Cybersecurity researchers from Kaspersky and BI.ZONE have uncovered renewed use of the PipeMagic malware in targeted RansomExx ransomware campaigns, leveraging a recently patched Windows vulnerability, CVE-2025-29824. The flaw, a privilege escalation bug in the Windows Common Log File System (CLFS), was exploited to deploy PipeMagic as part of attacks earlier this year in Saudi Arabia and Brazil, with Microsoft attributing the campaign to the threat actor Storm-2460.
PipeMagic, a modular backdoor first observed in 2022, has evolved significantly. It supports remote access, shellcode injection, encrypted communications, and various file operations. In 2025 incidents, attackers used Microsoft Help Index files and DLL hijacking techniques to deliver the malware, including malicious loaders disguised as ChatGPT clients and fake Google Chrome updates. A key technical hallmark of PipeMagic is its use of dynamically generated named pipes to transmit encrypted payloads.
In addition to sophisticated persistence and lateral movement tactics, the latest campaigns used renamed tools, such as ProcDump running as dllhost.exe, to dump memory from the LSASS process, the Windows component that holds cached credentials. The operators also hosted the malware's modular components on Microsoft Azure, an example of the threat actors' abuse of legitimate cloud infrastructure.
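Two of the techniques named above, a renamed ProcDump binary and a process reading LSASS memory, are detectable from endpoint telemetry. The following is an added example, not code from the researchers or the article: it runs two simple rules over constructed events shaped like Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess); the ProcDump OriginalFileName values and the LSASS-reader allowlist are assumptions to tune per environment.

```python
"""Two detections for tradecraft named above: ProcDump renamed to dllhost.exe and a
process reading LSASS memory. Constructed Sysmon-shaped events (IDs 1 and 10)."""
import ntpath

# winnt.h access-mask bits that allow reading another process's memory.
READ_MASK = 0x0010 | 0x0400  # PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
# PE OriginalFileName values ProcDump builds carry (assumed, as Sysmon reports them).
PROCDUMP_NAMES = {"procdump", "procdump64"}
# Processes allowed to open LSASS on this host (assumed allowlist; tune per estate).
LSASS_READERS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}

def stem(path):  # 'C:\\x\\DllHost.EXE' -> 'dllhost'
    return ntpath.basename(path).lower().rsplit(".", 1)[0]

def renamed_procdump(event):
    """ID 1: embedded name says ProcDump but the image on disk is called something else."""
    original = stem(event.get("OriginalFileName", ""))
    return original in PROCDUMP_NAMES and stem(event["Image"]) != original

def lsass_memory_read(event):
    """ID 10: a non-allowlisted process opened lsass.exe with memory-read rights."""
    if ntpath.basename(event["TargetImage"]).lower() != "lsass.exe":
        return False
    granted = int(event["GrantedAccess"], 16)  # Sysmon logs the mask as hex text
    source = ntpath.basename(event["SourceImage"]).lower()
    return bool(granted & READ_MASK) and source not in LSASS_READERS_ALLOWED

def triage(events):
    """Return (event index, rule name) for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 1 and renamed_procdump(ev):
            hits.append((i, "renamed_procdump"))
        elif ev["EventID"] == 10 and lsass_memory_read(ev):
            hits.append((i, "lsass_memory_read"))
    return hits

# Constructed sample telemetry (not real logs from the campaign).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe", "OriginalFileName": "dllhost.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\dllhost.exe", "OriginalFileName": "procdump"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\dllhost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The rename check only fires for binaries whose embedded OriginalFileName is on the watchlist, which keeps it quiet on the many legitimate Windows binaries whose on-disk name differs from their version-info name.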
Canon Medical Systems reported on the Windows Common Log File System Driver Vulnerability (CVE-2022-37969) back in 2022, though the company indicated that the vulnerability was unlikely to impact their products.
The evolution of PipeMagic and its resurgence in real-world intrusions signal a continued threat to industrial and enterprise environments. Researchers warn that despite Microsoft's patch in April, organizations that have not applied the update remain exposed to exploitation and ransomware compromise.