PipeMagic Trojan and the Zero-Day Exploits Targeting Windows CLFS

Threat Group: Storm-2460
Threat Type: Modular Malware, Zero-Day Exploitation, Ransomware Deployment
Exploited Vulnerabilities: CVE-2025-29824 (CLFS Use-After-Free), CVE-2025-24983 (Win32k Use-After-Free), CVE-2023-28252 (CLFS Out-of-Bounds Write)
Malware Used: PipeMagic Trojan
Threat Score: 8.7/10 – High (due to exploitation of multiple zero-days, advanced evasion techniques, and association with ransomware families like RansomEXX and Nokoyawa)
Last Threat Observation: April 10, 2025


Overview
This report provides a comprehensive analysis of Storm-2460, a threat actor tracked by Microsoft Threat Intelligence, which has been observed deploying the PipeMagic Trojan and exploiting multiple zero-day vulnerabilities to escalate privileges, deploy ransomware, and potentially exfiltrate data. Key vulnerabilities exploited include CVE-2025-29824, CVE-2025-24983, and CVE-2023-28252. The PipeMagic Trojan’s modular, plugin-based design and its use in sophisticated campaigns highlight the actor’s advanced capabilities and adaptability.
Recent campaigns have affected a wide range of sectors—Information Technology, Real Estate, Finance, and Retail—across regions including the United States, Venezuela, Spain, and Saudi Arabia. PipeMagic has been delivered through phishing campaigns and trojanized Rust-based applications masquerading as AI tools, emphasizing the actor’s creative social engineering tactics.


Key Details

  • Delivery Method:
    Storm-2460 uses multiple delivery vectors, including phishing emails with malicious attachments and fake Rust-based ChatGPT applications. These methods effectively lure victims into executing the initial loader for PipeMagic.
  • Target:
    Victims span multiple sectors and geographies, with a focus on organizations that can provide high-value ransomware payouts or critical data for exfiltration.
  • Functions:
    • Modular plugin architecture for extended functionality
    • Advanced evasion techniques, including payload encryption and process injection
    • Exploitation of zero-day and n-day vulnerabilities for privilege escalation
    • Named pipe communication for local control signals
  • Obfuscation:
    PipeMagic employs code encryption, polymorphic techniques, and dynamic API hashing to hinder analysis and detection.
  • Associated Ransomware:
    The actor has deployed ransomware linked to the RansomEXX family and historically associated with Nokoyawa, further increasing the operational impact of their campaigns.

Indicators of Compromise (IoCs)

Domains

  • jbdg4buq6jd7ed3rd6cynqtq5abttuekjnxqrqyvk4xam5i7ld33jvqd[.]onion
  • uyhi3ypdkfeymyf5v35pbk3pz7st3zamsbjzf47jiqbcm3zmikpwf3qd[.]onion

Mitigation and Prevention

  • Patching:
    Apply updates for CVE-2025-29824 (April 2025), CVE-2025-24983 (March 2025), and CVE-2023-28252 (April 2023).
  • EDR/XDR Implementation:
    • Monitor for known IoCs.
    • Detect behavior-based indicators like abnormal named pipe usage, credential dumping, and known CLFS/Win32k exploitation patterns.
  • User Awareness Training:
    Train users to recognize phishing attempts and avoid downloading software from unofficial sources.
  • Application Whitelisting:
    Limit executable code to known, trusted applications to prevent the initial execution of PipeMagic loaders.
  • Threat Intelligence Integration:
    Continuously update security systems with IoCs and TTP information related to PipeMagic and Storm-2460.
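As an added illustration of the behaviour-based detection items above (example code, not part of the original report or of any vendor's tooling), the following Python triages Sysmon-style events for the three behaviours listed: abnormal named pipes, credential-dumping-style read access to LSASS, and CLFS base log (.blf) files written to unusual locations. The pipe-name heuristic, the allowlists and all sample events are constructed assumptions, not PipeMagic indicators from the report.

```python
import re

# Constructed baseline of pipe names considered normal on this host (assumption).
KNOWN_PIPES = {r"\srvsvc", r"\wkssvc", r"\spoolss", r"\ntsvcs", r"\lsass"}
# Illustrative heuristic: a long run of hex digits marks a machine-generated name,
# which stands out against descriptive service pipe names in the baseline.
RANDOM_HEX_RUN = re.compile(r"[0-9a-f]{12,}", re.IGNORECASE)
# PROCESS_VM_READ | PROCESS_QUERY_INFORMATION: the minimum needed to read LSASS memory.
VM_READ, QUERY_INFO = 0x0010, 0x0400
# Processes expected to open lsass.exe with read rights (constructed allowlist).
LSASS_READERS = ("\\msmpeng.exe", "\\csrss.exe", "\\wininit.exe")
# Directories where an attacker-controlled .blf is more plausible than a system log.
UNTRUSTED_BLF_DIRS = ("c:\\programdata\\", "c:\\users\\", "c:\\temp\\")

def pipe_is_abnormal(pipe_name):
    """Event 17: pipe outside the baseline whose name looks machine-generated."""
    return pipe_name.lower() not in KNOWN_PIPES and bool(RANDOM_HEX_RUN.search(pipe_name))

def lsass_access_is_suspect(source_image, granted_access):
    """Event 10: read-capable access mask on lsass.exe from a non-allowlisted process."""
    mask = int(granted_access, 16)
    wants_read = mask & (VM_READ | QUERY_INFO) == (VM_READ | QUERY_INFO)
    return wants_read and not source_image.lower().endswith(LSASS_READERS)

def blf_create_is_suspect(image, target):
    """Event 11: a CLFS base log file created by user-mode code in an untrusted directory."""
    t = target.lower()
    return t.endswith(".blf") and t.startswith(UNTRUSTED_BLF_DIRS) and image.lower() != "system"

def triage(events):
    """Return (rule, process, detail) tuples for a list of Sysmon-style event dicts."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 17 and pipe_is_abnormal(ev["PipeName"]):
            findings.append(("abnormal_named_pipe", ev["Image"], ev["PipeName"]))
        elif eid == 10 and ev["TargetImage"].lower().endswith("\\lsass.exe") \
                and lsass_access_is_suspect(ev["SourceImage"], ev["GrantedAccess"]):
            findings.append(("lsass_read_access", ev["SourceImage"], ev["GrantedAccess"]))
        elif eid == 11 and blf_create_is_suspect(ev["Image"], ev["TargetFilename"]):
            findings.append(("clfs_blf_untrusted_path", ev["Image"], ev["TargetFilename"]))
    return findings

# Constructed sample events shaped like Sysmon JSON output (all values are made up).
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": r"C:\Windows\System32\spoolsv.exe", "PipeName": r"\spoolss"},
    {"EventID": 17, "Image": r"C:\Users\Public\fake_ai_tool.exe", "PipeName": r"\1.3e7f9a2c5b8d4106"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\fake_ai_tool.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 11, "Image": "System", "TargetFilename": r"C:\Windows\System32\config\TxR\{guid}.TM.blf"},
    {"EventID": 11, "Image": r"C:\Users\Public\fake_ai_tool.exe", "TargetFilename": r"C:\ProgramData\EXAMPLE\example.blf"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding)
```

The allowlists and directory lists are the tuning knobs: each environment's legitimate LSASS readers and CLFS users must be baselined first, or the rules will produce noise rather than findings.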

Conclusion
Storm-2460’s continued exploitation of zero-day vulnerabilities combined with the sophisticated PipeMagic Trojan underscores the importance of proactive, multi-layered defenses. Organizations must implement comprehensive patch management, robust endpoint detection, and continuous monitoring for behavioral anomalies. By addressing both the technical and human factors, defenders can mitigate the risks posed by advanced threat actors and reduce the likelihood of successful ransomware campaigns.


Sources

  1. The Hacker News - PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware
  2. Kaspersky - Kaspersky uncovers PipeMagic backdoor attacks businesses through fake ChatGPT application
  3. SecurityWeek - Newly Patched Windows Zero-Day Exploited for Two Years
  4. AlienVault - Indicators of Compromise