Cybersecurity researchers have lifted the lid on the threat actors’ exploitation of a now-patched security flaw in Microsoft Windows to deploy the PipeMagic malware in RansomExx ransomware attacks.
The attacks involve the exploitation of CVE-2025-29824, a privilege escalation vulnerability impacting the Windows Common Log File System (CLFS) that was addressed by Microsoft in April 2025, Kaspersky and BI.ZONE said in a joint report published today.
PipeMagic was first documented in 2022 as part of RansomExx ransomware attacks targeting industrial companies in Southeast Asia, capable of acting as a full-fledged backdoor providing remote access and executing a wide range of commands on compromised hosts.
In those attacks, the threat actors have been found to exploit CVE-2017-0144, a remote code execution flaw in Windows SMB, to infiltrate victim infrastructure. Subsequent infection chains observed in October 2024 in Saudi Arabia were spotted leveraging a fake OpenAI ChatGPT app as bait to deliver the malware.
Earlier this April, Microsoft attributed the exploitation of CVE-2025-29824 and the deployment of PipeMagic to a threat actor it tracks as Storm-2460.
“One unique feature of PipeMagic is that it generates a random 16-byte array used to create a named pipe formatted as: \.pipe1.<hex string>,” researchers Sergey Lozhkin, Leonid Bezvershenko, Kirill Korchemny, and Ilya Savelyev said. “After that, a thread is launched that continuously creates this pipe, attempts to read data from it, and then destroys it. This communication method is necessary for the backdoor to transmit encrypted payloads and notifications.”
PipeMagic is a plugin-based modular malware that uses a domain hosted on the Microsoft Azure cloud provider to stage the additional components, with 2025 attacks aimed at Saudi Arabia and Brazil relying on a Microsoft Help Index file (“metafile.mshi”) as a loader. The loader, in turn, unpacks C# code that decrypts and executes embedded shellcode.
“The injected shellcode is executable code for 32-bit Windows systems,” the researchers said. “It loads an unencrypted executable embedded inside the shellcode itself.”
Kaspersky said it also uncovered PipeMagic loader artifacts masquerading as a ChatGPT client in 2025 that are similar to those previously seen in October 2024. The samples have been observed leveraging DLL hijacking techniques to run a malicious DLL that mimics a Google Chrome update file (“googleupdate.dll”).
Irrespective of the loading method used, it all leads to the deployment of the PipeMagic backdoor that supports various modules –
- Asynchronous communication module that supports five commands to terminate the plugin, read/write files, terminate a file operation, or terminate all file operations
- Loader module to inject additional payloads into memory and execute them
- Injector module to launch a C# executable
“The repeated detection of PipeMagic in attacks on organizations in Saudi Arabia and its appearance in Brazil indicate that the malware remains active and that the attackers continue to develop its functionality,” the researchers said.
“The versions detected in 2025 show improvements over the 2024 version, aimed at persisting in victim systems and moving laterally within internal networks. In the 2025 attacks, the attackers used the ProcDump tool, renamed to dllhost.exe, to extract memory from the LSASS process.”
