Particle.news


Microsoft Details Evolving PipeMagic Backdoor Tied to Storm-2460 CLFS Exploit

Fresh analysis explains how the backdoor stays hidden from common defenses through modular design.

[Image: Fake ChatGPT app spreads PipeMagic malware, warns Microsoft]
[Image: Fake ChatGPT Desktop App Delivering PipeMagic Backdoor, Microsoft]

Overview

  • Microsoft and third‑party researchers describe PipeMagic as a modular, in‑memory backdoor that uses encrypted named pipes and linked lists to manage payloads and communications.
  • Recent reports document new loaders and delivery vectors, including a trojanized ChatGPT desktop app, a malicious Microsoft Help Index file, and DLL hijacking, with components staged on Azure infrastructure.
  • The campaigns leveraged CVE-2025-29824 in the Windows CLFS driver for local privilege escalation; Microsoft patched it in April after confirming limited in‑the‑wild exploitation, and CISA added it to the KEV catalog.
  • Kaspersky and BI.ZONE detail added modules for file operations, payload injection, and .NET execution, as well as the use of ProcDump renamed as dllhost.exe to dump LSASS for credential theft and lateral movement.
  • Microsoft attributes the activity to Storm-2460 with ties to ransomware operations including RansomExx, has shipped Defender detections, and urges layered endpoint hardening.
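The LSASS-dumping step above (ProcDump renamed to dllhost.exe) is the kind of masquerading that process-creation telemetry can catch, because the PE version resource's OriginalFileName survives a rename on disk. The following is an added detection example written for this page; it is not code from Microsoft, Kaspersky or BI.ZONE. It assumes Sysmon-style Event ID 1 fields (Image, OriginalFileName, CommandLine), that ProcDump's version resource reports "procdump" as its original file name, and the sample events are constructed, not real telemetry.

```python
import os
import re

# Constructed sample process-creation records in Sysmon Event ID 1 style.
# These are illustrative, not captured telemetry.
SAMPLE_EVENTS = [
    {   # Legitimate COM surrogate: on-disk name matches the PE original name.
        "Image": r"C:\Windows\System32\dllhost.exe",
        "OriginalFileName": "dllhost.exe",
        "CommandLine": r"C:\Windows\System32\dllhost.exe /Processid:{CONSTRUCTED-GUID}",
    },
    {   # ProcDump copied to dllhost.exe and pointed at LSASS (the pattern the
        # reports describe). OriginalFileName "procdump" is an assumption about
        # the tool's version resource.
        "Image": r"C:\Users\Public\dllhost.exe",
        "OriginalFileName": "procdump",
        "CommandLine": r"C:\Users\Public\dllhost.exe -accepteula -ma lsass.exe C:\Users\Public\out.dmp",
    },
    {   # Un-renamed ProcDump used on an ordinary process: not flagged.
        "Image": r"C:\Tools\procdump.exe",
        "OriginalFileName": "procdump",
        "CommandLine": r"C:\Tools\procdump.exe -ma notepad.exe C:\Tools\np.dmp",
    },
]

# Matches "lsass" or "lsass.exe" as a whole token anywhere in a command line.
LSASS_RE = re.compile(r"\blsass(\.exe)?\b", re.IGNORECASE)


def basename_stem(path: str) -> str:
    """Lower-case file name without directory or extension, for both \\ and / paths."""
    name = os.path.basename(path.replace("\\", "/"))
    return os.path.splitext(name)[0].lower()


def analyze(event: dict) -> list:
    """Return a list of reason tags for one process-creation event (empty = benign)."""
    reasons = []
    image = basename_stem(event.get("Image", ""))
    original = basename_stem(event.get("OriginalFileName", ""))

    # Rename masquerade: the executable's embedded name disagrees with its on-disk name.
    if original and image != original:
        reasons.append(f"masquerade:{original}->{image}")

    # ProcDump (by either name) invoked against LSASS: credential-dumping indicator.
    if "procdump" in (image, original) and LSASS_RE.search(event.get("CommandLine", "")):
        reasons.append("procdump_lsass_dump")

    return reasons


def find_suspicious(events: list) -> list:
    """Return (Image, reasons) pairs for every event that produced at least one reason."""
    hits = []
    for ev in events:
        reasons = analyze(ev)
        if reasons:
            hits.append((ev["Image"], reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in find_suspicious(SAMPLE_EVENTS):
        print(image, "->", ", ".join(reasons))
```

The masquerade check alone is noisy in real fleets (some installers legitimately rename binaries), so the second tag, which requires a ProcDump identity plus an LSASS target, is the one worth alerting on; the rename mismatch is best kept as supporting context in the same alert.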