Play ransomware / Storm-2460 CVE-2025-29824 PipeMagic campaign
Campaign
Summary
Hide ▲
Show ▼
The Play ransomware group (Storm-2460) is actively exploiting CVE-2025-29824 with the PipeMagic backdoor to raise privileges and deliver ransomware, increasing risk for unpatched Windows CLFS systems. The operation has reached organizations across multiple sectors and geographies, including the IT, financial, and real estate sectors in the US, Europe, South America, and the Middle East. Initial access uses a modified ChatGPT Desktop Application project as an in-memory dropper. The backdoor supports persistence and later-stage movement inside targeted networks.
Cases
Related Happenings
Storm-1175 high-tempo Medusa ransomware campaign
Campaign
H score59
First: 07.04.2026 13:02
Last: 07.04.2026 13:02
Sources 1
About this happening:
**Storm-1175** is running a **high-tempo Medusa ransomware campaign** that has repeatedly exploited **n-day and zero-day flaws** to gain initial access before patching closes the...
Storm-1175 high-tempo Medusa ransomware campaign
CampaignAbout this happening: **Storm-1175** is running a **high-tempo Medusa ransomware campaign** that has repeatedly exploited **n-day and zero-day flaws** to gain initial access before patching closes the...
Storm-1175 high-velocity exploit campaign
Campaign
H score59
First: 06.04.2026 19:56
Last: 06.04.2026 19:56
Sources 1
About this happening:
**Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...
Storm-1175 high-velocity exploit campaign
CampaignAbout this happening: **Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...
BRICKSTORM backdoor activity and GRIMBOLT replacement on appliances
Malware Activity
H score29
First: 18.02.2026 12:32
Last: 18.02.2026 12:32
Sources 1
About this happening:
**BRICKSTORM** is a **Golang backdoor** used by **PRC state-sponsored actors** to keep **long-term persistence** on **VMware vSphere**, **Windows**, and appliance environments. **...
BRICKSTORM backdoor activity and GRIMBOLT replacement on appliances
Malware ActivityAbout this happening: **BRICKSTORM** is a **Golang backdoor** used by **PRC state-sponsored actors** to keep **long-term persistence** on **VMware vSphere**, **Windows**, and appliance environments. **...
WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)
Vulnerability
H score21
First: 27.01.2026 21:38
Last: 27.01.2026 21:38
Sources 1
About this happening:
The **CVE-2025-8088** **WinRAR** path traversal flaw is being **actively exploited** through **Alternate Data Streams (ADS)** to write malicious files outside the extraction direc...
WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)
VulnerabilityAbout this happening: The **CVE-2025-8088** **WinRAR** path traversal flaw is being **actively exploited** through **Alternate Data Streams (ADS)** to write malicious files outside the extraction direc...
WinRAR path-traversal exploitation wave (CVE-2025-8088)
Exploitation Wave
H score20
First: 27.01.2026 21:38
Last: 27.01.2026 21:38
Sources 1
About this happening:
**CVE-2025-8088** in **WinRAR** remains an **ongoing exploitation wave**. **Trend Micro** says **Russia-aligned groups** **Earth Dahu (Gamaredon)** and **SHADOW-EARTH-066 (UAC-022...
WinRAR path-traversal exploitation wave (CVE-2025-8088)
Exploitation WaveAbout this happening: **CVE-2025-8088** in **WinRAR** remains an **ongoing exploitation wave**. **Trend Micro** says **Russia-aligned groups** **Earth Dahu (Gamaredon)** and **SHADOW-EARTH-066 (UAC-022...
Timeline
-
19.08.2025 20:16 1 articles · 10mo ago
Play ransomware / Storm-2460 CVE-2025-29824 PipeMagic campaign
Initial DisclosureThe initial phase centered on a **zero-day CVE-2025-29824** exploit against **Windows CLFS**, with **Storm-2460** using the bug to gain elevated privileges on unpatched systems. That foothold was paired with **PipeMagic** to prepare ransomware deployment and post-compromise control.
Show sources
- PipeMagic Backdoor Resurfaces as Part of Play Ransomware Attack Chain — www.darkreading.com — 19.08.2025 20:16