Cybersecurity researchers are shedding light on the exploitation of a now-patched Windows security flaw by threat actors to deploy the PipeMagic malware in RansomExx ransomware attacks.
The attacks involve the exploitation of CVE-2025-29824, a privilege escalation vulnerability in the Windows Common Log File System (CLFS) that Microsoft patched in April 2025.
PipeMagic was first documented in 2022 as part of RansomExx ransomware attacks targeting industrial companies in Southeast Asia.
In those attacks, the threat actors were found to exploit CVE-2017-0144, a Windows SMB remote code execution flaw, to infiltrate the victim's infrastructure. A subsequent infection chain observed in Saudi Arabia in October 2024 used a fake OpenAI ChatGPT app as bait to deliver the malware.
In early April, Microsoft attributed the exploitation of CVE-2025-29824 and the deployment of PipeMagic to a threat actor it tracks as Storm-2460.
"One of PipeMagic's unique features is that it generates a random 16-byte array that is used to create a named pipe with a name formatted like `\\.\pipe\1.<hex string>`," said researchers Leonid Bezvershenko, Kirill Korchemny, and Ilya Savelyev. "A thread is then launched that continuously tries to create this pipe, attempts to read data from it, and then destroys it. This communication method is necessary for the backdoor to send encrypted payloads and notifications."
PipeMagic is a plugin-based modular malware that uses domains hosted on the Microsoft Azure cloud to stage additional components. The 2025 attacks targeting Saudi Arabia and Brazil rely on a Microsoft Help Index file ("Metafile.mshi") as the loader, which unpacks C# code that in turn decrypts and executes the embedded shellcode.
"The injected shellcode is executable code for a 32-bit Windows system," the researchers said. "It loads an unencrypted executable that is not embedded in the shellcode itself."
Kaspersky also said it discovered in October 2025 a PipeMagic loader artifact that poses as a ChatGPT client, similar to the one seen previously. The sample has been observed to use DLL hijacking to run a malicious DLL that masquerades as the Google Chrome update file ("GoogleUpdate.dll").
Regardless of the loading method used, the chain ultimately leads to the deployment of the PipeMagic backdoor, which supports various modules:
- An asynchronous communication module that supports five commands: exit the plugin, read a file, write a file, terminate a file operation, and terminate all file operations
- A loader module that injects additional payloads into memory and runs them
- An injector module that launches a C# executable
"The repeated detection of PipeMagic in attacks on Saudi organizations, and its arrival in Brazil, shows that the malware remains active and that attackers continue to develop its functionality," the researchers said.
"The version detected in 2025 shows improvements over the 2024 version intended to persist in the victim's system and move laterally within the internal network. In the 2025 attack, the attackers extracted memory from the LSASS process using the ProcDump tool, renamed to dllhost.exe."
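Two details in this article translate directly into host-based detections: the backdoor's named-pipe format (a fixed `\1.` prefix followed by 16 random bytes) and the use of a legitimate memory-dumping tool renamed to a system binary name. The following is an added example, not code from the article or from Kaspersky, that runs both checks over constructed Sysmon-style events. It assumes the 16 random bytes are hex-encoded (32 hex characters), that Sysmon records the pipe name without the `\\.\pipe` prefix (as it does for Event ID 17), and that the PE version resource of the renamed tool still carries its original name in the `OriginalFileName` field of Event ID 1; the event records themselves are invented for the example.

```python
import re

# PipeMagic pipe-name format described in the article: "1." followed by the
# random 16-byte array. Assumption: the bytes are hex-encoded (32 hex chars).
# Sysmon's PipeName field omits the \\.\pipe prefix, so both forms are accepted.
PIPEMAGIC_PIPE_RE = re.compile(r"^(?:\\\\\.\\pipe)?\\1\.[0-9a-f]{32}$", re.IGNORECASE)

# Constructed sample events (not real telemetry), shaped like Sysmon
# Event ID 17 (Pipe Created) and Event ID 1 (Process Create).
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\ntsvcs"},
    {"EventID": 17, "Image": r"C:\Windows\System32\dllhost.exe",
     "PipeName": r"\1.0a1b2c3d4e5f60718293a4b5c6d7e8f9"},
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe",
     "OriginalFileName": "dllhost.exe",
     "CommandLine": "dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}"},
    {"EventID": 1, "Image": r"C:\Users\Public\dllhost.exe",
     "OriginalFileName": "procdump",
     "CommandLine": r"dllhost.exe -accepteula -ma lsass.exe C:\Users\Public\l.dmp"},
]


def is_pipemagic_pipe(pipe_name: str) -> bool:
    """True when a pipe name matches the \\.\pipe\1.<32 hex chars> pattern."""
    return bool(PIPEMAGIC_PIPE_RE.match(pipe_name))


def is_renamed_binary(event: dict) -> bool:
    """True when the on-disk file name differs from the PE's OriginalFileName.

    A legitimate dllhost.exe carries OriginalFileName "dllhost.exe"; a renamed
    ProcDump still reports its own name in the version resource.
    """
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    if not original:
        return False  # no version info to compare against
    # Compare base names so "procdump" and "procdump.exe" are treated alike.
    return image.split(".")[0] != original.split(".")[0]


def analyze(events):
    """Return (reason, image, detail) tuples for every suspicious event."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 17 and is_pipemagic_pipe(ev.get("PipeName", "")):
            findings.append(("pipemagic_named_pipe", ev["Image"], ev["PipeName"]))
        elif ev.get("EventID") == 1 and is_renamed_binary(ev):
            reason = "renamed_binary"
            # Escalate when the renamed tool's command line references LSASS,
            # matching the credential-dumping behaviour described in the article.
            if "lsass" in ev.get("CommandLine", "").lower():
                reason = "renamed_binary_targeting_lsass"
            findings.append((reason, ev["Image"], ev.get("OriginalFileName")))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The pipe check is cheap and specific, since legitimate software rarely names pipes as a bare "1." followed by 32 hex characters, while the rename check is generic: any Process Create event whose image name disagrees with its `OriginalFileName` deserves a look, and one that also references LSASS deserves an immediate one.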