Cybersecurity Alert: The Rise of PipeMagic Malware in RansomExx Attacks
Cybersecurity experts have recently revealed that threat actors are exploiting a previously patched vulnerability in Microsoft Windows to facilitate the deployment of PipeMagic malware within RansomExx ransomware campaigns. This advanced malware poses a significant risk, especially to industrial sectors, and is linked to a recognized vulnerability in the Windows operating system.
Understanding the Vulnerability
The security flaw in question, tracked as CVE-2025-29824, relates to a privilege escalation vulnerability affecting the Windows Common Log File System (CLFS). Microsoft addressed this issue in April 2025. Both Kaspersky and BI.ZONE have outlined its implications in a joint report, detailing how the exploitation has led to a rise in ransomware attacks.
PipeMagic, which was first identified in 2022, is primarily used by threat actors targeting companies in Southeast Asia. This malware exhibits capabilities that allow it to function as a comprehensive backdoor, enabling remote access and facilitating a wide array of commands on compromised machines.
Techniques and Methods of Attack
Attackers have been utilizing this vulnerability alongside another known issue, CVE-2017-0144, a remote code execution flaw in Windows SMB. This combination allows them to infiltrate victim infrastructure effectively. Notably, a series of infections observed in October 2024 in Saudi Arabia were initiated through a deceptive application mimicking OpenAI’s ChatGPT to distribute the malware.
Microsoft has attributed the exploitation of CVE-2025-29824 and the deployment of PipeMagic to a threat actor it tracks as Storm-2460.
Unique Communication Methods
A distinctive aspect of PipeMagic is its communication method. Researchers have noted that it generates a random 16-byte array and uses it to name a pipe of the form \\.\pipe\1.<hex string>. The backdoor continuously creates and destroys this pipe, which it uses to receive encrypted payloads and notifications.
The Architecture of PipeMagic Malware
PipeMagic operates as a modular malware, relying on a domain hosted on Microsoft Azure to stage additional components during an attack. The attacks observed in 2025, particularly against targets in Saudi Arabia and Brazil, have been associated with a file named "metafile.mshi." This file serves as a loader, containing C# code that decrypts and runs embedded shellcode.
The shellcode itself is configured to function on 32-bit Windows systems and loads an unencrypted executable that is embedded within it. This level of sophistication indicates a well-coordinated effort by attackers to enhance the potency of their malware.
Loader Artifacts and DLL Hijacking
Alongside the PipeMagic backdoor, researchers from Kaspersky have discovered loader artifacts posing as a ChatGPT client in 2025. These artifacts closely resemble those seen during earlier attacks. Notably, they employ DLL hijacking, allowing the attackers to execute a malicious DLL disguised as a legitimate Google Chrome update file named "googleupdate.dll."
Regardless of the approach taken during execution, the end result invariably points back to the deployment of the PipeMagic backdoor, which is equipped with several operational modules:
- Asynchronous Communication Module: This supports multiple commands for file termination, reading and writing operations, and overall session control.
- Loader Module: This module is designed to inject additional payloads directly into memory for execution.
- Injector Module: It specializes in launching C# executables.
Observations of Malware Activity
The recurring instances of PipeMagic in attacks targeting organizations in Saudi Arabia and its emergence in Brazil indicate that this malware remains active and is continuously evolving. The findings also highlight significant improvements in PipeMagic’s functionality compared to earlier versions seen in 2024.
The attacks in 2025 have also involved the ProcDump tool, renamed to dllhost.exe, being used to dump memory from the LSASS process.
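Two of the artifacts described above, the \\.\pipe\1.<hex string> pipe name and a renamed ProcDump masquerading as dllhost.exe, are easy to look for in endpoint telemetry. The following triage script is an added example, not code from the article or from the researchers it cites; it assumes Sysmon-style pipe-creation (Event ID 17) and process-creation (Event ID 1) records flattened into a constructed "key=value|key=value" format, and assumes the 16 random bytes are hex-encoded to exactly 32 characters.

```python
import re

# Assumption: the 16-byte random array appears as 32 hex digits after "1."
# The hex digits may be either case.
PIPE_RE = re.compile(r"^\\\\\.\\pipe\\1\.([0-9a-fA-F]{32})$")

# Constructed sample records (not real telemetry). Field names follow Sysmon
# Event ID 17 (PipeName, Image) and Event ID 1 (Image, OriginalFileName).
SAMPLE_EVENTS = [
    r"EventID=17|Image=C:\Users\Public\chatgpt\ChatGPT.exe|PipeName=\\.\pipe\1.3f9a0c77b1d2e4f5061728394a5b6c7d",
    r"EventID=17|Image=C:\Windows\System32\svchost.exe|PipeName=\\.\pipe\1.abc",
    r"EventID=17|Image=C:\Windows\System32\lsass.exe|PipeName=\\.\pipe\lsass",
    r"EventID=1|Image=C:\Windows\Temp\dllhost.exe|OriginalFileName=procdump.exe",
    r"EventID=1|Image=C:\Windows\System32\dllhost.exe|OriginalFileName=dllhost.exe",
]


def parse_event(line):
    """Split one constructed 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def is_pipemagic_pipe(pipe_name):
    """True if the pipe name has the \\.\pipe\1.<32 hex chars> shape."""
    return PIPE_RE.match(pipe_name) is not None


def is_masqueraded_dllhost(image, original_file_name):
    """True when a binary named dllhost.exe on disk carries a different
    OriginalFileName in its version resource (e.g. a renamed procdump.exe)."""
    basename = image.rsplit("\\", 1)[-1].lower()
    return basename == "dllhost.exe" and original_file_name.lower() != "dllhost.exe"


def triage(lines):
    """Return (indicator, image) pairs for records matching either heuristic."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") in ("17", "18") and is_pipemagic_pipe(ev.get("PipeName", "")):
            hits.append(("pipemagic_pipe", ev.get("Image", "")))
        elif ev.get("EventID") == "1" and is_masqueraded_dllhost(
            ev.get("Image", ""), ev.get("OriginalFileName", "")
        ):
            hits.append(("renamed_dllhost", ev.get("Image", "")))
    return hits


if __name__ == "__main__":
    for indicator, image in triage(SAMPLE_EVENTS):
        print(f"{indicator}: {image}")
```

The pipe heuristic is deliberately strict about the 32-character length, so pipes such as \\.\pipe\1.abc do not match; widen it only if your own samples show a different encoding.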
As organizations continue to face an increase in sophisticated cyber threats like those posed by PipeMagic, vigilance and proactive security measures are imperative to safeguard their infrastructures against such advanced malware tactics.