Threat actors with links to the Play ransomware family exploited a recently patched security flaw in Microsoft Windows as a zero-day as part of an attack targeting an unnamed organization in the United States.
The attack, per the Symantec Threat Hunter Team, part of Broadcom, leveraged CVE-2025-29824, a privilege escalation flaw in the Common Log File System (CLFS) driver. It was patched by Microsoft last month.
Play, also called Balloonfly and PlayCrypt, is known for its double extortion tactics, wherein sensitive data is exfiltrated prior to encryption and held in exchange for a ransom. It has been active since at least mid-2022.
In the activity observed by Symantec, the threat actors are said to have likely leveraged a public-facing Cisco Adaptive Security Appliance (ASA) as an entry point, taking advantage of an as-yet-undetermined method to move to another Windows machine on the target network.
The attack is notable for the use of Grixba, a bespoke information stealer previously attributed to Play, and of an exploit for CVE-2025-29824 that is dropped in the Music folder under names that masquerade as Palo Alto Networks software (e.g., “paloaltoconfig.exe” and “paloaltoconfig.dll”).
The threat actors have also been observed running commands to gather information about all the available machines in the victims’ Active Directory and save the results to a CSV file.
“During the execution of the exploit, two files are created in the path C:\ProgramData\SkyPDF,” Symantec explained. “The first file, PDUDrv.blf, is a Common Log File System base log file and is an artifact created during exploitation.”
“The second file, clssrv.inf, is a DLL that is injected into the winlogon.exe process. This DLL has the ability to drop two additional batch files.”
One of the batch files, called “servtask.bat,” is used to escalate privileges, dump the SAM, SYSTEM, and SECURITY Registry hives, create a new user named “LocalSvc,” and add it to the Administrator group. The other batch file, “cmdpostfix.bat,” is used to clean up traces of exploitation.
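The artifacts above lend themselves to a simple threat hunt. The following is an added example, not code from the article or from Symantec: it runs over constructed endpoint telemetry and labels the stages the report describes (the SkyPDF files, the masqueraded exploit in a Music folder, a hive dump, and the LocalSvc account). The event field names and the `reg save` command shape are assumptions, since the report names the hives but not the command used.

```python
import re

# Constructed sample endpoint telemetry (not from Symantec's report); one dict per event.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\ProgramData\SkyPDF\PDUDrv.blf", "proc": "paloaltoconfig.exe"},
    {"type": "file_create", "path": r"C:\ProgramData\SkyPDF\clssrv.inf", "proc": "paloaltoconfig.exe"},
    {"type": "file_create", "path": r"C:\Users\jdoe\Music\paloaltoconfig.exe", "proc": "explorer.exe"},
    {"type": "process_create", "image": "reg.exe", "cmdline": "reg save HKLM\\SAM C:\\ProgramData\\SkyPDF\\sam.hiv"},
    {"type": "user_create", "user": "LocalSvc"},
    {"type": "file_create", "path": r"C:\Users\jdoe\Documents\report.docx", "proc": "winword.exe"},
]

SKYPDF_DIR = "c:\\programdata\\skypdf\\"
SKYPDF_FILES = {"pdudrv.blf", "clssrv.inf"}
# Assumed hive-dump command shape (the article names the hives, not the command).
HIVE_DUMP_RE = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)

def classify(event):
    """Return an indicator label if the event matches the reported chain, else None."""
    kind = event["type"]
    if kind == "file_create":
        path = event["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        if path.startswith(SKYPDF_DIR) and name in SKYPDF_FILES:
            return "clfs_exploit_artifact"
        if "\\music\\" in path and name.startswith("paloaltoconfig."):
            return "masqueraded_exploit_in_music"
    elif kind == "process_create" and HIVE_DUMP_RE.search(event["cmdline"]):
        return "registry_hive_dump"
    elif kind == "user_create" and event["user"].lower() == "localsvc":
        return "localsvc_account_created"
    return None

def hunt(events):
    """Map each matching event index to its indicator label."""
    return {i: lab for i, e in enumerate(events) if (lab := classify(e))}

def verdict(events, min_stages=2):
    """Escalate only when several independent stages of the chain are present on one host."""
    stages = set(hunt(events).values())
    label = ("likely CVE-2025-29824 exploitation chain" if len(stages) >= min_stages
             else "insufficient evidence")
    return label, sorted(stages)
```

Requiring two or more distinct stages keeps a lone `reg save` by an administrator from paging anyone, while the SkyPDF artifacts alone are specific enough to warrant a look.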
Symantec said that no ransomware payload was deployed in the intrusion. The findings show that exploits for CVE-2025-29824 may have been available to multiple threat actors before it was fixed by Microsoft.
It’s worth noting that the nature of exploitation detailed by the cybersecurity company does not overlap with another activity cluster dubbed Storm-2460 that Microsoft disclosed as having weaponized the flaw in a limited set of attacks to deliver a trojan dubbed PipeMagic.
The exploitation of CVE-2025-29824 also points to the trend of ransomware actors using zero-days to infiltrate targets. Last year, Symantec divulged that the Black Basta group may have taken advantage of CVE-2024-26169, a privilege escalation flaw in the Windows Error Reporting Service, as a zero-day.
New “Bring Your Own Installer” EDR Bypass Used in Babuk Ransomware Attack
The disclosure comes as Aon’s Stroz Friedberg Incident Response Services detailed a local bypass technique called Bring Your Own Installer that’s being exploited by threat actors to disable endpoint security software and deploy the Babuk ransomware.
The attack, per the company, targeted SentinelOne’s Endpoint Detection and Response (EDR) system by exploiting a flaw within the upgrade/downgrade process of the SentinelOne agent after having gained local administrative access on a publicly-accessible server.
“Bring Your Own Installer is a technique which can be used by threat actors to bypass EDR protection on a host through timed termination of the agent update process when inadequately configured,” Aon researchers John Ailes and Tim Mashni said.
The approach is noteworthy because it does not rely on vulnerable drivers or other tools to disarm security software. Rather, it exploits a time window in the agent upgrade process to terminate running EDR agents, leaving devices unprotected.
Specifically, it abuses the fact that installing a different version of the software using an MSI file causes it to terminate already running Windows processes before the update is performed.
The Bring Your Own Installer attack essentially involves running a legitimate installer and forcefully terminating the install process by issuing a “taskkill” command after it shuts down the running services.
“Because the old version of SentinelOne processes were terminated during the upgrade, and the new processes were interrupted before spawning, the final result was a system without SentinelOne protection,” Aon researchers said.
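The sequence just described, an MSI install of the agent followed by a forced kill of that install, is detectable from ordinary process-creation logs. The following is an added example, not code from the article or from Aon: it parses constructed process events and flags an `msiexec /i` install that is killed by `taskkill` within a short window. The log field layout and the 120-second window are assumptions.

```python
import re
from datetime import datetime

# Constructed process-creation log (not from Aon's report); the field layout is assumed.
SAMPLE_LOG = [
    "2025-05-01T10:00:00 pid=4120 image=msiexec.exe cmdline=msiexec.exe /i C:\\Temp\\agent-setup.msi /qn",
    "2025-05-01T10:00:04 pid=5312 image=taskkill.exe cmdline=taskkill /f /pid 4120",
    "2025-05-01T11:30:00 pid=6000 image=msiexec.exe cmdline=msiexec.exe /i C:\\Temp\\other-app.msi /qn",
    "2025-05-01T11:32:10 pid=6100 image=notepad.exe cmdline=notepad.exe",
    "2025-05-01T12:00:00 pid=6200 image=taskkill.exe cmdline=taskkill /f /im notepad.exe",
]

LINE_RE = re.compile(r"^(\S+) pid=(\d+) image=(\S+) cmdline=(.*)$")

def parse(line):
    ts, pid, image, cmdline = LINE_RE.match(line).groups()
    return {"time": datetime.fromisoformat(ts), "pid": int(pid),
            "image": image.lower(), "cmdline": cmdline.lower()}

def is_msi_install(e):
    return e["image"] == "msiexec.exe" and " /i " in e["cmdline"] and ".msi" in e["cmdline"]

def kills_installer(e, install):
    """taskkill aimed at the installer's PID, or at msiexec by image name."""
    return e["image"] == "taskkill.exe" and (
        f"/pid {install['pid']}" in e["cmdline"] or "msiexec" in e["cmdline"])

def detect_byoi(lines, window_s=120):
    """Flag MSI installs that are forcibly killed within window_s seconds of starting."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["time"])
    alerts = []
    for install in filter(is_msi_install, events):
        for e in events:
            delta = (e["time"] - install["time"]).total_seconds()
            if 0 <= delta <= window_s and kills_installer(e, install):
                alerts.append({"install_pid": install["pid"], "kill_pid": e["pid"],
                               "seconds_after_start": delta, "msi": install["cmdline"]})
    return alerts
```

An alert here is a trigger to confirm the agent is still running and reporting, since an administrator aborting a stuck install produces the same two events.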
SentinelOne, which said the technique could be applied against other endpoint protection products, has since rolled out updates to its Local Upgrade Authorization feature to prevent such bypasses from happening again. This includes enabling it by default for all new customers.
The disclosure comes as Cisco revealed that a ransomware family known as Crytox has employed HRSword as part of their attack chain to turn off endpoint security protections.
HRSword has been previously observed in attacks delivering BabyLockerKZ and Phobos ransomware strains, as well as those designed to terminate AhnLab’s security solutions in South Korea.
New Ransomware Trends
Ransomware attacks have also increasingly trained their sights on domain controllers to breach organizations, allowing threat actors to obtain access to privileged accounts and weaponize the centralized network access to encrypt hundreds or thousands of systems within minutes.
“In more than 78% of human-operated cyberattacks, threat actors successfully breach a domain controller,” Microsoft revealed last month.
“Additionally, in more than 35% of cases, the primary spreader device — the system responsible for distributing ransomware at scale — is a domain controller, highlighting its crucial role in enabling widespread encryption and operational disruption.”
Other ransomware attacks detected in recent months have leveraged a new Ransomware-as-a-Service (RaaS) known as PlayBoy Locker, which provides relatively unskilled cybercriminals with a comprehensive toolkit comprising ransomware payloads, management dashboards, and support services.
“The PlayBoy Locker RaaS platform offers affiliates numerous options for building ransomware binaries that target Windows, NAS, and ESXi systems, enabling tailored configurations to suit different operational requirements,” Cybereason said. “PlayBoy Locker RaaS operators advertise regular updates, anti-detection features, and even customer support for affiliates.”
The developments have also coincided with the launch of a ransomware cartel by DragonForce, an e-crime group that has claimed control of RansomHub, a RaaS scheme that abruptly ceased operations at the end of March 2025.
The white-label branding service is designed to allow affiliates to disguise the DragonForce ransomware as a different strain for an additional fee. The threat actor claims to take a 20% share of successful ransomware payouts, allowing the affiliates to keep the remaining 80%.
DragonForce emerged in August 2023, positioning itself as a pro-Palestine hacktivist operation before evolving into a full-fledged ransomware operation. In recent weeks, the RaaS syndicate has attracted attention for its targeting of U.K. retailers like Harrods, Marks and Spencer, and the Co-Op.
“This move, along with DragonForce’s push to brand itself as a ‘ransomware cartel,’ illustrates the group’s desire to raise its profile in the crimeware landscape by enabling an ecosystem,” SentinelOne said. “Under this model, DragonForce provides the infrastructure, malware, and ongoing support services while affiliates run campaigns under their own branding.”
According to a report from BBC News, the attacks aimed at the U.K. retail sector are believed to have been orchestrated by a notorious threat group and a RansomHub affiliate known as Scattered Spider (aka Octo Tempest or UNC3944).
“It is plausible that threat actors including UNC3944 view retail organizations as attractive targets, given that they typically possess large quantities of personally identifiable information (PII) and financial data,” Google-owned Mandiant said.
“Further, these companies may be more likely to pay a ransom demand if a ransomware attack impacts their ability to process financial transactions.”
Ransomware attacks rose 25% in 2024, with the number of ransomware group leak sites rising by 53%. This fragmentation, per Bitsight, reflects the arrival of smaller, more agile gangs that are striking mid-sized organizations that may not always have the resources to tackle such threats.
“The proliferation of ransomware groups means that they are increasing faster than law enforcement can shut them down, and their focus on smaller organizations means that anyone may be a target,” security researcher Dov Lerner said.