Particle.news


PipeMagic Backdoor Exploits Patched Windows CLFS Flaw in New RansomExx Attacks

A joint report reveals modular updates that stage payloads on Microsoft Azure through customized loaders

Image: Fake ChatGPT Desktop App Delivering PipeMagic Backdoor, Microsoft

Overview

  • Threat actors leveraged a Windows CLFS privilege-escalation vulnerability (CVE-2025-29824) that Microsoft patched in April 2025 to deploy the PipeMagic backdoor.
  • Microsoft has attributed the exploitation of the flaw and the backdoor’s use in ransomware chains to the group it tracks as Storm-2460.
  • The updated backdoor has been detected in recent campaigns against organizations in Saudi Arabia and Brazil.
  • Researchers identified loader artifacts disguised as a fake ChatGPT desktop app and DLL hijacks of googleupdate.dll to evade security tools.
  • PipeMagic’s latest variants enable encrypted communication over randomized named pipes, use ProcDump renamed to dllhost.exe for LSASS memory extraction, and establish WebSocket-style command channels.
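As an added defender-side example (not code from the report, Microsoft, or Particle.news), the checks below turn three of the artifacts listed above into detection logic run over constructed Sysmon-style events: a dllhost.exe whose embedded original filename is ProcDump's, a handle opened to lsass.exe from outside C:\Windows, and googleupdate.dll loading from an unexpected directory. Field names follow Sysmon's schema; the sample events and the googleupdate.dll allowlist are assumptions.

```python
import ntpath
# Hypothetical allowlist for a legitimate googleupdate.dll (assumption; tune it).
ALLOWED_GOOGLEUPDATE_DIRS = [r"C:\Program Files (x86)\Google\Update"]
# Constructed Sysmon-style sample events (IDs 1, 10, 7), not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe",
     "OriginalFileName": "dllhost.exe"},                   # genuine dllhost
    {"EventID": 1, "Image": r"C:\Users\Public\dllhost.exe",
     "OriginalFileName": "procdump.exe"},                  # ProcDump renamed
    {"EventID": 10, "SourceImage": r"C:\Users\Public\dllhost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},     # LSASS handle
    {"EventID": 7, "Image": r"C:\Users\Public\updater.exe",
     "ImageLoaded": r"C:\Users\Public\googleupdate.dll"},  # hijacked DLL
]

def _under(path, directory):
    # Case-insensitive "path lies inside directory" for Windows paths.
    return path.lower().startswith(directory.lower().rstrip("\\") + "\\")

def is_renamed_procdump(ev):
    # dllhost.exe whose PE-embedded name is ProcDump's (or just disagrees
    # with the on-disk name) is a renamed tool, not the real COM Surrogate.
    if ev.get("EventID") != 1:
        return False
    image = ntpath.basename(ev["Image"]).lower()
    orig = ev.get("OriginalFileName", "").lower()
    return image == "dllhost.exe" and bool(orig) and (
        orig.startswith("procdump") or orig != image)

def is_lsass_access(ev):
    # Handle to lsass.exe opened by a process living outside C:\Windows.
    if ev.get("EventID") != 10:
        return False
    return (ntpath.basename(ev["TargetImage"]).lower() == "lsass.exe"
            and not _under(ev["SourceImage"], r"C:\Windows"))

def is_sideloaded_googleupdate(ev, allowed_dirs=ALLOWED_GOOGLEUPDATE_DIRS):
    # googleupdate.dll loaded from a directory outside the allowlist.
    if ev.get("EventID") != 7:
        return False
    loaded = ev["ImageLoaded"]
    return (ntpath.basename(loaded).lower() == "googleupdate.dll"
            and not any(_under(loaded, d) for d in allowed_dirs))

def scan(events):
    # Returns (event index, rule name) for every event that trips a rule.
    rules = {"renamed-procdump": is_renamed_procdump, "lsass-access": is_lsass_access,
             "googleupdate-sideload": is_sideloaded_googleupdate}
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in rules.items() if rule(ev)]
```

The process-path and allowlist heuristics are deliberately simple and will need tuning against a real environment's baseline before they are alerting rules.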