Microsoft Windows Vulnerability Exploited to Deploy PipeMagic RansomExx Malware

The attacks involve the exploitation of CVE-2025-29824, a privilege escalation vulnerability impacting the Windows Common Log File System (CLFS) addressed by Microsoft in April 2025, as reported by Kaspersky and BI.ZONE.

PipeMagic was first documented in 2022 as part of RansomExx ransomware attacks targeting industrial companies in Southeast Asia, acting as a backdoor providing remote access and executing commands on compromised hosts.

Earlier this April, Microsoft attributed the exploitation of CVE-2025-29824 and the deployment of PipeMagic to a threat actor identified as Storm-2460.

PipeMagic is a plugin-based modular malware that uses a domain hosted on Microsoft Azure to stage additional components. The 2025 attacks aimed at Saudi Arabia and Brazil relied on a Microsoft Help Index file (“metafile.mshi”) as a loader, which unpacks C# code that decrypts and executes embedded shellcode.

Researchers noted, “The repeated detection of PipeMagic in attacks on organizations in Saudi Arabia and its appearance in Brazil indicate that the malware remains active, and the attackers continue to develop its functionality.”

To read the complete article see: The Hacker News

This post is licensed under CC BY 4.0 by the author.