PipeMagic Malware Evolution: Exploiting CVE-2025-29824 in RansomExx Attacks
Discover how the PipeMagic malware has evolved since 2022, exploiting the Windows CVE-2025-29824 vulnerability in RansomExx attacks. Learn about its tactics, recent campaigns, and the expanding threat to global cybersecurity.
TL;DR
The PipeMagic malware, first detected in 2022, has evolved significantly, with recent campaigns exploiting the Windows CVE-2025-29824 vulnerability to deploy RansomExx attacks. Researchers from Kaspersky and BI.ZONE uncovered its expanded capabilities, including privilege escalation, lateral movement, and evasion techniques, targeting organizations in Saudi Arabia, Brazil, and the United States. This article explores its evolution, tactics, and implications for global cybersecurity.
Introduction
In a rapidly evolving cyber threat landscape, malware like PipeMagic continues to adapt, posing significant risks to organizations worldwide. Originally identified in 2022 as a backdoor used in RansomExx attacks, PipeMagic has since undergone notable transformations, leveraging zero-day vulnerabilities and sophisticated evasion techniques to compromise systems.
A joint report by Kaspersky and BI.ZONE sheds light on its evolution, particularly its exploitation of the Windows Common Log File System vulnerability (CVE-2025-29824). This article delves into the malware’s history, recent campaigns, and the broader implications for cybersecurity.
The Evolution of PipeMagic Malware
Origins and Early Tactics
PipeMagic was first observed in 2022 as a backdoor enabling remote access and command execution. Initially, it was spread using:
- CVE-2017-0144: A vulnerability in Windows SMB (Server Message Block).
- Fake ChatGPT Applications: In 2024, attackers distributed a Rust-based fake ChatGPT app in Saudi Arabia, which appeared as a blank screen but contained AES-encrypted malicious code.
The malware employed API hashing (FNV-1a) to evade detection and used named pipes (e.g., \.\pipe\1.) for encrypted payload transfers.
Exploitation of CVE-2025-29824
In 2025, PipeMagic operators escalated their tactics by exploiting CVE-2025-29824, a Use After Free (UaF) vulnerability in the Windows Common Log File System Driver. This flaw, with a CVSS score of 7.8, allowed attackers to:
- Elevate privileges to SYSTEM level.
- Deploy malware on compromised systems.
Microsoft confirmed that this vulnerability was actively exploited in the wild, prompting its inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog in April 2025.
Recent Campaigns and Expanding Capabilities
2024: Fake ChatGPT App in Saudi Arabia
In October 2024, PipeMagic was deployed via a fake Rust-based ChatGPT application that displayed only a blank screen. The attack involved:
- AES-encrypted shellcode hidden within the app.
- Named pipes for payload transfer.
- Communication with a C2 domain hosted on Microsoft Azure.
2025: New Infections in Saudi Arabia and Brazil
By early 2025, PipeMagic infections were detected in Saudi Arabia and Brazil, linked to a domain hosted on Microsoft Azure. Attackers employed multiple loaders, including:
- A malicious Microsoft Help Index file with obfuscated C# code.
- A fake ChatGPT client built using Tauri and Tokio.
- DLL hijacking via a trojanized Google Update DLL.
In all cases, the loaders decrypted and injected payloads into memory to deploy PipeMagic’s backdoor.
Enhanced Modules and Lateral Movement
The 2025 PipeMagic campaign introduced three new modules to expand its capabilities:
- Asynchronous Communication Module: Handled file I/O operations (open, read, write, close).
- Loader Module: Injected payloads via named pipes and executed 64-bit executables.
- Injector Module: Launched .NET payloads, bypassed AMSI (Antimalware Scan Interface), and ensured compatibility with multiple .NET runtimes.
Once a system was compromised, attackers used ProcDump (disguised as dllhost.exe) to:
- Dump LSASS memory.
- Extract credentials.
- Move laterally across the network.
Key Takeaways and Implications
Why PipeMagic Matters
- Evolving Tactics: PipeMagic has continuously adapted, incorporating zero-day exploits and sophisticated evasion techniques.
- Global Threat: Recent campaigns targeted organizations in Saudi Arabia, Brazil, and the United States, indicating a broadening scope.
- Critical Sectors at Risk: Industries such as IT, real estate, and retail have been impacted, highlighting the need for proactive cybersecurity measures.
Mitigation Strategies
Organizations can protect themselves by:
- Patching Vulnerabilities: Apply Microsoft’s security updates promptly.
- Monitoring for Suspicious Activity: Detect unusual named pipe activity and LSASS memory dumps.
- Enhancing Endpoint Security: Use advanced threat detection to identify and block malicious loaders.
Conclusion
The evolution of PipeMagic malware underscores the dynamic nature of cyber threats. By exploiting CVE-2025-29824 and expanding its capabilities, PipeMagic has become a persistent and adaptable threat. Organizations must stay vigilant, prioritize patch management, and invest in robust cybersecurity solutions to mitigate risks.
As cybercriminals continue to refine their tactics, collaborative efforts between researchers, vendors, and organizations will be crucial in combating emerging threats like PipeMagic.
Additional Resources
For further insights, explore:
- Kaspersky’s Report on PipeMagic
- BI.ZONE’s Analysis of CVE-2025-29824
- Microsoft’s Advisory on CVE-2025-29824
- CISA’s KEV Catalog
Follow for more updates:
- Twitter: @securityaffairs
- Facebook: Security Affairs
- Mastodon: @securityaffairs