
Microsoft Home windows Vulnerability Exploited to Deploy PipeMagic RansomExx Malware

Cybersecurity researchers have lifted the lid on threat actors' exploitation of a now-patched security flaw in Microsoft Windows to deploy the PipeMagic malware in RansomExx ransomware attacks.

The attacks involve the exploitation of CVE-2025-29824, a privilege escalation vulnerability impacting the Windows Common Log File System (CLFS) that was addressed by Microsoft in April 2025, Kaspersky and BI.ZONE said in a joint report published today.

PipeMagic was first documented in 2022 as part of RansomExx ransomware attacks targeting industrial companies in Southeast Asia. It is capable of acting as a full-fledged backdoor, providing remote access and executing a wide range of commands on compromised hosts.

In those attacks, the threat actors were found to exploit CVE-2017-0144, a remote code execution flaw in Windows SMB, to infiltrate victim infrastructure. Subsequent infection chains observed in October 2024 in Saudi Arabia leveraged a fake OpenAI ChatGPT app as bait to deliver the malware.

Earlier this April, Microsoft attributed the exploitation of CVE-2025-29824 and the deployment of PipeMagic to a threat actor it tracks as Storm-2460.

“One distinctive feature of PipeMagic is that it generates a random 16-byte array used to create a named pipe formatted as: \\.\pipe\1.<hex string>,” researchers Sergey Lozhkin, Leonid Bezvershenko, Kirill Korchemny, and Ilya Savelyev said. “After that, a thread is launched that constantly creates this pipe, attempts to read data from it, and then destroys it. This communication method is essential for the backdoor to transmit encrypted payloads and notifications.”

PipeMagic is a plugin-based modular malware that uses a domain hosted on the Microsoft Azure cloud provider to stage the additional components, with the 2025 attacks aimed at Saudi Arabia and Brazil relying on a Microsoft Help Index file (“metafile.mshi”) as a loader. The loader, in turn, unpacks C# code that decrypts and executes embedded shellcode.

“The injected shellcode is executable code for 32-bit Windows systems,” the researchers said. “It loads an unencrypted executable embedded inside the shellcode itself.”

Kaspersky said it also uncovered PipeMagic loader artifacts masquerading as a ChatGPT client in 2025 that are similar to those previously seen in October 2024. The samples were observed leveraging DLL hijacking techniques to run a malicious DLL that mimics a Google Chrome update file (“googleupdate.dll”).

Regardless of the loading method used, every chain ends with the deployment of the PipeMagic backdoor, which supports various modules –

  • Asynchronous communication module that supports five commands to terminate the plugin, read/write data, terminate a file operation, or terminate all file operations
  • Loader module to inject additional payloads into memory and execute them
  • Injector module to launch a C# executable

“The repeated detection of PipeMagic in attacks on organizations in Saudi Arabia and its appearance in Brazil indicate that the malware remains active and that the attackers continue to develop its functionality,” the researchers said.

“The versions detected in 2025 show improvements over the 2024 version, aimed at persisting in victim systems and moving laterally within internal networks. In the 2025 attacks, the attackers used the ProcDump tool, renamed to dllhost.exe, to extract memory from the LSASS process.”
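Two of the observable artifacts described in this article (the `\\.\pipe\1.<hex string>` named pipe format and ProcDump running under the name dllhost.exe against LSASS) can be turned into simple host-telemetry checks. The following Python is an added illustration written for this page; it is not code from Kaspersky, BI.ZONE, Microsoft or the malware itself. The event records are constructed for the example and borrow Sysmon's field names (EventID 17 `PipeName`/`Image`, EventID 1 `Image`/`OriginalFileName`/`CommandLine`); the assumption that the hex string is 16 to 32 hex characters (the report only says it derives from a random 16-byte array) is made here, not stated on the page.

```python
import re
from pathlib import PureWindowsPath

# Named pipe format described in the report: \\.\pipe\1.<hex string>.
# Sysmon records pipe names without the \\.\pipe prefix (e.g. "\1.<hex>"), so the
# prefix is optional here. Length 16-32 hex chars is an assumption (16 random bytes).
PIPEMAGIC_PIPE_RE = re.compile(r"^(?:\\\\\.\\pipe)?\\1\.[0-9a-fA-F]{16,32}$")

# Version-info OriginalFileName values shipped with Sysinternals ProcDump.
PROCDUMP_ORIGINAL_NAMES = frozenset({"procdump.exe", "procdump64.exe"})


def is_pipemagic_pipe_name(pipe_name: str) -> bool:
    """True if a pipe name follows the PipeMagic naming scheme from the report."""
    return PIPEMAGIC_PIPE_RE.match(pipe_name) is not None


def is_renamed_procdump(image: str, original_file_name: str) -> bool:
    """True if the PE identifies itself as ProcDump but runs under another file name.

    The article describes ProcDump renamed to dllhost.exe; the check is generic
    because any on-disk name that differs from the OriginalFileName is suspect.
    """
    on_disk = PureWindowsPath(image).name.lower()
    return (original_file_name.lower() in PROCDUMP_ORIGINAL_NAMES
            and on_disk not in PROCDUMP_ORIGINAL_NAMES)


def triage(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (finding, image, detail) tuples for events matching either indicator."""
    findings = []
    for ev in events:
        if ev["EventID"] == 17 and is_pipemagic_pipe_name(ev.get("PipeName", "")):
            findings.append(("pipemagic_named_pipe", ev["Image"], ev["PipeName"]))
        elif ev["EventID"] == 1 and is_renamed_procdump(ev["Image"], ev.get("OriginalFileName", "")):
            # Flag the LSASS target when the command line names it (as in the 2025 attacks).
            target = "lsass" if "lsass" in ev.get("CommandLine", "").lower() else "unknown"
            findings.append(("renamed_procdump", ev["Image"], target))
    return findings


# Constructed sample telemetry (not from the report): one hit and one benign record
# for each indicator. Paths, pipe hex string and command lines are made up.
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": r"C:\Users\alice\AppData\Local\Temp\sample.exe",
     "PipeName": r"\1.5f3c9a0b1e2d4c6f7a8b9c0d1e2f3a4b"},
    {"EventID": 17, "Image": r"C:\Windows\System32\spoolsv.exe",
     "PipeName": r"\spoolss"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\dllhost.exe",
     "OriginalFileName": "procdump.exe",
     "CommandLine": r"dllhost.exe lsass.exe C:\Windows\Temp\out.dmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe",
     "OriginalFileName": "dllhost.exe",
     "CommandLine": r"C:\Windows\System32\dllhost.exe /Processid:{...}"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The OriginalFileName comparison is the more durable of the two checks: a renamed binary keeps its version-info resource unless the operator also patches the PE, whereas a pipe-name regex only holds until the malware's naming scheme changes.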

PipeMagic, a Sophisticated Malware Framework

Describing PipeMagic as a framework designed for flexibility and persistence, Microsoft said the malware can dynamically execute payloads while maintaining robust command-and-control (C2) communication through a dedicated networking module.

“As the malware receives and loads payload modules from C2, it grants the threat actor granular control over code execution on the compromised host,” the Microsoft Threat Intelligence team said. “By offloading network communication and backdoor tasks to discrete modules, PipeMagic maintains a modular, stealthy, and highly extensible architecture, making detection and analysis significantly challenging.”

Storm-2460 attacks span multiple sectors and geographies, including information technology (IT), financial, and real estate in the U.S., Europe, South America, and the Middle East.

PipeMagic gets its name from its use of encrypted inter-process communication via named pipes. The malware communicates with its C2 server over TCP and receives payload modules from that server through a named pipe. The payloads are kept in memory in a doubly linked list, leaving no traces on disk.

Another module of importance is a network component that is used for C2 communications to send data, collect comprehensive system information, and process commands contained within C2 responses; those commands give the operator granular control over module management, execution, and system reconnaissance.
