
Microsoft issues alert on PipeMagic backdoor, posing as the ChatGPT desktop application - here's the info

Misuse of Prominent GitHub Project's Familiarity

Potential risk: PipeMagic backdoor masquerading as ChatGPT desktop application, according to Microsoft's warning; key facts revealed


Breaking News: Sophisticated Malware Framework PipeMagic Targets Multiple Industries

A sophisticated malware framework known as PipeMagic, associated with the financially motivated threat actor group Storm-2460, has been identified by Microsoft as a significant active threat. PipeMagic is a modular backdoor designed for flexibility, stealth, and persistence: it lets attackers execute payloads dynamically and maintain robust command-and-control (C2) communication through separate, discrete modules.

Capabilities

PipeMagic's modular architecture grants granular command execution control on compromised systems. It loads payload modules from C2 servers, offloading network communication, code execution, and backdoor functionalities into separate modules. These include an asynchronous communication module, a loader module, and an injector module, among others.

The malware uses loaders masquerading as legitimate applications, notably a ChatGPT Desktop Client and Google Chrome update files, to execute malicious code. PipeMagic has also been observed exploiting CVE-2025-29824, a privilege escalation zero-day in the Windows Common Log File System (CLFS) driver (clfs.sys), to facilitate malware deployment.

The attackers use ProcDump to dump LSASS memory on victim machines, extracting credentials for lateral movement within networks. PipeMagic campaigns have targeted various sectors, including IT, finance, real estate, and manufacturing across the United States, Europe, Middle East, South America, and Asia.
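The LSASS-dumping step described above is one of the most reliably detectable parts of the intrusion chain, because ProcDump's command line is distinctive. The following is an added example (not Microsoft's detection logic and not part of the original article) that scans process-creation events for ProcDump being pointed at LSASS. The event layout (host, image path, command line, parent image) and the sample events are constructed for illustration; the field names are assumptions, not a real product schema.

```python
"""Flag ProcDump-style LSASS memory dumps in process-creation telemetry.

Added example: constructed events and an assumed event layout, not real
telemetry or any vendor's detection rule.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    image: str          # full path of the created process
    command_line: str
    parent_image: str


# Constructed sample events (not captured from a real incident).
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", r"C:\Windows\System32\svchost.exe",
                 "svchost.exe -k netsvcs", r"C:\Windows\System32\services.exe"),
    # ProcDump dumping LSASS by name: the case described in the article.
    ProcessEvent("ws-01", r"C:\Users\Public\procdump64.exe",
                 r"procdump64.exe -accepteula -ma lsass.exe C:\Users\Public\ls.dmp",
                 r"C:\Windows\System32\cmd.exe"),
    # Renamed binary using ProcDump's full-dump flag against a bare PID:
    # name-based matching misses it, so it only earns a low-severity review hit.
    ProcessEvent("ws-02", r"C:\Tools\pd.exe", "pd.exe -ma 712 out.dmp",
                 r"C:\Windows\explorer.exe"),
    # Legitimate-looking ProcDump use against a non-LSASS process.
    ProcessEvent("ws-03", r"C:\Tools\Sysinternals\procdump.exe",
                 "procdump.exe -ma notepad.exe", r"C:\Windows\explorer.exe"),
]

# Well-known Sysinternals ProcDump binary names (case-insensitive match).
PROCDUMP_NAMES = {"procdump.exe", "procdump64.exe", "procdump64a.exe"}
# LSASS referenced by name anywhere on the command line.
LSASS_RE = re.compile(r"\blsass(\.exe)?\b", re.IGNORECASE)
# ProcDump's full (-ma) or mini-plus (-mp) memory dump switches.
DUMP_FLAG_RE = re.compile(r"(^|\s)-m[ap]\b", re.IGNORECASE)


def classify(event: ProcessEvent):
    """Return a severity ('high', 'medium', 'low') or None for benign events."""
    name = event.image.rsplit("\\", 1)[-1].lower()
    is_procdump = name in PROCDUMP_NAMES
    targets_lsass = bool(LSASS_RE.search(event.command_line))
    has_dump_flag = bool(DUMP_FLAG_RE.search(event.command_line))

    if targets_lsass and (is_procdump or has_dump_flag):
        return "high"        # memory dump aimed at LSASS: credential theft
    if is_procdump and has_dump_flag:
        return "medium"      # ProcDump dumping some other process: review
    if has_dump_flag:
        return "low"         # dump switch on an unknown binary: possible renamed tool
    return None


def scan(events):
    """Return (host, severity, image, command_line) for every flagged event, in order."""
    alerts = []
    for ev in events:
        severity = classify(ev)
        if severity is not None:
            alerts.append((ev.host, severity, ev.image, ev.command_line))
    return alerts


if __name__ == "__main__":
    for host, severity, image, cmd in scan(SAMPLE_EVENTS):
        print(f"[{severity.upper()}] {host}: {image} :: {cmd}")
```

The "low" tier exists because attackers routinely rename ProcDump and pass LSASS's PID instead of its name; the dump switch alone is a weak signal, so in practice it should be correlated with the target PID resolving to lsass.exe, or replaced by a kernel-level sensor that records handle opens against LSASS regardless of the tool used.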

Evolution

First detected in December 2022, in connection with RansomExx ransomware campaigns, PipeMagic has since evolved with more advanced capabilities. In 2024, the same version reappeared in attacks on Middle East organizations. In 2025, it gained three additional payload modules extending file I/O and payload injection functionality, improved persistence mechanisms, and expanded geographic targeting.

Attack vectors include Microsoft Help Index files ("metafile.mshi") used as loaders that decrypt and execute shellcode. Continued use of cloud infrastructure (Microsoft Azure) for staging payloads is another notable feature.

The threat actor: Storm-2460

Storm-2460 is a financially motivated cybercriminal group that employs PipeMagic to deploy ransomware in targeted attacks, leveraging zero-day Windows exploits. Its operations show continuous development of PipeMagic's features and persistent targeting of multiple industries worldwide, with an emphasis on evasion and system control through modular malware design and disguise techniques.

Microsoft recommends a layered defense strategy to mitigate the PipeMagic threat, including enabling tamper protection and network protection in Microsoft Defender for Endpoint, and running endpoint detection and response in block mode.

While the number of PipeMagic victims is described as "limited" by Microsoft, the implications of this sophisticated malware are significant, and organizations are advised to remain vigilant against such threats.
