows Vulnerability Exploited to Deploy PipeMagic RansomExx Malware | thehackernews.com | 18.08.2025 19:03
- PipeMagic is a plugin-based modular malware that uses a domain hosted on Microsoft Azure to stage additional components.
  First reported: 18.08.2025 19:03 (2 sources, 2 articles). Sources:
  - Microsoft Windows Vulnerability Exploited to Deploy PipeMagic RansomExx Malware | thehackernews.com | 18.08.2025 19:03
  - PipeMagic Backdoor Resurfaces as Part of Play Ransomware Attack Chain | www.darkreading.com | 19.08.2025 20:16
- The malware has been observed in attacks targeting Saudi Arabia and Brazil, using a Microsoft Help Index file as a loader.
  First reported: 18.08.2025 19:03 (2 sources, 2 articles). Sources:
  - Microsoft Windows Vulnerability Exploited to Deploy PipeMagic RansomExx Malware | thehackernews.com | 18.08.2025 19:03
  - PipeMagic Backdoor Resurfaces as Part of Play Ransomware Attack Chain | www.darkreading.com | 19.08.2025 20:16
- The threat actor behind these attacks is tracked as Storm-2460, active across multiple sectors and geographies.
  First reported: 18.08.2025 19:03 (2 sources, 2 articles). Sources:
  - Microsoft Windows Vulnerability Exploited to Deploy PipeMagic RansomExx Malware | thehackernews.com | 18.08.2025 19:03
  - PipeMagic Backdoor Resurfaces as Part of Play Ransomware Attack Chain | www.darkreading.com | 19.08.2025 20:16
- PipeMagic is delivered using various techniques, including fake OpenAI ChatGPT apps and DLL hijacking.
  First reported: 18.08.2025 19:03 (2 sources, 2 articles). Sources:
  - Microsoft Windows Vulnerability Exploited to Deploy PipeMagic RansomExx Malware | thehackernews.com | 18.08.2025 19:03
  - PipeMagic Backdoor Resurfaces as Part of Play Ransomware Attack Chain | www.darkreading.com | 19.08.2025 20:16
- The malware communicates with its C2 server over TCP and receives payload modules through a named pipe.
  First reported: 18.08.2025 19:03 (2 sources, 2 articles). Sources:
  - Microsoft Windows Vulnerability Exploited to Deploy PipeMagic RansomExx Malware | thehackernews.com | 18.08.2025 19:03
  - PipeMagic Backdoor Resurfaces as Part of Play Ransomware Attack Chain | www.darkreading.com | 19.08.2025 20:16
- PipeMagic's modular architecture makes detection and analysis significantly challenging.
  First reported: 18.08.2025 19:03 (1 source, 1 article). Sources:
  - Microsoft Windows Vulnerability Exploited to Deploy PipeMagic RansomExx Malware | thehackernews.com | 18.08.2025 19:03
Similar Happenings
HybridPetya Ransomware Bypasses UEFI Secure Boot via CVE-2024-7344
A new ransomware strain, HybridPetya, has been discovered. It resembles the Petya/NotPetya malware and can bypass UEFI Secure Boot using the CVE-2024-7344 vulnerability. HybridPetya encrypts the Master File Table (MFT) on NTFS-formatted partitions and installs a malicious EFI application on the EFI System Partition. The ransomware has two main components: a bootkit and an installer. The bootkit handles encryption and decryption processes, displaying fake CHKDSK messages to deceive victims. The ransom note demands $1,000 in Bitcoin, with a wallet receiving $183.32 between February and May 2025. HybridPetya exploits a remote code execution vulnerability in the Howyar Reloader UEFI application, allowing it to bypass Secure Boot. The variant uses a specially crafted file named 'cloak.dat' to load the bootkit binary. Microsoft revoked the vulnerable binary in January 2025. ESET's telemetry data indicates no evidence of HybridPetya being used in the wild, suggesting it may be a proof-of-concept (PoC). The ransomware incorporates characteristics from both Petya and NotPetya, including the visual style and attack chain. It drops several files into the EFI System Partition, including configuration, validation, and encryption progress tracking files. The ransom note provides a 32-character key for decryption and system restoration upon payment. Indicators of compromise for HybridPetya are available on a GitHub repository. Microsoft fixed CVE-2024-7344 with the January 2025 Patch Tuesday updates.
CVE-2025-5086 in DELMIA Apriso Exploited in the Wild
A critical deserialization vulnerability (CVE-2025-5086) in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software is being actively exploited. The flaw, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. The vulnerability allows for remote code execution, and exploitation attempts have been observed originating from an IP address in Mexico. The attacks involve sending a malicious HTTP request with a Base64-encoded payload. The payload decodes to a Windows executable identified as "Trojan.MSIL.Zapchast.gen," a spyware capable of capturing user activities and sending collected information to attackers. DELMIA Apriso is used in production processes for digitalizing and monitoring, including scheduling production, quality management, resource allocation, warehouse management, and integration between production equipment and business applications. The flaw impacts critical industries such as automotive, aerospace, electronics, high-tech, and industrial machinery. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog and is advising federal agencies to apply necessary updates by October 2, 2025.
ChillyHell macOS Backdoor Resurfaces with New Capabilities
The ChillyHell macOS backdoor malware, initially observed in 2022, has resurfaced with a new version. This modular backdoor allows attackers remote access and the ability to drop payloads, brute-force passwords, and evade detection. The malware, disguised as an executable applet, was discovered on VirusTotal and had been publicly hosted on Dropbox since 2021. The malware employs multiple persistence mechanisms and communicates over various protocols, making it highly flexible. It can exfiltrate data, drop additional payloads, and enumerate user accounts. Apple has revoked the notarization of the developer certificates associated with the malware. The resurgence of ChillyHell highlights the increasing threat landscape for macOS, emphasizing the need for robust security measures. A new Go-based remote access trojan (RAT) named ZynorRAT has been discovered, targeting Windows and Linux systems. ZynorRAT uses a Telegram bot for command and control and supports a wide range of functions, including file exfiltration and system enumeration.
TOR-based Cryptojacking Campaign Targets Misconfigured Docker APIs
A new variant of a TOR-based cryptojacking campaign targets misconfigured Docker APIs to propagate malware. The attack chain involves exploiting exposed Docker instances to deploy XMRig miners and reconnaissance tools. The malware also scans for additional ports and attempts to propagate via Telnet and Chromium remote debugging ports. The campaign may be setting up a complex botnet. The attack leverages Base64-encoded payloads and TOR domains for anonymity. It includes a dropper written in Go that parses user login information and uses Masscan for further propagation. The malware's source code includes an emoji, suggesting it may have been crafted using a large language model (LLM).

The attackers mount the host root to the fresh container, allowing them to manipulate the host system and escape the container. The attackers modify the SSH configuration of the host system to elevate privileges and provide backdoor access. The attackers create a cron job that executes every minute to block access to the Docker API's port 2375, denying other attackers future access to the exposed instance. The threat actors deploy tools to perform mass scans for other open 2375 ports, which are used for malware propagation through the creation of new containers using the identified exposed APIs.

The malware installs curl and tor, launches a Tor daemon, and waits for confirmation of the connection by accessing Amazon's checkip.amazonaws.com service over a SOCKS5 proxy. The malware appends an attacker-controlled public key to /root/.ssh/authorized_keys on the mounted host filesystem to enable persistent SSH access. The malware writes a base64-encoded cron job on the host, which executes every minute and blocks external access to port 2375 using available firewall utilities. The malware downloads a Zstandard-compressed Go binary over Tor, decompresses it, and runs it as a dropper. The Go binary parses the host's utmp file to identify logged-in users.

The malware attempts to infect other exposed Docker APIs and removes competitor containers after gaining access. The malware includes inactive logic for exploiting Telnet (port 23) using default router credentials and for interacting with Chrome's remote debugging interface (port 9222). The malware's behavior suggests it is an initial version of a complex botnet with capabilities for lateral movement, persistence, and potential future expansion for credential theft and browser hijacking. The campaign highlights the importance of securing Docker APIs and segmenting networks to prevent such attacks.
APT28 deploys NotDoor backdoor via Microsoft Outlook
APT28, a Russian state-sponsored threat group, has been using a new backdoor malware called NotDoor to target Microsoft Outlook. The malware exploits Outlook as a covert communication, data exfiltration, and malware delivery channel. NotDoor is a VBA macro that monitors incoming emails for specific trigger words. When triggered, it allows attackers to exfiltrate data, upload files, and execute commands on the victim's computer. The malware is delivered via a legitimate signed binary, Microsoft's OneDrive.exe, vulnerable to DLL sideloading. The backdoor was identified by researchers from Lab52, the threat intelligence arm of Spanish cybersecurity firm S2 Grupo. The malware has been deployed against companies in NATO member countries, using advanced techniques to evade detection and maintain persistence. NotDoor supports multiple commands for data exfiltration and file uploads, and uses Base64-encoded PowerShell commands for various operations. The malware creates a staging folder in the %TEMP% directory to store and exfiltrate files, encoding them with custom encryption before sending via email. APT28's attacks involve the abuse of Microsoft Dev Tunnels for C2 infrastructure, providing stealth and rapid infrastructure rotation. The attack chain includes the use of bogus Cloudflare Workers domains to distribute additional payloads, demonstrating a high level of specialized design and obfuscation.