Cybersecurity researchers have uncovered a sophisticated malware campaign abusing Microsoft Help Index Files (.mshi) to deliver the notorious PipeMagic backdoor, marking a significant evolution in the threat actors' tactics since the malware was first detected in 2022.
The campaign, which targeted organizations in Saudi Arabia and Brazil throughout 2025, shows the attackers continuing to refine both their infection techniques and their persistence mechanisms.
PipeMagic first emerged in December 2022 during a RansomExx ransomware campaign targeting industrial companies in Southeast Asia.
The malware gained prominence when it was later found being deployed alongside exploitation of CVE-2025-29824, an elevation-of-privilege vulnerability in the Windows Common Log File System (CLFS) driver that Microsoft confirmed was being actively exploited in the wild when it patched it in April 2025.
The backdoor's operators have shown remarkable adaptability, moving from exploitation of CVE-2017-0144 (the SMBv1 flaw used by EternalBlue) in their early campaigns to more sophisticated social engineering techniques in recent attacks.
Blank screen of the fake application (Source – Securelist)
The latest iteration of PipeMagic has expanded its geographic reach, with Securelist researchers identifying infections in several regions.
The malware retains its core functionality as a versatile backdoor that operates in two distinct modes: as a full-featured remote access tool, and as a network gateway for lateral movement within compromised infrastructure.
What distinguishes the 2025 campaign is the attackers' novel use of Microsoft Help Index Files as the initial infection vector.
These files normally hold index metadata for Microsoft Help Viewer documentation; here they have been weaponized to carry obfuscated C# code alongside an encrypted payload.
The malicious .mshi file relies on the legitimate MSBuild build engine for execution. MSBuild loads whatever path it is handed as a project file regardless of extension, and it will compile and run C# embedded in that file as an inline task, so the .mshi extension is cosmetic: it sidesteps the scrutiny that security controls apply to conventional executable formats, while the actual execution is carried out by a signed Microsoft binary.
Advanced Infection Mechanism Through MSBuild Abuse
The infection chain begins when the victim executes the malicious metafile.mshi, which contains heavily obfuscated C# code paired with a long hexadecimal string.
Contents of metafile.mshi (Source – Securelist)
Execution is triggered through the following command line (truncated on the page):
c:\windows\system32\cmd.exe "/k c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe c:\w
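The command line above is the observable a defender can hunt for: a signed build tool being handed a file that no build system would produce. The following is an added example, not code from the original article or from Securelist, that applies that check to process-creation events. It flags msbuild.exe launched against a file whose extension is not a recognised MSBuild project type and reports the parent process for context. The events are constructed stand-ins in a simplified key="value" layout using Sysmon-style field names (Image, ParentImage, CommandLine); the paths in them are invented for the example.

```python
"""Hunt for msbuild.exe executing a file that is not a build project.

Added example for this article; not Securelist's or the attackers' code.
The events below are constructed stand-ins in a simplified key="value"
layout with Sysmon-style field names; the paths are invented.
"""
import ntpath
import re

# File types MSBuild is legitimately asked to build. Anything else handed to
# msbuild.exe (.mshi, .xml, .txt, ...) deserves a look: MSBuild ignores the
# extension and will run inline C# tasks from any of them.
BUILD_EXTENSIONS = {
    ".proj", ".csproj", ".vbproj", ".fsproj", ".vcxproj", ".sqlproj",
    ".wixproj", ".msbuildproj", ".sln", ".targets", ".props", ".pubxml",
}

KV_RE = re.compile(r'(\w+)="([^"]*)"')      # key="value" pairs in one event line
ARG_RE = re.compile(r'"[^"]*"|\S+')          # quoted or bare command-line arguments

SAMPLE_EVENTS = [
    # constructed: the shape from the article (parent cmd.exe, .mshi "project")
    r'Image="C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" '
    r'ParentImage="C:\Windows\System32\cmd.exe" '
    r'CommandLine="c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe c:\users\public\metafile.mshi"',
    # constructed: benign developer build started from Visual Studio
    r'Image="C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" '
    r'ParentImage="C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe" '
    r'CommandLine="MSBuild.exe C:\src\App\App.csproj /t:Build /p:Configuration=Release"',
    # constructed: MSBuild fed an .xml file from PowerShell, the classic LOLBin shape
    r'Image="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" '
    r'ParentImage="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'CommandLine="MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.xml"',
]


def parse_event(line: str) -> dict:
    """Turn one key="value" event line into a dict."""
    return dict(KV_RE.findall(line))


def project_argument(cmdline: str):
    """First argument after the executable that is not a /switch or -switch."""
    args = [a.strip('"') for a in ARG_RE.findall(cmdline)][1:]
    for arg in args:
        if not arg.startswith(("/", "-")):
            return arg
    return None


def assess(event: dict):
    """Return a finding string for suspicious msbuild.exe use, else None."""
    if ntpath.basename(event.get("Image", "")).lower() != "msbuild.exe":
        return None
    project = project_argument(event.get("CommandLine", ""))
    if project is None:
        return None                      # e.g. "msbuild.exe /version": nothing to build
    ext = ntpath.splitext(project)[1].lower()
    if ext in BUILD_EXTENSIONS:
        return None
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    return (f"msbuild.exe given non-project file {project!r} "
            f"(extension {ext or 'none'!r}), parent {parent}")


def scan(lines):
    """Findings for every event line, in input order."""
    return [f for f in (assess(parse_event(line)) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The extension allow-list is deliberately the only hard rule; the parent process is reported rather than scored, because msbuild.exe under cmd.exe is common on build agents. In a real pipeline the same `assess` logic runs over Sysmon Event ID 1 or Security 4688 records, and a quoted project path in CommandLine is handled by `project_argument`, not by the simplified event parser used for the sample lines.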
The embedded C# code performs two functions in the infection process. First, it decrypts the accompanying shellcode with the RC4 stream cipher, using a hardcoded 64-character hexadecimal key (4829468622e6b82ff056e3c945dd99c94a1f0264d980774828aadda326b775e5).
After decryption, it executes the shellcode through the Windows API function EnumDisplayMonitors, passing the shellcode pointer as the function's third parameter (the per-monitor callback) with the first two parameters set to zero, so that the operating system itself calls into the shellcode rather than the loader jumping to it directly.
The decrypted shellcode is 32-bit Windows code. It resolves the system APIs it needs dynamically, walking the export tables of loaded modules and comparing FNV-1a hashes of the export names against hardcoded values, which keeps API names out of the sample and makes static analysis considerably harder.
The shellcode finally loads an unencrypted executable embedded within its own body, establishing the PipeMagic backdoor on the compromised system and enabling communication through its characteristic named-pipe mechanism and the loopback endpoint 127.0.0.1:8082.
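The decryption, callback-based execution and hash-based API resolution described in the paragraphs above are what an analyst has to undo when triaging a sample. The following is an added example, not code from Securelist or from the loader itself, that does the static part: it pulls the long hex string out of a metafile.mshi-style file, RC4-decrypts it with the key quoted above, carves the embedded PE and reads its Machine field to confirm it is 32-bit, and precomputes FNV-1a hashes of export names so the constants in the shellcode can be annotated. Two assumptions are labelled in the code: the article does not say whether the key is used as its 64 ASCII characters or as the 32 bytes they encode, so both forms are tried and the one that yields a valid embedded PE wins; and the FNV-1a parameters are the standard 32-bit ones, which the shellcode may have altered. The sample file text and payload are constructed stand-ins.

```python
"""Recover the loader's payload from a metafile.mshi-style file.

Added example; not Securelist's or the attackers' code. Assumptions: the
long hex string is RC4 ciphertext under the 64-character key quoted in the
article, and because the article does not say whether that key is used as
64 ASCII bytes or as the 32 bytes they encode, both forms are tried. The
sample file text and payload are constructed stand-ins.
"""
import re
import struct

KEY_HEX = "4829468622e6b82ff056e3c945dd99c94a1f0264d980774828aadda326b775e5"
KEY_CANDIDATES = [bytes.fromhex(KEY_HEX), KEY_HEX.encode("ascii")]   # assumption: one of these
MACHINE_NAMES = {0x014C: "x86 (32-bit)", 0x8664: "x64"}
FNV_OFFSET_32, FNV_PRIME_32 = 0x811C9DC5, 0x01000193   # standard 32-bit FNV-1a (assumed)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_hex_blob(text: str) -> bytes:
    """Longest hex run of 200+ chars: the payload, never the 64-char key."""
    runs = re.findall(r"[0-9a-fA-F]{200,}", text)
    if not runs:
        raise ValueError("no long hex string in file")
    return bytes.fromhex(max(runs, key=len))


def find_embedded_pe(blob: bytes):
    """(offset, Machine) of the first MZ header whose e_lfanew lands on 'PE\\0\\0'."""
    off = blob.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
            pe = off + e_lfanew
            if e_lfanew and pe + 6 <= len(blob) and blob[pe:pe + 4] == b"PE\0\0":
                return off, struct.unpack_from("<H", blob, pe + 4)[0]
        off = blob.find(b"MZ", off + 1)
    return None


def decrypt_payload(mshi_text: str) -> bytes:
    """Try both key forms; keep the plaintext that carries a valid PE."""
    ciphertext = extract_hex_blob(mshi_text)
    for key in KEY_CANDIDATES:
        plaintext = rc4(key, ciphertext)
        if find_embedded_pe(plaintext) is not None:
            return plaintext
    raise ValueError("neither key form yielded an embedded PE")


def fnv1a_32(name: bytes) -> int:
    """Hash of an export name, as the shellcode computes it for API lookup."""
    h = FNV_OFFSET_32
    for b in name:
        h = ((h ^ b) * FNV_PRIME_32) & 0xFFFFFFFF
    return h


def build_hash_table(export_names):
    """hash -> name, to annotate the hardcoded constants in the shellcode."""
    return {fnv1a_32(n.encode("ascii")): n for n in export_names}


# --- constructed sample: 16 NOPs as a stand-in stub, then a minimal x86 PE ---
def build_sample_plaintext() -> bytes:
    hdr = bytearray(b"MZ" + b"\0" * 0x3A)           # DOS header up to e_lfanew
    hdr += struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<H", 0x014C)     # signature, IMAGE_FILE_MACHINE_I386
    hdr += b"\0" * (0x80 - len(hdr))
    return b"\x90" * 16 + bytes(hdr)


def build_sample_mshi() -> str:
    ciphertext = rc4(KEY_CANDIDATES[0], build_sample_plaintext())
    return ("// constructed stand-in for the obfuscated C# in metafile.mshi\n"
            f'string k = "{KEY_HEX}";\nstring d = "{ciphertext.hex()}";\n')


if __name__ == "__main__":
    blob = decrypt_payload(build_sample_mshi())
    off, machine = find_embedded_pe(blob)
    print(f"embedded PE at offset 0x{off:x}, {MACHINE_NAMES.get(machine, hex(machine))}")
    for h, name in build_hash_table(["LoadLibraryA", "GetProcAddress", "VirtualAlloc"]).items():
        print(f"0x{h:08x}  {name}")
```

Feed `decrypt_payload` the text of a real sample and `find_embedded_pe` the result; a Machine value of 0x014C confirms the 32-bit claim above, and `build_hash_table` run over the export names of kernel32.dll and ntdll.dll gives the lookup needed to label the hash constants in the shellcode. If no constant matches, the shellcode has probably changed the offset basis, the prime, or the case of the names before hashing, and those are the first three things to vary. The EnumDisplayMonitors callback trick is dynamic behaviour and is not reproduced here.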