{"type":"rich","version":"1.0","provider_name":"Transistor","provider_url":"https://transistor.fm","author_name":"Daily Security Review","title":"PipeMagic Backdoor: How Ransomware Actors Exploited a Windows Zero-Day","html":"<iframe width=\"100%\" height=\"180\" frameborder=\"no\" scrolling=\"no\" seamless src=\"https://share.transistor.fm/e/b5a0faf1\"></iframe>","width":"100%","height":180,"duration":3295,"description":"In early 2025, Microsoft and security researchers uncovered PipeMagic, a modular and memory-resident backdoor that has been quietly leveraged in ransomware campaigns worldwide. Disguised as a legitimate ChatGPT desktop application, this sophisticated malware granted persistent access, precise control, and stealthy communication channels to its operators. Attributed to Storm-2460, a financially motivated threat group linked to the RansomEXX ransomware family, PipeMagic represents a dangerous evolution in ransomware delivery and persistence. PipeMagic exploited a critical Windows zero-day vulnerability (CVE-2025-29824) in the Common Log File System (CLFS), allowing attackers to escalate privileges to SYSTEM level. Once inside, the malware used named pipes and doubly linked lists to store modules in memory—making detection nearly impossible for traditional security tools. Its modular design enabled flexible capabilities, from data collection and process control to credential dumping and system manipulation, all while communicating covertly with attacker-controlled command-and-control servers. Storm-2460 paired PipeMagic with a host of post-exploitation tactics: dumping credentials from LSASS, deleting backups to prevent recovery, and disabling Windows recovery options before deploying ransomware payloads. Combined with advanced anti-forensic techniques like patching AMSI functions, clearing event logs, and evading endpoint detection, PipeMagic exemplifies the fileless, stealth-driven future of cybercrime. Beyond its technical innovations, PipeMagic underscores the shifting ransomware landscape. Threat actors are embracing modular malware, AI-powered social engineering, and zero-day exploits as standard tools of the trade. Groups like Storm-2460 exploit unpatched vulnerabilities, impersonate legitimate applications, and weaponize living-off-the-land techniques to bypass defenses and achieve maximum impact. For defenders, the lessons are clear: traditional signature-based...","thumbnail_url":"https://img.transistorcdn.com/pL79_MJFeJHamQ_ztImsGmDSMdl27VMk_30TAkieujE/rs:fill:0:0:1/w:400/h:400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS8yNzg5/ZjlhNzM5Y2M4Njli/NjkxNzgyODA2Nzhi/MDI2ZC5wbmc.webp","thumbnail_width":300,"thumbnail_height":300}