Play ransomware / Storm-2460 CVE-2025-29824 PipeMagic campaign
Campaign
Summary
The Play ransomware group, tracked as Storm-2460, is actively exploiting CVE-2025-29824, an elevation-of-privilege flaw in the Windows Common Log File System (CLFS) driver (clfs.sys) that Microsoft fixed in its April 2025 security updates, and pairing it with the PipeMagic backdoor to escalate to SYSTEM and stage ransomware. Any Windows host that has not received that update remains exposed. The operation has reached organizations across multiple sectors and geographies, including the IT, financial, and real estate sectors in the US, Europe, South America, and the Middle East. Initial access uses a modified build of the open-source ChatGPT Desktop Application project as an in-memory dropper, so the backdoor is decrypted and executed without being written to disk as a standalone binary. Once running, PipeMagic provides persistence and supports later-stage lateral movement inside the targeted network.
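Because the only mitigation the campaign summary points to is patching CLFS, the first thing a responder wants is a quick way to tell whether a given host still needs the fix. The script below is an added triage example written for this page; it is not code from the page, from Microsoft, or from any vendor report on this campaign. It assumes the fix shipped with the 8 April 2025 security updates (the release date is a parameter so it can be adjusted) and deliberately does not hard-code a "fixed" clfs.sys file version, since that value differs per OS build and must be compared against the Microsoft advisory for your build.

```powershell
# Added triage check for CVE-2025-29824 exposure (not from the page or any vendor).
# Signals used:
#   1. clfs.sys file version and UTC timestamp, reported for comparison against the
#      per-build fixed version listed in Microsoft's advisory.
#   2. Whether any hotfix has been installed on or after the date the fix shipped.
# ASSUMPTION: $FixReleased is the April 2025 Patch Tuesday date (8 April 2025).
# A host with no updates since that date AND a clfs.sys older than it is flagged as
# LikelyUnpatched. A host that passes is only a starting point: confirm the file
# version against the advisory, and hunt for PipeMagic separately.

param(
    [datetime]$FixReleased = (Get-Date '2025-04-08')
)

$clfsPath = Join-Path $env:SystemRoot 'System32\drivers\clfs.sys'
$clfs     = Get-Item -LiteralPath $clfsPath -ErrorAction Stop

# Hotfixes applied on or after the fix date; InstalledOn can be null, so filter it out.
$recent = @(
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $FixReleased } |
        Sort-Object InstalledOn -Descending
)

$latest = if ($recent.Count -gt 0) {
    '{0} on {1:yyyy-MM-dd}' -f $recent[0].HotFixID, $recent[0].InstalledOn
} else {
    'none'
}

[pscustomobject]@{
    Host            = $env:COMPUTERNAME
    OSBuild         = (Get-CimInstance Win32_OperatingSystem).BuildNumber
    ClfsPath        = $clfsPath
    ClfsFileVersion = $clfs.VersionInfo.FileVersion
    ClfsLastWrite   = $clfs.LastWriteTimeUtc
    UpdatesSinceFix = $recent.Count
    LatestUpdate    = $latest
    LikelyUnpatched = ($recent.Count -eq 0 -and $clfs.LastWriteTimeUtc -lt $FixReleased)
}
```

Run it in an elevated PowerShell session on each host (or push it through your endpoint management tooling) and collect the objects into a CSV. Treat `LikelyUnpatched = True` as a priority patch list; treat `False` as "probably patched" only after `ClfsFileVersion` has been checked against the advisory for that `OSBuild`, because a later cumulative update can rewrite clfs.sys and the hotfix list alone does not prove the CLFS fix is present.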
Cases
Related Happenings
Storm-1175 high-tempo Medusa ransomware campaign
Campaign
First: 07.04.2026 13:02
Last: 07.04.2026 13:02
Sources 1
About this happening:
**Storm-1175** is running a **high-tempo Medusa ransomware campaign** that has repeatedly exploited **n-day and zero-day flaws** to gain initial access before patching closes the...
Storm-1175 high-velocity exploit campaign
Campaign
First: 06.04.2026 19:56
Last: 06.04.2026 19:56
Sources 1
About this happening:
**Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...
BRICKSTORM backdoor activity and GRIMBOLT replacement on appliances
Malware Activity
First: 18.02.2026 12:32
Last: 18.02.2026 12:32
Sources 1
About this happening:
**BRICKSTORM** is a **Golang backdoor** used by **PRC state-sponsored actors** to keep **long-term persistence** on **VMware vSphere**, **Windows**, and appliance environments. **...
WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)
Vulnerability
First: 27.01.2026 21:38
Last: 27.01.2026 21:38
Sources 1
About this happening:
The **CVE-2025-8088** **WinRAR** path traversal flaw is being **actively exploited**, enabling arbitrary file writes and malicious payload placement for persistence. Attackers abu...
NosyDoor backdoor activity using OneDrive and Google Drive C&C
Malware Activity
First: 18.12.2025 19:34
Last: 18.12.2025 19:34
Sources 1
About this happening:
The **NosyDoor** backdoor is being used to **exfiltrate files** and run **shell commands** inside compromised networks, making the **LongNosedGoblin** toolset more dangerous. The...
Timeline
- 19.08.2025 20:16 · 1 article
Play ransomware / Storm-2460 CVE-2025-29824 PipeMagic campaign
Initial Disclosure: The initial phase centered on a **zero-day CVE-2025-29824** exploit against the **Windows CLFS** driver, with **Storm-2460** using the bug to gain elevated privileges on unpatched systems. That foothold was paired with **PipeMagic** to prepare ransomware deployment and post-compromise control.
- PipeMagic Backdoor Resurfaces as Part of Play Ransomware Attack Chain — www.darkreading.com — 19.08.2025 20:16