Microsoft Windows Vulnerability Exploited to Deploy PipeMagic RansomExx Malware
Briefly

Threat actors exploited the CVE-2025-29824 vulnerability in Microsoft Windows to deploy PipeMagic malware, utilized in RansomExx ransomware attacks. This privilege escalation vulnerability affected the Windows Common Log File System and was patched by Microsoft in April 2025. PipeMagic, first documented in 2022, serves as a backdoor for executing commands on compromised hosts. Attack methods included leveraging a remote code execution flaw in Windows SMB and distributing the malware through a fake OpenAI ChatGPT application. The attacks were primarily observed in Saudi Arabia and Brazil, with a Microsoft Help Index file functioning as a loader.
"One unique feature of PipeMagic is that it generates a random 16-byte array used to create a named pipe formatted as: \\.\pipe\1.<hex string>. After that, a thread is launched that continuously creates this pipe, attempts to read data from it, and then destroys it. This communication method is necessary for the backdoor to transmit encrypted payloads and notifications."
"PipeMagic is a plugin-based modular malware that uses a domain hosted on the Microsoft Azure cloud provider to stage the additional components, with 2025 attacks aimed at Saudi Arabia and Brazil relying on a Microsoft Help Index file ('metafile.mshi') as a loader."
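The pipe-naming scheme in the first quote is a usable detection hook. The following is an added example, not code from the article or from any vendor: it matches pipe names against the `\\.\pipe\1.<hex string>` form and flags hosts that repeatedly create such a pipe, since the backdoor's thread creates and destroys it continuously. It assumes the 16 random bytes are hex-encoded (32 hex characters), that telemetry arrives as dicts with `host`, `event_id` and `pipe_name` fields, and that creation events carry Sysmon's Event ID 17 (Pipe Created); the sample events are constructed.

```python
import re
from collections import Counter

# Pipe name per the quoted description: \\.\pipe\1.<hex string>.
# Assumption (not stated in the article): the 16 random bytes are rendered as 32 hex chars.
# The \\.\pipe prefix is optional because some telemetry (e.g. Sysmon PipeName) logs only \1.<hex>.
PIPEMAGIC_PIPE_RE = re.compile(r"^(?:\\\\\.\\pipe)?\\1\.[0-9A-Fa-f]{32}$")

SYSMON_PIPE_CREATED = 17  # Sysmon Event ID 17: PipeEvent (Pipe Created)


def is_pipemagic_pipe_name(pipe_name: str) -> bool:
    """Return True if a named-pipe name matches the PipeMagic naming scheme."""
    return PIPEMAGIC_PIPE_RE.match(pipe_name) is not None


def suspicious_hosts(events, min_creates: int = 3) -> dict:
    """Count pipe-creation events with a matching name per host.

    Because PipeMagic keeps re-creating the same pipe, a host with several
    matching creations is a stronger signal than a single match. Returns
    {host: create_count} for hosts at or above min_creates.
    """
    creates = Counter()
    for ev in events:
        if ev.get("event_id") == SYSMON_PIPE_CREATED and is_pipemagic_pipe_name(ev.get("pipe_name", "")):
            creates[ev["host"]] += 1
    return {host: n for host, n in creates.items() if n >= min_creates}


# Constructed sample telemetry (hypothetical hosts and pipe names, not from the article).
SAMPLE_EVENTS = [
    {"host": "WS-01", "event_id": 17, "pipe_name": r"\\.\pipe\1." + "0f" * 16},
    {"host": "WS-01", "event_id": 17, "pipe_name": r"\\.\pipe\1." + "0f" * 16},
    {"host": "WS-01", "event_id": 17, "pipe_name": r"\1." + "0f" * 16},  # bare Sysmon-style name
    {"host": "WS-01", "event_id": 17, "pipe_name": r"\\.\pipe\ntsvcs"},  # benign, ignored
    {"host": "WS-02", "event_id": 17, "pipe_name": r"\\.\pipe\1." + "aa" * 16},
    {"host": "WS-02", "event_id": 18, "pipe_name": r"\\.\pipe\1." + "aa" * 16},  # connect, not create
]

if __name__ == "__main__":
    for host, count in suspicious_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {count} PipeMagic-style pipe creations")
```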
Read at The Hacker News