Ethical Hacking News

AI's Hidden Security Debt: The PipeMagic RansomExx Malware Exploits Microsoft Windows Vulnerability


Researchers have discovered a new piece of malware, PipeMagic, which has been used in a series of ransomware attacks targeting industrial companies in Saudi Arabia and Brazil. The attackers exploited a previously patched security flaw in Microsoft Windows to deploy the malware. This vulnerability was addressed by Microsoft in April 2025, but it appears that threat actors had already discovered and exploited it before its patch was released. The researchers have concluded that the attacks involving PipeMagic are a serious threat to industrial companies.

  • The PipeMagic malware has been deployed in a series of ransomware attacks targeting industrial companies in Saudi Arabia and Brazil.
  • The attackers exploited a previously patched security flaw in Microsoft Windows to deploy the malware, CVE-2025-29824, which was addressed by Microsoft in April 2025.
  • PipeMagic is a plugin-based modular malware that can be used as a full-fledged backdoor providing remote access and executing various commands.
  • The attackers have been using different methods to deliver the malware, including leveraging a fake OpenAI ChatGPT app and exploiting other known vulnerabilities.
  • The malware features a unique communication method involving named pipes and shellcode that is executed by a loader module.
  • Microsoft tracks this threat actor as Storm-2460, and organizations are urged to patch their systems and protect against PipeMagic attacks.



    The cybersecurity world has been abuzz with the recent discovery of a highly sophisticated malware, dubbed PipeMagic, which has been deployed in a series of ransomware attacks targeting industrial companies in Saudi Arabia and Brazil. According to researchers at Kaspersky and BI.ZONE, the attackers have successfully exploited a previously patched security flaw in Microsoft Windows to deploy the malware.

    The vulnerability in question, CVE-2025-29824, is a privilege escalation vulnerability impacting the Windows Common Log File System (CLFS). This vulnerability was addressed by Microsoft in April 2025, but it appears that threat actors had already discovered and exploited it before its patch was released. The exploitation of this vulnerability allows attackers to gain unauthorized access to the system, paving the way for the deployment of the PipeMagic malware.

    PipeMagic is a plugin-based modular malware that uses a domain hosted on the Microsoft Azure cloud provider to stage additional components. It is designed to be highly adaptable and can be used in various ways, including as a full-fledged backdoor providing remote access and executing a wide range of commands on compromised hosts.

    One unique feature of PipeMagic is that it generates a random 16-byte array used to create a named pipe formatted as: \\.\pipe\1.<hex string>. After that, a thread is launched that continuously creates this pipe, attempts to read data from it, and then destroys it. This communication method is necessary for the backdoor to transmit encrypted payloads and notifications.
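    As an added example that is not part of the article and not Kaspersky's or BI.ZONE's code, the following Python detection logic runs over constructed pipe-event log lines and flags pipe names with the `\\.\pipe\1.<hex string>` shape described above, together with the repeated create cycle of the same pipe by one process. The log field layout (EventID/Image/PipeName) is a simplified assumption modelled loosely on Sysmon pipe events, and the hex run is accepted at any length because the article does not state how the 16-byte array is encoded.

```python
import re
from collections import Counter

# Pipe name shape from the article: \\.\pipe\1.<hex string>. The \\.\pipe\ prefix
# is optional because some sensors log only the bare pipe name. Hex length is not
# fixed here (assumption: the article does not say how the 16 bytes are encoded).
PIPEMAGIC_PIPE = re.compile(r"^(?:\\\\\.\\pipe\\)?1\.[0-9a-f]+$", re.IGNORECASE)

# Simplified event line layout (assumption, not a real sensor format):
# EventID 17 = pipe created, EventID 18 = pipe connected, as in Sysmon.
EVENT_RE = re.compile(r"^EventID=(\d+) Image=(.+?) PipeName=(\S+)$")

# Constructed sample telemetry: one benign pipe, one process that repeatedly
# re-creates a matching pipe (the create/read/destroy loop), one near-miss name.
SAMPLE_EVENTS = r"""
EventID=17 Image=C:\Windows\System32\svchost.exe PipeName=\\.\pipe\ntsvcs
EventID=17 Image=C:\Users\u\AppData\Local\Temp\loader.exe PipeName=\\.\pipe\1.3f9c1a7e5d2b4c8a9e0f1d2c3b4a5968
EventID=18 Image=C:\Users\u\AppData\Local\Temp\loader.exe PipeName=\\.\pipe\1.3f9c1a7e5d2b4c8a9e0f1d2c3b4a5968
EventID=17 Image=C:\Users\u\AppData\Local\Temp\loader.exe PipeName=\\.\pipe\1.3f9c1a7e5d2b4c8a9e0f1d2c3b4a5968
EventID=17 Image=C:\Users\u\AppData\Local\Temp\loader.exe PipeName=\\.\pipe\1.3f9c1a7e5d2b4c8a9e0f1d2c3b4a5968
EventID=17 Image=C:\Program Files\App\app.exe PipeName=\\.\pipe\1.notahexstring
"""


def is_pipemagic_name(pipe_name: str) -> bool:
    """True if the pipe name has the 1.<hex> shape, with or without the \\.\pipe\ prefix."""
    return PIPEMAGIC_PIPE.match(pipe_name) is not None


def parse_events(text: str):
    """Yield (event_id, image, pipe_name) tuples; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)


def find_suspicious_pipes(text: str, min_creates: int = 2) -> dict:
    """Count pipe-created events per (image, pipe) for matching names.

    A single matching create may be noise; the same process re-creating the same
    matching pipe repeatedly mirrors the loop described in the article.
    """
    creates = Counter()
    for event_id, image, pipe in parse_events(text):
        if event_id == 17 and is_pipemagic_name(pipe):
            creates[(image, pipe)] += 1
    return {key: n for key, n in creates.items() if n >= min_creates}


if __name__ == "__main__":
    for (image, pipe), n in find_suspicious_pipes(SAMPLE_EVENTS).items():
        print(f"suspicious: {image} created {pipe} {n} times")
```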

    The attackers have been using different methods to deliver the malware, including leveraging a fake OpenAI ChatGPT app as bait to infiltrate victim infrastructure. In October 2024, in Saudi Arabia, they were spotted exploiting CVE-2017-0144, a remote code execution flaw in Windows SMB, to infiltrate systems.

    Earlier this April, Microsoft attributed the exploitation of CVE-2025-29824 and the deployment of PipeMagic to a threat actor it tracks as Storm-2460. The researchers at Kaspersky have also found that the attackers are using a loader module to unpack C# code that decrypts and executes embedded shellcode.

    The injected shellcode is executable code for 32-bit Windows systems, which loads an unencrypted executable embedded inside itself. This executable contains additional payloads that can be launched through the backdoor.

    The attackers have also been observed leveraging DLL hijacking techniques to run a malicious DLL that mimics a Google Chrome update file ("googleupdate.dll"). The loader module in these cases masquerades as a ChatGPT client, similar to those previously seen in October 2024.

    Regardless of the loading method used, it all leads to the deployment of the PipeMagic backdoor that supports various modules, including:

    * Asynchronous communication module that supports five commands to terminate the plugin, read/write files, terminate a file operation, or terminate all file operations
    * Loader module to inject additional payloads into memory and execute them
    * Injector module to launch a C# executable

    The researchers at Kaspersky have concluded that the attacks involving PipeMagic are a serious threat to industrial companies in Saudi Arabia and Brazil. They urge organizations to take immediate action to patch their systems and protect against this type of attack.

    In conclusion, the recent discovery of the PipeMagic malware highlights the ongoing threat landscape in the cybersecurity world. As threat actors continue to evolve and adapt, it is essential for organizations to stay vigilant and proactive in protecting their systems and data.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Ais-Hidden-Security-Debt-The-PipeMagic-RansomExx-Malware-Exploits-Microsoft-Windows-Vulnerability-ehn.shtml
  • https://thehackernews.com/2025/08/microsoft-windows-vulnerability.html
  • https://nvd.nist.gov/vuln/detail/CVE-2017-0144
  • https://www.cvedetails.com/cve/CVE-2017-0144/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-29824
  • https://www.cvedetails.com/cve/CVE-2025-29824/


  • Published: Mon Aug 18 12:36:23 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News. All rights reserved.