Article Details

PipeMagic Trojan Exploits Windows CLFS Zero-Day Vulnerability to Deploy Ransomware. Microsoft has revealed that a now-patched security flaw impacting the Windows Common Log File System (CLFS) was exploited as a zero-day in ransomware attacks aimed at a small number of targets. "The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia," the tech giant said. The vulnerability in question is CVE-2025-29824, a privilege escalation bug in CLFS that could be exploited to achieve SYSTEM privileges. It was fixed by Redmond as part of its Patch Tuesday update for April 2025. Microsoft is tracking the activity and the post-compromise exploitation of CVE-2025-29824 under the moniker Storm-2460, with the threat actors also leveraging a malware named PipeMagic to deliver the exploit as well as ransomware payloads. The exact initial access vector used in the attacks is currently not known. However, the threat actors have been observed using the certutil utility to download malware from a legitimate third-party site that was previously compromised to stage the payloads. The malware is a malicious MSBuild file that contains an encrypted payload, which is then unpacked to launch PipeMagic, a plugin-based trojan that has been detected in the wild since 2022. It's worth mentioning here that CVE-2025-29824 is the second Windows zero-day flaw to be delivered via PipeMagic after CVE-2025-24983, a Windows Win32 Kernel Subsystem privilege escalation bug, which was flagged by ESET and patched by Microsoft last month. Previously, PipeMagic was also observed in connection with Nokoyawa ransomware attacks that exploited another CLFS zero-day flaw (CVE-2023-28252). "In some of the other attacks that we attribute to the same actor, we also observed that, prior to exploiting the CLFS elevation-of-privilege vulnerability, the victim's machines were infected with a custom modular backdoor named 'PipeMagic' that gets launched via an MSBuild script," Kaspersky pointed out in April 2023. "The exploit targets a vulnerability in the CLFS kernel driver," the Microsoft Threat Intelligence team explained. "The exploit then utilizes a memory corruption and the RtlSetAllBits API to overwrite the exploit process's token with the value 0xFFFFFFFF, enabling all privileges for the process, which allows for process injection into SYSTEM processes." Successful exploitation is followed by the threat actor extracting user credentials by dumping the memory of LSASS and encrypting files on the system with a random extension. Microsoft said it was unable to obtain a ransomware sample for analysis, but said that the ransom note dropped after encryption included a TOR domain tied to the RansomEXX ransomware family. "Ransomware threat actors value post-compromise elevation of privilege exploits because these could enable them to escalate initial access, including handoffs from commodity malware distributors, into privileged access," Microsoft said. "They then use privileged access for widespread deployment and detonation of ransomware within an environment."