
Researchers Warn of New PipeMagic Malware Attacks Exploiting Windows Flaw in RansomExx Campaigns

By globalsmeviews Team
August 19, 2025

Cybersecurity experts from Kaspersky and BI.ZONE have uncovered active exploitation of a critical Windows vulnerability by threat actors deploying the PipeMagic malware in recent RansomExx ransomware attacks.

The vulnerability in question—CVE-2025-29824—is a privilege escalation flaw in Windows' Common Log File System (CLFS), patched by Microsoft in April 2025. Microsoft has attributed the exploitation to Storm-2460, a known advanced threat group.

PipeMagic, first spotted in 2022 targeting industrial systems in Southeast Asia, is a modular backdoor malware. It enables remote access, file operations, and execution of additional payloads—making it highly flexible and dangerous.

Researchers highlight that PipeMagic communicates using encrypted named pipes, generating a random 16-byte array for each session. These pipes help transmit encrypted payloads and keep the malware stealthy. It also uses a loader disguised as a Microsoft Help Index file to unpack and execute shellcode on 32-bit Windows systems.
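The per-session random pipe name described above is something a defender can hunt for in endpoint telemetry. The following is an added example, not code from the article, Kaspersky, BI.ZONE or Microsoft: it parses constructed Sysmon-style pipe events (Event ID 17 PipeCreated, 18 PipeConnected) and flags pipe names that look machine-generated, either because they contain a hex-encoded 16-byte token or because their character entropy is far above that of ordinary service pipe names. The assumption that the random bytes appear hex-encoded in the pipe name is mine; the article only says a random 16-byte array is generated per session. The sample log lines, paths and hex value are constructed for the example and are not indicators from the report.

```python
import math
import re
from collections import Counter, defaultdict
from typing import Optional

# Constructed Sysmon-style pipe events for the example (EventID 17 = PipeCreated,
# 18 = PipeConnected). None of these lines are real telemetry or real indicators.
SAMPLE_EVENTS = [
    r"EventID=17 Image=C:\Windows\System32\svchost.exe PipeName=\ntsvcs",
    r"EventID=17 Image=C:\Windows\System32\spoolsv.exe PipeName=\spoolss",
    r"EventID=17 Image=C:\Users\u\AppData\Local\Temp\update.exe PipeName=\9f3a7c2e4b1d0a8f6e5c3b2a1908f7d6",
    r"EventID=18 Image=C:\Users\u\AppData\Local\Temp\helper.exe PipeName=\9f3a7c2e4b1d0a8f6e5c3b2a1908f7d6",
    r"EventID=17 Image=C:\Windows\System32\lsass.exe PipeName=\lsass",
]

EVENT_RE = re.compile(r"EventID=(?P<id>\d+) Image=(?P<image>.+?) PipeName=(?P<pipe>\S+)")
# 16 random bytes rendered as hex is 32 hex characters (assumed encoding, see lead-in).
HEX16_RE = re.compile(r"[0-9a-fA-F]{32}")
# Bits per character; legitimate names such as \ntsvcs or \spoolss sit well below this.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(text: str) -> float:
    """Shannon entropy of `text` in bits per character (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_event(line: str) -> Optional[dict]:
    """Extract EventID, Image and PipeName from one Sysmon-style line, or None if it does not match."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return {"id": int(m.group("id")), "image": m.group("image"), "pipe": m.group("pipe")}


def random_pipe_reason(pipe_name: str) -> Optional[str]:
    """Return why a pipe name looks generated, or None if it looks like an ordinary named pipe."""
    name = pipe_name.lstrip("\\")
    if HEX16_RE.search(name):
        return "16-byte hex token in pipe name"
    # Only apply the entropy rule to long names; short service names are naturally low-entropy.
    if len(name) >= 20 and shannon_entropy(name) >= ENTROPY_THRESHOLD:
        return "high-entropy pipe name"
    return None


def flag_suspicious_pipes(lines) -> list:
    """Run the pipe-name heuristics over log lines and return the flagged events with a reason."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        reason = random_pipe_reason(ev["pipe"])
        if reason:
            findings.append({**ev, "reason": reason})
    return findings


def pipe_participants(findings) -> dict:
    """Group flagged events by pipe name so the creating and connecting processes are seen together."""
    by_pipe = defaultdict(set)
    for f in findings:
        by_pipe[f["pipe"]].add(f["image"])
    return dict(by_pipe)


if __name__ == "__main__":
    hits = flag_suspicious_pipes(SAMPLE_EVENTS)
    for h in hits:
        print(f"EventID {h['id']}: {h['image']} -> {h['pipe']} ({h['reason']})")
    for pipe, images in pipe_participants(hits).items():
        print(f"{pipe}: {len(images)} distinct process(es)")
```

Grouping by pipe name is the useful second step: a generated-looking pipe created by one process from a user-writable directory and connected to by another is a stronger signal than either event alone, and the two image paths are what an analyst would pivot on next.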

In 2025, the malware resurfaced in attacks against organizations in Saudi Arabia and Brazil, using fake ChatGPT apps and malicious Chrome update files to infiltrate systems. The loader uses DLL hijacking to inject malicious code.

Once installed, PipeMagic supports various modules including:

  • An asynchronous communication module for file operations
  • A loader module for injecting payloads
  • An injector module to launch C# executables
  • A network module to maintain command-and-control (C2) communication and gather system intelligence

Microsoft warns that PipeMagic’s modular and in-memory architecture makes detection difficult and cleanup complex.

As threat actors refine their tools, cybersecurity experts urge organizations across sectors—including IT, finance, and real estate—to apply security patches, monitor endpoints, and remain vigilant against evolving threats.
