Cybersecurity researchers have revealed how the PipeMagic malware is being used in RansomExx ransomware attacks by exploiting a now-patched vulnerability in Microsoft Windows.
A joint report from Kaspersky and BI.ZONE states that the attacks exploit CVE-2025-29824, a privilege escalation flaw in the Windows Common Log File System that Microsoft fixed in April 2025.
First documented in 2022, PipeMagic is a backdoor that provides remote access and can execute commands on compromised systems. In earlier attacks, it exploited a different Windows vulnerability to infiltrate networks, while in October 2024, it was delivered through a fake OpenAI ChatGPT app. Microsoft has attributed the exploitation of CVE-2025-29824 and the deployment of PipeMagic to a threat actor it tracks as Storm-2460.
The researchers found that PipeMagic is a modular malware that uses a unique communication method involving a named pipe. In 2025 attacks in Saudi Arabia and Brazil, the malware was loaded via a Microsoft Help Index file. The loader then unpacks C# code that decrypts and runs embedded shellcode. Kaspersky also found PipeMagic loader artifacts disguised as a ChatGPT client and leveraging DLL hijacking techniques.
The researchers noted that the repeated detection of PipeMagic shows the malware is still active and its functionality is being developed. The 2025 versions include improvements for persisting in victim systems and moving laterally within networks. In recent attacks, the attackers used a renamed tool to extract memory from the LSASS process.
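The last point, a renamed tool reading LSASS memory, is one that defenders can turn into a concrete check. The script below is an added example, not code from the article or from Kaspersky or BI.ZONE: it assumes Sysmon-style process-access records (the field names SourceImage, OriginalFileName, TargetImage and GrantedAccess are this example's own naming, modelled on Sysmon Event ID 10) and flags any access to lsass.exe by a process whose on-disk file name disagrees with the name embedded in its PE version resource. The sample records are constructed.

```python
"""Flag renamed tools that open the LSASS process (added example, constructed data)."""
import ntpath

# Constructed sample records: each describes one process opening another,
# with the accessing process's on-disk path and its version-resource name.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe", "OriginalFileName": "CSRSS.Exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Users\Public\svchost32.exe", "OriginalFileName": "procdump",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"SourceImage": r"C:\Program Files\Backup\agent.exe", "OriginalFileName": "agent.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
]


def _stem(name: str) -> str:
    """Lower-cased file name without directory or extension.

    ntpath is used so Windows paths split correctly on any host, and the
    extension is dropped because OriginalFileName sometimes omits it.
    """
    base = ntpath.basename(name)
    return base.rsplit(".", 1)[0].lower()


def is_renamed(source_image: str, original_file_name: str) -> bool:
    """True when the on-disk name disagrees with the PE version-resource name."""
    if not original_file_name:
        return False  # no resource name to compare against; cannot decide
    return _stem(source_image) != _stem(original_file_name)


def find_renamed_lsass_access(events):
    """Return the events where a renamed process opened lsass.exe."""
    hits = []
    for ev in events:
        if _stem(ev.get("TargetImage", "")) != "lsass":
            continue
        if is_renamed(ev.get("SourceImage", ""), ev.get("OriginalFileName", "")):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_renamed_lsass_access(SAMPLE_EVENTS):
        print(f"renamed tool accessing LSASS: {ev['SourceImage']} "
              f"(OriginalFileName={ev['OriginalFileName']}, access={ev['GrantedAccess']})")
```

Run against the constructed records, only the second event is reported: csrss.exe matches its resource name, and the third event does not target LSASS. OriginalFileName is a useful but weak signal, since a version resource can be stripped or edited, so in practice this check is combined with the access mask and the parent process rather than used alone.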