Particle.news


Researchers Detail PipeMagic Backdoor Tied to Patched Windows CLFS Exploit as Microsoft Rolls Out Defender Detections

Researchers say the malware remains active, with upgrades that strengthen persistence and enable lateral movement.

[Image: Fake ChatGPT Desktop App Delivering PipeMagic Backdoor (source: Microsoft)]

Overview

  • Kaspersky and BI.ZONE report that recent intrusions in Saudi Arabia and Brazil used CVE-2025-29824, now patched, to gain SYSTEM privileges before deploying PipeMagic.
  • Microsoft tracks the activity as Storm-2460 and links it to RansomExx-related operations spanning multiple industries and regions.
  • Initial access has involved a trojanized ChatGPT desktop client from unofficial sources, Microsoft Help Index loaders, and DLL hijacking that impersonated googleupdate.dll.
  • PipeMagic uses modular plugins, encrypted named pipes, and in-memory execution, with 2025 variants adding features that strengthen persistence and facilitate lateral movement.
  • Researchers published indicators and guidance urging organizations to apply April’s patches, block known Azure-hosted staging domains, and avoid unverified ChatGPT clients.
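As an added defender-side example (not code from the cited reports or from Microsoft), a PowerShell sweep for the googleupdate.dll impersonation named above: it lists every file with that name under a set of assumed search roots, checks the Authenticode signature, and flags copies that are unsigned, invalid, or not signed by Google, with SHA-256 hashes for comparison against published indicators. The search roots and the "signer names Google" heuristic are assumptions, not details from the reports.

```powershell
# Hunt for googleupdate.dll copies that may be DLL-hijacking decoys.
# Assumptions (not from the reports): the search roots below, and that a
# legitimate Google component carries a valid Authenticode signature whose
# subject names Google. Matches are flagged for review, never deleted.
param(
    [string[]]$SearchRoots = @(
        "$env:ProgramFiles", "${env:ProgramFiles(x86)}",
        "$env:LOCALAPPDATA", "$env:ProgramData", "$env:TEMP"
    )
)

function Get-SuspiciousGoogleUpdateDll {
    param([string[]]$Roots)

    foreach ($root in $Roots) {
        if ([string]::IsNullOrEmpty($root) -or -not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root -Recurse -Force -File `
            -Filter 'googleupdate.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            # Anything not validly signed by Google deserves a closer look.
            $suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'Google')

            [pscustomobject]@{
                Path       = $_.FullName
                SizeBytes  = $_.Length
                ModifiedUtc = $_.LastWriteTimeUtc
                SigStatus  = $sig.Status
                Signer     = $signer
                SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Suspicious = $suspicious
            }
        }
    }
}

# Suspicious entries first; hashes can be checked against the vendors' indicator lists.
Get-SuspiciousGoogleUpdateDll -Roots $SearchRoots |
    Sort-Object Suspicious -Descending |
    Format-Table Path, SigStatus, Signer, Suspicious, SHA256 -AutoSize
```

Run it as an administrator so protected directories are readable; a legitimately signed copy in an unexpected location still merits review, since the check only covers signature status and signer.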