Microsoft Windows Flaw Used to Launch PipeMagic RansomExx Malware

Cybersecurity researchers have revealed that threat actors are exploiting a now-patched vulnerability in Microsoft Windows to deploy the PipeMagic malware during RansomExx ransomware attacks. This exploitation hinges on CVE-2025-29824, a privilege escalation vulnerability affecting the Windows Common Log File System (CLFS), which Microsoft addressed in April 2025, according to a report from Kaspersky and BI.ZONE. First identified in 2022, PipeMagic has been utilized in RansomExx attacks targeting industrial sectors in Southeast Asia, functioning as a backdoor that allows remote access and execution of various commands on compromised systems. Past incidents have shown attackers exploiting CVE-2017-0144, a remote code execution vulnerability in Windows SMB, to breach victim networks. Notably, infection chains observed in October 2024 in Saudi Arabia were linked to a fraudulent OpenAI ChatGPT application.

Microsoft Windows Vulnerability Exploited to Deploy PipeMagic RansomExx Malware

On August 18, 2025, cybersecurity experts revealed that threat actors exploited a recently patched vulnerability in Microsoft Windows to distribute the PipeMagic malware within RansomExx ransomware operations. This malicious activity specifically took advantage of CVE-2025-29824, a privilege escalation flaw affecting the Windows Common Log File System (CLFS), which Microsoft rectified in April 2025, according to a collaborative report by Kaspersky and BI.ZONE.

The PipeMagic malware emerged on the radar in 2022, primarily targeting industrial sectors in Southeast Asia. Its design allows it to function as a comprehensive backdoor, enabling adversaries to gain remote access and execute a myriad of commands on affected systems. In prior RansomExx incidents, perpetrators leveraged another vulnerability, CVE-2017-0144, which is a remote code execution flaw within the Windows SMB protocol, to infiltrate the networks of their targets.

Recent infection patterns observed in Saudi Arabia in October 2024 involved attackers utilizing a deceptive version of OpenAI’s ChatGPT to facilitate their strategies. This adaptation signals an evolution in the tactics employed by cybercriminals, showcasing their ability to blend sophisticated social engineering techniques with technical exploits.

The exploitation of CVE-2025-29824 illustrates a pressing concern for organizations relying on Windows systems, particularly as attackers increasingly focus on privilege escalation methods to gain deeper network access. According to the MITRE ATT&CK framework, these operations likely involved tactics such as initial access and persistence, concentrated on achieving higher privileges within compromised environments.

Business owners must remain vigilant about the potential risks of lingering vulnerabilities, especially as threat actors continue to adapt their methods. The rise of sophisticated malware like PipeMagic highlights the necessity for proactive cybersecurity measures. Regular updates and patch management, coupled with continuous monitoring for suspicious activity, are critical in mitigating these evolving threats.

As cyberattacks become more intricate, understanding the underlying mechanisms attackers use can help organizations better prepare for potential incursions. Ensuring a robust cybersecurity posture is essential for protecting sensitive data and maintaining operational integrity in an increasingly hostile digital landscape.

Source link

Related Posts

Noodlophile Malware Campaign Broadens Global Scope with Targeted Copyright Phishing Tactics

Aug 18, 2025
Malware / Enterprise Security

The Noodlophile malware actors are intensifying their reach, employing spear-phishing emails and enhanced delivery techniques to target enterprises in the U.S., Europe, Baltic countries, and the Asia-Pacific (APAC) region. According to Morphisec researcher Shmuel Uzan, “The Noodlophile campaign, active for over a year, now utilizes sophisticated spear-phishing emails masquerading as copyright infringement notices, complete with reconnaissance-driven details such as specific Facebook Page IDs and company ownership information.” Previously reported by a cybersecurity vendor in May 2025, the Noodlophile campaign initially leveraged fake AI-powered tools as malware lures, which were promoted on social media platforms like Facebook. The shift to copyright infringement tactics, however, is not a new strategy.

The Importance of Security Culture in Reducing Cyber Risk

In an era where organizations have invested two decades in enhancing their security architectures, a stark reality has emerged: advanced tools and technologies alone cannot sufficiently mitigate cyber risks. As technology has evolved, so too have the tactics of cyber attackers, who are increasingly targeting human behavior rather than solely infrastructure vulnerabilities. Recent data shows that the initial breach vector is often not a technical exploit but rather the exploitation of human vulnerabilities.

According to Verizon’s Data Breach Investigations Report, human factors have been the leading cause of breaches for five consecutive years. The most recent report indicates that almost 60% of all breaches in 2024 involved a human element. However, it is essential to clarify a prevalent misconception: the notion that “people are the weakest link” wrongly places the blame solely on employees for breaches.

Public Exploit Combines Two Critical SAP Vulnerabilities, Leaving Unpatched Systems Open to Remote Code Execution

Date: Aug 19, 2025
Category: Vulnerability / Cyber Espionage

A new exploit has emerged that leverages two critical, now-patched vulnerabilities in SAP NetWeaver, putting organizations at significant risk of system compromise and data theft. This exploit chains CVE-2025-31324 and CVE-2025-42999 to bypass authentication and enable remote code execution, according to SAP security firm Onapsis.

  • CVE-2025-31324 (CVSS score: 10.0) – Lacks authorization checks in SAP NetWeaver’s Visual Composer development server
  • CVE-2025-42999 (CVSS score: 9.1) – Vulnerability due to insecure deserialization in the same server

These vulnerabilities were patched by SAP in April and May 2025, but not before they were exploited as zero-days by threat actors as early as March. Multiple ransomware and data extortion groups, including Qilin, BianLian, and RansomExx, have been seen exploiting these flaws, along with several espionage groups linked to China targeting critical infrastructures.

New GodRAT Trojan Targets Trading Firms Using Steganography and Gh0st RAT Techniques

August 19, 2025
Malware / Cyber Attack

Financial institutions, particularly trading and brokerage firms, are currently facing a new threat from a remote access trojan known as GodRAT. According to Kaspersky researcher Saurabh Sharma, this malware is spread through malicious .SCR (screen saver) files disguised as financial documents sent via Skype Messenger. Active as recently as August 12, 2025, the attacks utilize steganography to hide shellcode within image files, enabling the download of the malware from a command-and-control (C2) server. Since September 9, 2024, these screen saver artifacts have targeted regions including Hong Kong, the United Arab Emirates, Lebanon, Malaysia, and Jordan. Based on Gh0st RAT, GodRAT employs a plugin-based architecture to enhance its capabilities for gathering sensitive information and delivering additional payloads like AsyncRAT.