Microsoft Windows vulnerability used to distribute PipeMagic RansomExx malware
Cybersecurity researchers have revealed the exploitation of a now-patched security flaw in Microsoft Windows by threat actors to deploy the PipeMagic malware in RansomExx ransomware attacks. These attacks leverage CVE-2025-29824, a privilege escalation vulnerability affecting the Windows Common Log File System (CLFS), which Microsoft addressed in April 2025. Kaspersky and BI.ZONE reported that PipeMagic, first documented in 2022, acts as a comprehensive backdoor, providing remote access and executing various commands on compromised systems. The attackers initially exploit CVE-2017-0144, a remote code execution flaw in Windows SMB, to infiltrate victim networks. Subsequent infection chains observed in October 2024 in Saudi Arabia utilised a fake OpenAI ChatGPT app as bait to deliver the malware. Microsoft attributed the exploitation of CVE-2025-29824 and the deployment of PipeMagic to a threat actor known as Storm-2460.
One distinctive feature of PipeMagic is that it generates a random 16-byte array and uses it to create a named pipe of the form “\\.\pipe\1.<hex string>”, where the hex string is derived from those random bytes. The backdoor uses this pipe to exchange encrypted payloads and notifications. PipeMagic is a modular malware that uses a domain hosted on Microsoft Azure to stage additional components. The 2025 attacks targeting Saudi Arabia and Brazil relied on a Microsoft Help Index file (“metafile.mshi”) as a loader, which unpacks C# code to decrypt and execute embedded shellcode. Kaspersky also identified PipeMagic loader artifacts disguised as a ChatGPT client in 2025, similar to those seen in October 2024. These samples employed DLL hijacking to execute a malicious DLL masquerading as a Google Chrome update file (“googleupdate.dll”). Regardless of the loading method, the deployed PipeMagic backdoor supports various modules, including an asynchronous communication module and a loader module for injecting additional payloads into memory.
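The named-pipe naming scheme described above gives defenders a simple hunting signal. The following is an added example, not code from the Kaspersky, BI.ZONE or Microsoft reports: it parses Sysmon pipe events (Event ID 17 “Pipe Created” and 18 “Pipe Connected”) flattened to one key=value line each and flags pipe names matching the PipeMagic pattern. It assumes the 16 random bytes are rendered as 32 hexadecimal characters after “1.”, and that Sysmon records the name without the “\\.\pipe” prefix (both prefixed and unprefixed forms are handled). The sample lines are constructed for illustration.

```python
import re

# Constructed sample Sysmon pipe events flattened to "key=value" lines.
# These are made-up telemetry lines, not real events from an incident.
SAMPLE_EVENTS = [
    "EventID=17 Image=C:\\Windows\\System32\\svchost.exe PipeName=\\Ctx_WinStation_API_service",
    "EventID=17 Image=C:\\Users\\user\\AppData\\Local\\Temp\\chatgpt.exe "
    "PipeName=\\1.6f2a9c4d1e0b7a3c8d5e2f4a6b1c9d0e",
    "EventID=17 Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe PipeName=\\mojo.1234",
    "EventID=18 Image=C:\\Windows\\explorer.exe PipeName=\\1.notahexstring",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c whoami",
]

PIPE_PREFIX = "\\\\.\\pipe"  # the "\\.\pipe" namespace prefix, if a source includes it

# Assumption: 16 random bytes hex-encoded -> exactly 32 hex characters after "1.".
# The leading backslash is optional because Sysmon stores names as "\1.<hex>".
PIPEMAGIC_NAME = re.compile(r"^\\?1\.[0-9a-fA-F]{32}$")


def normalize_pipe_name(name: str) -> str:
    """Strip a leading \\\\.\\pipe prefix so both naming forms compare equally."""
    if name.lower().startswith(PIPE_PREFIX.lower()):
        return name[len(PIPE_PREFIX):]
    return name


def is_pipemagic_name(pipe_name: str) -> bool:
    """True when the pipe name matches the \\\\.\\pipe\\1.<32 hex> scheme."""
    return PIPEMAGIC_NAME.match(normalize_pipe_name(pipe_name)) is not None


def parse_event(line: str) -> dict:
    """Split a flattened Sysmon line into a dict. Values may contain spaces
    (e.g. 'Program Files'), so split only at whitespace that precedes a key."""
    fields = {}
    for token in re.split(r"\s+(?=\w+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def find_suspicious_pipes(lines):
    """Return (event_id, image, pipe_name) for pipe events matching the scheme."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") not in ("17", "18"):
            continue  # only pipe-created / pipe-connected events carry PipeName
        if is_pipemagic_name(ev.get("PipeName", "")):
            hits.append((ev["EventID"], ev.get("Image", "?"), ev["PipeName"]))
    return hits


if __name__ == "__main__":
    for event_id, image, pipe in find_suspicious_pipes(SAMPLE_EVENTS):
        print(f"Event {event_id}: {image} created/connected pipe {pipe}")
```

A match is a lead to triage (inspect the creating image and its load chain, e.g. an mshi file or a side-loaded googleupdate.dll), not proof of infection on its own.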