Microsoft Windows Flaw Exploited to Deploy PipeMagic Malware in RansomExx Attacks

Cybersecurity researchers have detailed how threat actors exploited a recently patched Windows vulnerability to deploy the PipeMagic backdoor as part of RansomExx ransomware campaigns.

The attacks exploited CVE-2025-29824, a privilege escalation flaw in the Windows Common Log File System (CLFS) driver that Microsoft patched in April 2025; successful exploitation yields SYSTEM privileges on the host. The analysis, published jointly by Kaspersky and BI.ZONE, details how the attackers gained and kept access to compromised systems.

Background on PipeMagic

First observed in 2022, PipeMagic is a backdoor that gives its operators remote control over infected hosts and executes a range of commands. Early RansomExx campaigns primarily targeted industrial organizations in Southeast Asia; in those attacks the threat actors exploited CVE-2017-0144, the Windows SMBv1 remote code execution vulnerability (EternalBlue), to get into victim networks.

In October 2024 incidents in Saudi Arabia, the attackers used a fake OpenAI ChatGPT application as a lure to deliver PipeMagic. In April 2025, Microsoft attributed the exploitation of CVE-2025-29824 and the subsequent PipeMagic deployment to a threat actor it tracks as Storm-2460.

How PipeMagic Operates

PipeMagic's local communication is distinctive. The malware generates a random 16-byte array and derives from it the name of a named pipe of the form \\.\pipe\1.<hex string>; a dedicated thread then repeatedly creates that pipe, reads whatever has been written to it and destroys it, which is how encrypted payloads and stop signals reach the backdoor. The architecture is modular: additional plugins are fetched from a command-and-control domain hosted on Microsoft Azure.
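The pipe naming scheme gives defenders a concrete hunting hook. The following is an added example, not code from the article or from the Kaspersky/BI.ZONE analysis: it scans Sysmon pipe events (Event ID 17 PipeCreated, 18 PipeConnected) and flags pipe names matching the PipeMagic pattern. It assumes the `<hex string>` is the hex encoding of the 16-byte array, i.e. exactly 32 hex digits; if real samples differ in length or case, adjust the regex. The log records are constructed for the example and flattened to key=value pairs.

```python
import re
from dataclasses import dataclass

# Assumption: <hex string> is the 16-byte random array hex-encoded (32 hex digits).
PIPEMAGIC_PIPE_RE = re.compile(r"^1\.[0-9a-fA-F]{32}$")

# Sysmon logs pipe names as "\name"; raw Win32 paths carry "\\.\pipe\name".
# Strip either prefix so both forms compare the same way.
PIPE_PREFIX_RE = re.compile(r"^(?:\\\\\.\\pipe\\|\\)", re.IGNORECASE)


def bare_pipe_name(name: str) -> str:
    """Return the pipe name without its \\.\pipe\ or leading-backslash prefix."""
    return PIPE_PREFIX_RE.sub("", name, count=1)


def is_pipemagic_pipe(name: str) -> bool:
    """True if the pipe name looks like \\.\pipe\1.<32 hex digits>."""
    return bool(PIPEMAGIC_PIPE_RE.match(bare_pipe_name(name)))


@dataclass
class PipeEvent:
    event_id: int      # 17 = PipeCreated, 18 = PipeConnected
    pipe_name: str
    image: str         # process that created/connected to the pipe
    pid: int


def parse_sysmon_line(line: str) -> PipeEvent:
    """Minimal parser for the constructed 'Key=Value|Key=Value' records below."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return PipeEvent(int(fields["EventID"]), fields["PipeName"],
                     fields["Image"], int(fields["ProcessId"]))


def find_suspicious_pipes(lines):
    """Return the pipe events whose name matches the PipeMagic pattern."""
    hits = []
    for line in lines:
        ev = parse_sysmon_line(line)
        if ev.event_id in (17, 18) and is_pipemagic_pipe(ev.pipe_name):
            hits.append(ev)
    return hits


# Constructed sample telemetry: two PipeMagic-style names, three benign ones.
SAMPLE_LOG = [
    "EventID=17|PipeName=\\1.3f9c0b2a7d4e18c5a6b7f0e1d2c3b4a5|Image=C:\\Users\\Public\\svc.exe|ProcessId=4120",
    "EventID=18|PipeName=\\\\.\\pipe\\1.00112233445566778899aabbccddeeff|Image=C:\\Users\\Public\\svc.exe|ProcessId=4120",
    "EventID=17|PipeName=\\PSHost.133.1.DefaultAppDomain.powershell|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ProcessId=2208",
    "EventID=17|PipeName=\\1.0011|Image=C:\\Program Files\\App\\app.exe|ProcessId=900",
    "EventID=18|PipeName=\\lsass|Image=C:\\Windows\\System32\\lsass.exe|ProcessId=712",
]

if __name__ == "__main__":
    for ev in find_suspicious_pipes(SAMPLE_LOG):
        print(f"[pipe] EventID={ev.event_id} pid={ev.pid} {ev.image} -> {ev.pipe_name}")
```

Because the name is random per infection, a static blocklist is useless; matching the shape of the name (prefix `1.` plus 32 hex digits) is what generalises. Pair a hit with the creating process image so analysts can pivot to the loader.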

In the recent attacks in Saudi Arabia and Brazil, the loader was a Microsoft Help Index file (“metafile.mshi”) that unpacks C# code; that code decrypts and executes embedded shellcode, and the shellcode in turn loads an executable embedded within itself, which is the backdoor that then runs in memory on the infected system.

In some 2025 incidents, the PipeMagic loaders were disguised as ChatGPT clients and relied on DLL hijacking: the client executable loaded a malicious DLL named to look like a legitimate Google Chrome update component (googleupdate.dll).

Key Functional Modules

PipeMagic’s modular design includes:

  • Asynchronous communication module: Supports commands to terminate plugins, read/write files, or stop file operations.
  • Loader module: Injects and executes additional payloads in memory.
  • Injector module: Launches C# executables on compromised systems.

The researchers note that the 2025 versions of PipeMagic improve on the 2024 variants, adding persistence and lateral movement capabilities. In the observed intrusions the attackers also ran Sysinternals ProcDump, renamed to dllhost.exe, to dump the memory of the LSASS process for credential theft, further evidence that the tooling around the malware keeps evolving.
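The renamed ProcDump described here and the googleupdate.dll hijack described earlier both leave traces that endpoint telemetry can match on. The following added example (not from the article or the researchers' report) runs two checks over constructed Sysmon records: for process-creation events (Event ID 1) it compares the PE version-resource OriginalFileName against the on-disk name and looks for a ProcDump command line aimed at lsass; for image-load events (Event ID 7) it flags a googleupdate.dll loaded from outside Google's install directories or without a valid signature. The ProcDump OriginalFileName value, the Google directory list, and all paths in the sample are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon records, flattened to Key=Value pairs for this example.
SAMPLE_EVENTS = [
    # Event 1: ProcDump copied to dllhost.exe and pointed at LSASS (full dump, -ma)
    "EventID=1|Image=C:\\Windows\\Temp\\dllhost.exe|OriginalFileName=procdump"
    "|CommandLine=dllhost.exe -accepteula -ma lsass.exe C:\\Windows\\Temp\\l.dmp"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe",
    # Event 1: the genuine COM surrogate dllhost.exe
    "EventID=1|Image=C:\\Windows\\System32\\dllhost.exe|OriginalFileName=dllhost.exe"
    "|CommandLine=C:\\Windows\\system32\\DllHost.exe /Processid:{00000000-0000-0000-0000-000000000000}"
    "|ParentImage=C:\\Windows\\System32\\svchost.exe",
    # Event 7: googleupdate.dll side-loaded by a fake ChatGPT client from a user-writable path
    "EventID=7|Image=C:\\Users\\user\\Downloads\\ChatGPT\\chatgpt.exe"
    "|ImageLoaded=C:\\Users\\user\\Downloads\\ChatGPT\\googleupdate.dll|Signed=false|Signature=",
    # Event 7: a legitimate, signed Google Update DLL
    "EventID=7|Image=C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe"
    "|ImageLoaded=C:\\Program Files (x86)\\Google\\Update\\1.3.36.372\\goopdate.dll|Signed=true|Signature=Google LLC",
]

# Assumption: ProcDump's OriginalFileName resource reads "procdump" (with or
# without ".exe"); stems are compared so either form matches.
RENAMED_TOOLS = {"procdump"}

# Assumption: directories where a genuine Google Update DLL would live.
GOOGLE_DIRS = ("c:\\program files (x86)\\google\\", "c:\\program files\\google\\")


def parse_event(line):
    return dict(kv.split("=", 1) for kv in line.split("|"))


def stem(path):
    """Lower-cased file name without extension, e.g. 'procdump'."""
    return PureWindowsPath(path).stem.lower()


def check_process_create(ev):
    findings = []
    orig, image = ev.get("OriginalFileName", ""), ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    # Version resource says procdump but the file on disk is called something else.
    if stem(orig) in RENAMED_TOOLS and stem(orig) != stem(image):
        findings.append(("renamed_tool", f"{stem(orig)} running as {image}"))
    # ProcDump -ma/-mp/-m against lsass is a credential-dump attempt regardless of file name.
    if re.search(r"\blsass(\.exe)?\b", cmd, re.IGNORECASE) and re.search(r"(^|\s)-m[ap]?\b", cmd):
        findings.append(("lsass_dump", cmd))
    return findings


def check_image_load(ev):
    loaded = ev.get("ImageLoaded", "")
    if PureWindowsPath(loaded).name.lower() != "googleupdate.dll":
        return []
    in_google_dir = loaded.lower().startswith(GOOGLE_DIRS)
    signed = ev.get("Signed", "").lower() == "true"
    if in_google_dir and signed:
        return []
    return [("dll_sideload", f"{loaded} loaded by {ev.get('Image', '')}")]


def scan(lines):
    """Apply the Event ID 1 and Event ID 7 checks; return (rule, detail) pairs."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "1":
            findings.extend(check_process_create(ev))
        elif ev.get("EventID") == "7":
            findings.extend(check_image_load(ev))
    return findings


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The OriginalFileName comparison catches the rename on its own, and the lsass check catches the dump even if the attacker strips the version resource; keeping both rules independent is what makes the detection robust to either evasion. The Event ID 7 rule deliberately requires both a trusted directory and a valid signature before it stays quiet.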

Implications for Organizations

The continued PipeMagic activity, notably in Saudi Arabia and Brazil, shows that the RansomExx operators remain active. Organizations should apply the April 2025 patch for CVE-2025-29824, monitor named pipe creation (for example, Sysmon Event ID 17) for the pipe naming pattern described above, alert on renamed administrative tools and on LSASS memory access, and use endpoint detection to catch lateral movement and in-memory payloads.

Source: https://thehackernews.com/2025/08/microsoft-windows-vulnerability.html