Microsoft has delved into the internal workings of PipeMagic, a modular backdoor utilized in a number of ransomware assaults for the reason that starting of this 12 months.
Posing as a authentic open supply ChatGPT Desktop Software, PipeMagic is a complicated malware framework that gives attackers with persistent entry to the compromised system.
The backdoor makes use of modules for its varied capabilities, akin to command-and-control (C&C) communication, and is ready to dynamically execute payloads and supply the attackers with granular management over code execution, Microsoft explains.
“By offloading community communication and backdoor duties to discrete modules, PipeMagic maintains a modular, stealthy, and extremely extensible structure, making detection and evaluation considerably difficult,” the corporate notes.
Attributed to the financially motivated risk actor tracked as Storm-2460, related to the RansomEXX ransomware, PipeMagic has been utilized in assaults exploiting a Home windows zero-day tracked as CVE-2025-29824, towards organizations within the US, Europe, South America, and the Center East.
“Whereas the impacted organizations stay restricted, using a zero-day exploit, paired with a complicated modular backdoor for ransomware deployment, makes this risk notably notable,” Microsoft says.
As a part of the noticed assaults, PipeMagic was deployed in reminiscence. As soon as up and working, the malware obtained its modules via a named pipe, and saved them in reminiscence utilizing doubly linked lists.
The malware was noticed utilizing 4 doubly linked listing constructions, three for storing uncooked payload modules, modules already loaded in reminiscence, and networking modules, and one other believed to be leveraged dynamically by loaded payloads.Commercial. Scroll to proceed studying.
After the networking module establishes C&C communication, the backdoor collects in depth system info and sends it to the server, after which waits for instructions to execute.
Primarily based on the obtained C&C response, the backdoor can execute core performance, execute a selected module, ship a message to the C&C, shut down the networking module and C&C communication, or invoke all modules with particular arguments.
Backdoor performance supported by PipeMagic permits it to work together with modules, delete modules and itself, enumerate working processes, and recollect system info.
“As malware continues to evolve and grow to be extra subtle, we imagine that understanding threats akin to PipeMagic is important for constructing resilient defenses for any group. By exposing the internal workings of this malware, we additionally intention to disrupt adversary tooling and enhance the operational value for the risk actor, making it harder and costly for them to maintain their campaigns,” Microsoft notes.
Associated: Second Ransomware Group Caught Exploiting Home windows Flaw as Zero-Day
Associated: Ransomware Teams, Chinese language APTs Exploit Current SAP NetWeaver Flaws
Associated: BadCam: New BadUSB Assault Turns Linux Webcams Into Persistent Threats
Associated: New FinalDraft Malware Noticed in Espionage Marketing campaign
