Hackers exploited Windows flaw CVE-2025-29824 to deploy PipeMagic malware in RansomExx attacks, Kaspersky revealed.
A joint report from Kaspersky and BI.ZONE analyzed the evolution of PipeMagic malware from its first detection in 2022 to new infections observed in 2025. The researchers identified key changes in its operators’ tactics. BI.ZONE experts focused on a technical analysis of the CVE-2025-29824 vulnerability exploited to deploy PipeMagic malware in RansomExx attacks.
In May, the Play ransomware gang exploited a Windows Common Log File System flaw, CVE-2025-29824, in zero-day attacks to gain SYSTEM privileges and deploy malware on compromised systems.
The vulnerability CVE-2025-29824 (CVSS score of 7.8) is a use-after-free in the Windows Common Log File System Driver that allows an authorized attacker to elevate privileges locally. An attacker who successfully exploited this flaw could gain SYSTEM privileges. Microsoft confirmed that the vulnerability has been exploited in attacks in the wild.
In April, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.
Microsoft addressed the flaw in April’s Patch Tuesday security updates, and the IT giant confirmed that the flaw has been exploited in a limited number of attacks against entities worldwide, including organizations in the information technology (IT) and real estate sectors of the United States, and the retail sector in Saudi Arabia.
PipeMagic, first seen in 2022 RansomExx attacks, is a backdoor enabling remote access and command execution. It was spread via CVE-2017-0144 in Windows SMB and later through a fake ChatGPT app in Saudi Arabia in 2024.

In April 2025, Microsoft linked its use of CVE-2025-29824 to Storm-2460, showing the malware’s evolving role in targeted campaigns against critical sectors.
In October 2024, PipeMagic attacks in Saudi Arabia spread via a fake Rust-based ChatGPT app showing only a blank screen. Hidden inside, AES-encrypted code unpacked shellcode that deployed the backdoor, using API hashing (FNV-1a) to evade analysis. PipeMagic created randomly named pipes (\\.\pipe\1.) for encrypted payload transfer, linked locally to 127.0.0.1:8082. The malware fetched modules from a C2 domain hosted on Microsoft Azure.
In early 2025, new PipeMagic infections were spotted in Saudi Arabia and Brazil, traced to a domain hosted on Microsoft Azure. The malware used several loaders: a malicious Microsoft Help Index file with obfuscated C# code that decrypted and executed RC4-encrypted shellcode; a fake ChatGPT client built with Tauri and Tokio, reusing techniques from the 2024 attacks; and DLL hijacking via a trojanized Google update DLL. In all cases, the loaders decrypted payloads (often with AES) and injected them into memory to deploy PipeMagic’s backdoor.
“In January 2025, we detected new infections in Saudi Arabia and Brazil. Further investigation revealed connections to the domain hxxp://aaaaabbbbbbb.eastus.cloudapp.azure[.]com, which suggested a link between this attack and PipeMagic. Later, we also found the backdoor itself.” states the report published by Kaspersky.
Investigating the 2025 PipeMagic campaign, researchers found three extra modules expanding its capabilities. The asynchronous communication module handled file I/O through commands like open, read, write, and close, though its model wasn’t fully asynchronous. The loader module injected payloads, communicating via named pipes and executing embedded 64-bit executables with a DllRegisterService interface. The injector module launched .NET payloads, bypassed AMSI by patching its scan functions, and ensured compatibility with multiple .NET runtimes.
“During our investigation of the 2025 attacks, we discovered additional plugins used in this malicious campaign. In total, we obtained three modules, each implementing different functionality not present in the main backdoor. All the modules are executable files for 32-bit Windows systems.” continues the report.
Once a target machine is compromised, attackers use ProcDump disguised as dllhost.exe to dump LSASS memory, storing it in the victim’s AppData. Attackers extract credentials from this dump, then move laterally across the network. This exact LSASS-dumping method was also highlighted by Microsoft in relation to CVE-2025-29824.
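Detection logic for the ProcDump-as-dllhost.exe behaviour described above, written here as an added example rather than code from the report: it scans constructed Sysmon-style ProcessAccess (Event ID 10) and FileCreate (Event ID 11) records for a dllhost.exe living outside a Windows system directory that opens lsass.exe, and for a .dmp file written under AppData. The field names follow Sysmon conventions; the log lines themselves are constructed samples.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style records, one event per line as key=value pairs (no spaces in values).
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Windows\System32\dllhost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
    r"EventID=10 SourceImage=C:\Users\alice\AppData\Roaming\dllhost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
    r"EventID=11 Image=C:\Users\alice\AppData\Roaming\dllhost.exe TargetFilename=C:\Users\alice\AppData\Local\Temp\svc.dmp",
]

TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

def parse_event(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def in_trusted_dir(image):
    return str(PureWindowsPath(image).parent).lower() in TRUSTED_DIRS

def is_masqueraded_dllhost(image):
    """dllhost.exe is a Windows binary; a copy outside the system directories is suspect."""
    return PureWindowsPath(image).name.lower() == "dllhost.exe" and not in_trusted_dir(image)

def classify(event):
    """Return a reason string if the event matches the LSASS-dump pattern, else None."""
    eid = event.get("EventID")
    if eid == "10" and PureWindowsPath(event.get("TargetImage", "")).name.lower() == "lsass.exe":
        src = event.get("SourceImage", "")
        access = int(event.get("GrantedAccess", "0"), 16)
        if is_masqueraded_dllhost(src):
            return f"dllhost.exe outside system dirs opened LSASS: {src}"
        if access & PROCESS_VM_READ and not in_trusted_dir(src):
            return f"non-system process opened LSASS with VM_READ: {src}"
    if eid == "11":
        target = event.get("TargetFilename", "")
        if target.lower().endswith(".dmp") and "\\appdata\\" in target.lower():
            return f"memory dump written under AppData: {target}"
    return None

def scan(lines):
    """Return (line_index, reason) for every line that trips a rule."""
    hits = []
    for i, line in enumerate(lines):
        reason = classify(parse_event(line))
        if reason:
            hits.append((i, reason))
    return hits

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"line {idx}: {reason}")
```

Only the AppData copy of dllhost.exe and the dump file trigger; the genuine System32 dllhost.exe and svchost.exe with query-only access do not.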
“The repeated detection of PipeMagic in attacks on organizations in Saudi Arabia and its appearance in Brazil indicate that the malware remains active and that the attackers continue to develop its functionality.” concludes the report. “The versions detected in 2025 show improvements over the 2024 version, aimed at persisting in victim systems and moving laterally within internal networks.”
The report also includes indicators of compromise (IoCs) for this threat.
(SecurityAffairs – hacking, PipeMagic malware)