Hackers are disguising a powerful strain of malware as a ChatGPT desktop application in preparation for ransomware attacks, according to Microsoft.
The company on Monday published a lengthy analysis of PipeMagic — a backdoor used by a threat actor they call Storm-2460.
The group has allegedly used the malware as part of its exploitation of a zero-day vulnerability previously revealed in April. After exploiting the bug, the group deploys ransomware. Microsoft said it has seen Storm-2460 target “multiple sectors and geographies, including the information technology (IT), financial, and real estate sectors in the United States, Europe, South America, and Middle East.”
“While the impacted organizations remain limited, the use of a zero-day exploit, paired with a sophisticated modular backdoor for ransomware deployment, makes this threat particularly notable,” Microsoft researchers said.
The study backs up reports from the cybersecurity firm Kaspersky, which said in October that it saw cybercriminals using a fake ChatGPT application as bait to deploy the backdoor against entities in Asia and in Saudi Arabia. Kaspersky previously said the malware allows threat actors to steal sensitive information and offers remote access to compromised devices.
Kaspersky initially saw PipeMagic used in 2022 during attacks on entities in Asia, and then observed a resurgence in the use of the tool in September 2024. When the malicious ChatGPT application is opened, victims only see a blank screen with no visible interface.
Researchers at ESET discovered the corresponding zero-day — tracked as CVE-2025-29824 — in March. The bug impacts the Windows Common Log File System (CLFS) driver, which is a frequent target of ransomware gangs.
The logging framework was first introduced by Microsoft in Windows Server 2003 R2 and included in later Windows operating systems. It effectively allows users to record a series of steps required for some actions so that they can be either reproduced accurately or undone.
In the advisory on Monday, Microsoft said PipeMagic is a sophisticated malware tool designed to offer hackers flexibility and persistence in a victim’s system.
The malware’s design makes it difficult to detect, and Microsoft’s Threat Intelligence team said it encountered PipeMagic while researching the exploitation of the zero-day.
The hackers use a modified version of GitHub’s open-source ChatGPT project that includes malicious code to decrypt and launch an embedded payload.
“Once PipeMagic is running, the threat actor performs the CLFS exploit to escalate privileges before launching their ransomware,” Microsoft said.
Microsoft did not say which ransomware strain was deployed in the attacks. Kaspersky said in a new blog post on Monday that it saw PipeMagic used alongside a RansomExx ransomware campaign.
The cybersecurity firm Symantec said in May that actors tied to the Play ransomware group were also seen using CVE-2025-29824 in attacks.