Find notable cyber news and cases, enriched with sources, timelines, and signals.

Play ransomware / Storm-2460 CVE-2025-29824 PipeMagic campaign

Campaign
First reported
Last updated
Happening score
H score 41
1 unique sources, 1 articles

Summary

Hide ▲

The Play ransomware group (Storm-2460) is actively exploiting CVE-2025-29824 with the PipeMagic backdoor to raise privileges and deliver ransomware, increasing risk for unpatched Windows CLFS systems. The operation has reached organizations across multiple sectors and geographies, including the IT, financial, and real estate sectors in the US, Europe, South America, and the Middle East. Initial access uses a modified ChatGPT Desktop Application project as an in-memory dropper. The backdoor supports persistence and later-stage movement inside targeted networks.

Cases

Related Happenings

Storm-1175 high-tempo Medusa ransomware campaign

Campaign
H score59 First: 07.04.2026 13:02 Last: 07.04.2026 13:02 Sources 1

About this happening: **Storm-1175** is running a **high-tempo Medusa ransomware campaign** that has repeatedly exploited **n-day and zero-day flaws** to gain initial access before patching closes the...

Storm-1175 high-velocity exploit campaign

Campaign
H score59 First: 06.04.2026 19:56 Last: 06.04.2026 19:56 Sources 1

About this happening: **Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...

BRICKSTORM backdoor activity and GRIMBOLT replacement on appliances

Malware Activity
H score29 First: 18.02.2026 12:32 Last: 18.02.2026 12:32 Sources 1

About this happening: **BRICKSTORM** is a **Golang backdoor** used by **PRC state-sponsored actors** to keep **long-term persistence** on **VMware vSphere**, **Windows**, and appliance environments. **...

WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)

Vulnerability
H score21 First: 27.01.2026 21:38 Last: 27.01.2026 21:38 Sources 1

About this happening: The **CVE-2025-8088** **WinRAR** path traversal flaw is being **actively exploited** through **Alternate Data Streams (ADS)** to write malicious files outside the extraction direc...

WinRAR path-traversal exploitation wave (CVE-2025-8088)

Exploitation Wave
H score20 First: 27.01.2026 21:38 Last: 27.01.2026 21:38 Sources 1

About this happening: **CVE-2025-8088** in **WinRAR** remains an **ongoing exploitation wave**. **Trend Micro** says **Russia-aligned groups** **Earth Dahu (Gamaredon)** and **SHADOW-EARTH-066 (UAC-022...

Timeline

  1. 19.08.2025 20:16 1 articles · 10mo ago

    Play ransomware / Storm-2460 CVE-2025-29824 PipeMagic campaign

    Initial Disclosure

    The initial phase centered on a **zero-day CVE-2025-29824** exploit against **Windows CLFS**, with **Storm-2460** using the bug to gain elevated privileges on unpatched systems. That foothold was paired with **PipeMagic** to prepare ransomware deployment and post-compromise control.

    Show sources