Attackers are deploying a sophisticated, modular backdoor that mimics ChatGPT Desktop to disguise itself as part of an attack chain that exploits a critical Windows flaw to deliver the Play ransomware.
A threat group that Microsoft tracks as Storm-2460 is deploying the PipeMagic backdoor in an attack campaign that exploits CVE-2025-29824, an elevation-of-privilege vulnerability in Windows Common Log File System (CLFS) that allows attackers to gain system-level privileges on compromised systems, Microsoft Threat Intelligence (MTI) revealed in a blog post on Aug. 18.
The flaw — found in the CLFS Driver, a kernel-level component that manages logging for different Windows services and applications — was a zero-day flaw when it was discovered in April. Microsoft patched it as part of its April Patch Tuesday raft of security updates.
That hasn’t stopped Storm-2460, aka Play ransomware group, from exploiting unpatched systems affected by the flaw in organizations across multiple sectors and geographies, including the IT, financial, and real estate sectors in the US, Europe, South America, and the Middle East. Microsoft itself does not associate Play with Storm-2460, though other researchers have drawn links between the two.
In April, Microsoft observed Storm-2460 using the bug to spread ransomware to organizations in the US IT and real estate sectors, financial companies in Venezuela, retail companies in Saudi Arabia, and a Spanish software firm.
Evolution of PipeMagic Backdoor
In addition to deploying ransomware, the group also is wielding an updated version of the PipeMagic backdoor, which allows attackers to maintain a presence and perform other activities on an infected system even after dropping their ransomware payload.
Researchers at Kaspersky — which first discovered PipeMagic in December 2022 — in collaboration with BI.ZONE Vulnerability Research experts also observed new 2025 activity associated with the PipeMagic backdoor that shows “sustained interest” in Saudi Arabian organizations and expansion into the Brazilian manufacturing sector, according to a blog post published over the weekend.
In fact, the researchers said that activity targeting CVE-2025-29824 — the only one among the 121 patched by Microsoft in April that was actively exploited in the wild — was specifically tied to “an exploit integrated into the PipeMagic infection chain,” according to the post.
“The reemergence of PipeMagic confirms that this malware remains active and continues to evolve,” Leonid Bezvershenko, senior security researcher with the Kaspersky Global Research and Analysis Team, said in a statement, with the latest version introducing “enhancements that improve persistence within victims’ infrastructures and facilitate lateral movement within targeted networks.”
While Microsoft said the scope of the campaign and the organizations it affects remains “limited” for now, “the use of a zero-day exploit, paired with a sophisticated modular backdoor for ransomware deployment, makes this threat particularly notable,” according to MTI.
Deep Dive into Complex Backdoor
In their analysis of Storm-2460 activity, Microsoft researchers took a deep dive into the PipeMagic backdoor to unveil what makes it tick. First and foremost, infection begins with a malicious in-memory dropper disguised as the open source ChatGPT Desktop Application project, hiding the malware behind a popular artificial intelligence tool.
“The threat actor uses a modified version of the GitHub project that includes malicious code to decrypt and launch an embedded payload in memory,” according to the MTI post.
That embedded payload is PipeMagic, a modular backdoor that communicates with its command-and-control (C2) server over TCP. The malware takes its name from the named pipe through which, once active, it receives payload modules supplied by its C2 server.
“The malware self-updates by storing these modules in memory using a series of doubly linked lists,” according to MTI’s post. “These lists serve distinct purposes for staging, execution, and communication, enabling the threat actor to interact and manage the backdoor’s capabilities throughout its lifecycle.”
PipeMagic also has an unknown linked list that “lacks an immediately observable function” but likely “is used dynamically by loaded payloads rather than the core backdoor logic itself,” according to MTI.
Once PipeMagic is running in an attack chain, Storm-2460 actors use the CLFS exploit to escalate privileges before launching the ransomware against a compromised organization.
Defending Against Storm-2460 Activity
Given the sophisticated attack chain being used by Storm-2460 and the existence of unpatched systems to exploit, Microsoft recommends that all organizations affected by CVE-2025-29824 patch the vulnerability if they haven’t already.
Other mitigation steps organizations can take to protect themselves include ensuring that tamper protection and network protection are enabled in Microsoft Defender for Endpoint. Microsoft also urged organizations to run endpoint detection and response (EDR) in block mode to block malicious artifacts, even in cases when an antivirus tool does not detect the threat or is in passive mode.
Organizations also should configure investigation and remediation in full automated mode to let endpoint protection solutions take immediate action on alerts to resolve breaches, which will significantly reduce alert volume, Microsoft said. Further, they can turn on cloud-delivered protection in antivirus products to cover rapidly evolving attacker tools and techniques, as “cloud-based machine learning protections block a majority of new and unknown variants,” according to MTI.
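As an added example (not from the article or from Microsoft), the following PowerShell audit checks a single host against the settings listed above: tamper protection, network protection, cloud-delivered protection, EDR block mode, and the CVE-2025-29824 patch. The Defender cmdlets and property names are real; the KB number is a placeholder that must be replaced with the April 2025 update for the host’s OS build.

```powershell
# Added example (not from the article or Microsoft): audit the Defender settings the
# article recommends and report those not in the recommended state.
# Run in an elevated PowerShell on a Windows host with Microsoft Defender Antivirus.
$PatchKb = 'KBxxxxxxx'   # PLACEHOLDER: the KB that fixes CVE-2025-29824 for this OS build

$status   = Get-MpComputerStatus
$pref     = Get-MpPreference
$findings = @()

# 1. Tamper protection: readable here, but enabled from Intune or the Defender portal.
if (-not $status.IsTamperProtected) {
    $findings += 'Tamper protection is OFF (enable it via Intune or the Defender portal).'
}

# 2. Network protection: 1 = Enabled (block), 2 = Audit mode, 0 = Disabled.
if ($pref.EnableNetworkProtection -ne 1) {
    $findings += 'Network protection is not blocking (Set-MpPreference -EnableNetworkProtection Enabled).'
}

# 3. Cloud-delivered protection: MAPSReporting 2 = Advanced, 1 = Basic, 0 = Disabled.
if ($pref.MAPSReporting -eq 0) {
    $findings += 'Cloud-delivered protection is disabled (Set-MpPreference -MAPSReporting Advanced).'
}

# 4. EDR in block mode matters when Defender AV is not the primary AV.
#    AMRunningMode reports "Normal", "Passive Mode", "EDR Block Mode" or "SxS Passive Mode".
if ($status.AMRunningMode -like '*Passive*') {
    $findings += "Defender AV is in '$($status.AMRunningMode)'; turn on EDR in block mode in the Defender portal."
}

# 5. Patch state for CVE-2025-29824: look for the fixing update by KB number.
if (-not (Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)) {
    $findings += "Update $PatchKb (CVE-2025-29824 fix) is not installed."
}

# Record the installed CLFS driver build for comparison with the patched version.
$clfs = (Get-Item "$env:SystemRoot\System32\drivers\clfs.sys").VersionInfo.FileVersion
Write-Output "Info: clfs.sys version $clfs (compare with the April 2025 patched build)."

if ($findings.Count -eq 0) {
    Write-Output 'All checked settings match the recommendations.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from a software-inventory or endpoint-management job so hosts that are still unpatched or running Defender in passive mode without EDR block mode show up before an attacker does.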