PipeMagic Trojan

PipeMagic is a modular backdoor first identified in 2022 and used in targeted intrusions in Asia, the Middle East, and the Americas. It is notable for being deployed alongside exploits for zero-day vulnerabilities in the Windows Common Log File System (CLFS) driver, most recently CVE-2025-29824, an elevation-of-privilege flaw that lets code already running as a standard user escalate to SYSTEM. The CLFS bug provides no remote code execution on its own: the operators first need a foothold, and the escalation then lets them stage ransomware such as RansomEXX and Nokoyawa, which has disrupted organizations in IT, finance, and retail. The loader has been observed masquerading as a legitimate application, for example a fake ChatGPT client written in Rust, to get a user to run it. Once active, PipeMagic gives the operator a backdoor for data exfiltration, credential theft, and delivery of further tooling. Three design choices make it harder to analyze and detect: its payload stays encrypted until it is decrypted in memory, it resolves Windows API functions at runtime instead of importing them (so a static import table reveals little), and its components talk to each other over a named pipe rather than a more visible channel. Defenders should treat the CLFS patch level of every Windows host and unexpected named pipes as concrete things to check, not just "robust security measures" in the abstract.

PipeMagic Trojan Exploits Windows CLFS Zero-Day Vulnerability to Deploy Ransomware

A critical vulnerability in the Windows Common Log File System (CLFS) driver, CVE-2025-29824, was exploited as a zero-day by the operators of the PipeMagic trojan in ransomware attacks against organizations in several countries and industries. The flaw lets an attacker with local code execution gain SYSTEM privileges, which is enough to disable defenses, deploy ransomware such as RansomEXX, and encrypt data. Microsoft reported that Windows 11 version 24H2 was not affected by the observed exploitation, and released a fix in its April 2025 security updates; installing it promptly is the primary mitigation. In the observed intrusions the malicious payload was downloaded from a compromised legitimate website, so web filtering and application control reduce exposure at the initial-access stage as well. Organizations are urged to apply security best practices to mitigate this ongoing threat; Technijian offers specialized defense services.
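As an added hunting example (not code from this page, from Technijian, or from any vendor report on PipeMagic), the script below triages the named pipes present on a Windows host, since the malware described above coordinates its components over a named pipe. The baseline allowlist, the known-name patterns, the entropy threshold and the sample pipe list are all assumptions made for illustration; the 32-character hex name in the sample is constructed and is not a published indicator.

```python
"""Triage the named pipes on a Windows host.

Added example, not code from the page, from Technijian, or from any
vendor report on PipeMagic. The allowlist, patterns, thresholds and the
sample pipe list are illustrative assumptions.
"""
import math
import os
import re
import sys
from collections import Counter

# Pipes normally present on a Windows host (partial, assumed allowlist;
# build the real one from a clean reference image of your own build).
BASELINE = {
    "lsass", "srvsvc", "wkssvc", "ntsvcs", "atsvc", "epmapper", "samr",
    "netlogon", "spoolss", "eventlog", "InitShutdown", "scerpc",
}

# Families of pipe names that Windows or common software generates with a
# predictable shape (assumed patterns; extend as you observe more).
KNOWN_PATTERNS = [
    re.compile(r"^Winsock2\\CatalogChangeListener-[0-9a-f]+-0$"),
    re.compile(r"^mojo\.\d+\.\d+\.\d+$"),          # Chromium-based browsers
    re.compile(r"^crashpad_\d+_[A-Z]+$"),          # Crashpad handler
]

HEX_RUN = re.compile(r"[0-9a-fA-F]{12,}")   # a random id rendered as hex
ENTROPY_MIN_LEN = 16                         # only judge entropy on long names
ENTROPY_THRESHOLD = 4.0                      # bits per char; assumed cutoff


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for a single repeated character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify(name: str) -> str:
    """'baseline' if allowlisted, 'suspicious' if it looks machine-generated
    and is not allowlisted, otherwise 'unknown' (review, do not alert)."""
    if name in BASELINE or any(p.match(name) for p in KNOWN_PATTERNS):
        return "baseline"
    if HEX_RUN.search(name):
        return "suspicious"
    if len(name) >= ENTROPY_MIN_LEN and shannon_entropy(name) >= ENTROPY_THRESHOLD:
        return "suspicious"
    return "unknown"


def triage(pipe_names) -> dict:
    """Map each pipe name to its verdict."""
    return {name: classify(name) for name in pipe_names}


def live_pipes() -> list:
    """Enumerate the pipe namespace on Windows; returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    return os.listdir(r"\\.\pipe\\")


# Constructed sample standing in for a real enumeration. The 32-character
# hex name is made up for the example; it is not a published indicator.
SAMPLE_PIPES = [
    "lsass", "srvsvc", "wkssvc", "epmapper", "spoolss",
    "Winsock2\\CatalogChangeListener-3f4-0",
    "mojo.4120.2712.9412389231674411",
    "BackupAgentPipe",                       # not allowlisted, but readable
    "4f1e9c0a7b3d2e8f5a6c1b0d9e7f2a3c",      # random-looking: worth a look
]

if __name__ == "__main__":
    names = live_pipes() or SAMPLE_PIPES
    for name, verdict in sorted(triage(names).items(), key=lambda kv: kv[1]):
        print(f"{verdict:<10} {name}")
```

Run it on a Windows host to enumerate the pipe namespace directly; on any other platform it falls back to the constructed sample. An "unknown" pipe is a review item, not an alert: build the allowlist from a clean reference image for each Windows build you operate, and corroborate a "suspicious" pipe with the process that created it (Sysmon event IDs 17 and 18 record pipe creation and connection with the owning image) before treating it as an indicator.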