Researchers Detail PipeMagic Backdoor Using Fake ChatGPT App and CLFS Exploit

Microsoft now provides Defender detections after confirming PipeMagic’s role in CLFS zero‑day ransomware campaigns.

Figure: Fake ChatGPT app spreads PipeMagic malware, warns Microsoft
Figure: Fake ChatGPT Desktop App Delivering PipeMagic Backdoor, Microsoft

Overview

  • New technical analyses from Microsoft, Kaspersky and BI.ZONE describe PipeMagic’s modular, in‑memory design with encrypted named pipes and doubly linked lists managing payloads.
  • Attackers seeded a trojanized copy of the open‑source ChatGPT Desktop app as an in‑memory dropper, alongside other loaders such as a malicious .mshi Help file and DLL hijacking.
  • CVE-2025-29824, a CLFS privilege‑escalation flaw patched in April, remains under limited in‑the‑wild exploitation in targeted intrusions across the United States, Europe, South America and the Middle East.
  • Microsoft attributes the activity to the financially motivated group Storm‑2460 linked to RansomEXX operations, with components and C2 infrastructure observed on Microsoft Azure.
  • Observed post‑exploitation included LSASS credential dumping with ProcDump renamed as dllhost.exe; vendors published indicators of compromise and mitigation guidance, and Microsoft's detections are available in Defender.
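As an added example (not code from Microsoft, Kaspersky or BI.ZONE), the renamed-ProcDump behaviour from the last bullet expressed as detection logic over constructed Sysmon-style process-creation records. The sample paths are constructed, and the assumption that ProcDump's PE version info reports OriginalFileName "procdump" is mine, not the page's.

```python
import ntpath

# Constructed Sysmon-style process-creation (Event ID 1) records, not real telemetry.
# ProcDump is assumed to carry OriginalFileName "procdump" in its PE version info.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\dllhost.exe", "OriginalFileName": "dllhost.exe",
     "CommandLine": r"C:\Windows\System32\dllhost.exe /Processid:{PLACEHOLDER-GUID}"},
    {"Image": r"C:\Users\Public\dllhost.exe", "OriginalFileName": "procdump",
     "CommandLine": r"dllhost.exe -accepteula -ma lsass.exe C:\Users\Public\l.dmp"},
    {"Image": r"C:\Tools\procdump64.exe", "OriginalFileName": "procdump",
     "CommandLine": r"procdump64.exe -accepteula -ma notepad.exe out.dmp"},
]

# Directories where the legitimate COM surrogate dllhost.exe is expected to live.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# ProcDump switches that write a process memory dump.
DUMP_SWITCHES = {"-ma", "-mm", "-mp", "-mk"}


def _stem(name: str) -> str:
    """Lower-cased file name without directory or extension."""
    return ntpath.splitext(ntpath.basename(name))[0].lower()


def assess_event(ev: dict) -> list:
    """Return the detection reasons that fire for one process-creation record."""
    reasons = []
    image = ev.get("Image", "")
    image_stem = _stem(image)
    orig_stem = _stem(ev.get("OriginalFileName", ""))
    tokens = ev.get("CommandLine", "").lower().split()
    # 1. ProcDump executing under a different on-disk name (e.g. dllhost.exe).
    if orig_stem == "procdump" and not image_stem.startswith("procdump"):
        reasons.append("renamed_procdump")
    # 2. A dump switch aimed at LSASS, regardless of what the binary is called.
    if any(t in DUMP_SWITCHES for t in tokens) and any("lsass" in t for t in tokens):
        reasons.append("lsass_dump_cmdline")
    # 3. Something named dllhost.exe running outside the system directories.
    if image_stem == "dllhost" and ntpath.dirname(image.lower()) not in SYSTEM_DIRS:
        reasons.append("dllhost_outside_system32")
    return reasons


def find_suspicious(events: list) -> dict:
    """Map record index -> reasons for every record that triggers at least one reason."""
    return {i: r for i, ev in enumerate(events) if (r := assess_event(ev))}
```

Each reason is an independent signal, so the renamed binary is still caught if an attacker changes the target name, and an LSASS dump is still caught if the PE version info has been stripped.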