A sophisticated malware campaign has been identified that uses PipeMagic, a highly modular backdoor deployed by the financially motivated threat actor Storm-2460.
The malware masquerades as a legitimate open-source ChatGPT Desktop Application while exploiting the zero-day vulnerability CVE-2025-29824 in the Windows Common Log File System (CLFS) to deploy ransomware across multiple sectors globally.
Key Takeaways
1. PipeMagic masquerades as the ChatGPT Desktop App while exploiting a Windows zero-day.
2. It features a modular design with encrypted named pipe communication and dynamic payload loading to evade detection.
3. Storm-2460 targets IT, financial, and real estate sectors worldwide.
The threat actor leverages a trojanized version of the popular ChatGPT Desktop Application available on GitHub, using it as a delivery mechanism for the PipeMagic backdoor.
This deceptive approach allows the malware to bypass initial user suspicion while establishing persistent access to compromised systems.
The observed targets span the information technology, financial, and real estate sectors across the United States, Europe, South America, and the Middle East, demonstrating the campaign's broad geographic scope and cross-industry impact.
PipeMagic Modular Backdoor
Microsoft reports that PipeMagic employs a complex infection chain beginning with a malicious MSBuild file downloaded via the certutil utility from compromised legitimate websites.
The initial stage features an in-memory dropper disguised as the legitimate ChatGPT application, which decrypts and launches the embedded PipeMagic payload directly in memory to evade detection.
The malware generates a unique 16-byte bot identifier for each infected host and establishes a named pipe using the format .pipe1. for payload delivery.
Figure: Bot ID generation
This bidirectional communication channel enables continuous module deployment while maintaining stealth.
The system uses RC4 encryption with a hardcoded 32-byte key and performs SHA-1 hash validation to ensure payload integrity during transmission.
PipeMagic's technical sophistication lies in its use of four distinct doubly linked list structures: payload, execute, network, and unknown lists, each serving specific functions within the backdoor's architecture.
Figure: Populating the payload module with pipe data
The malware maintains persistent command-and-control (C2) communication through a dedicated networking module that handles TCP connections to the domain aaaaabbbbbbb.eastus.cloudapp.azure[.]com:443, which Microsoft has since disabled.
The backdoor supports over 20 different operational commands, including system reconnaissance, module management, process enumeration, and payload execution.
Critical capabilities include backdoor command code 0xF for self-deletion and 0x11 for module replacement, enabling dynamic operational adaptation.
The malware collects comprehensive system information, including OS version, domain membership, integrity levels, and network configuration, before transmitting the data to C2 servers.
Mitigations
Microsoft recommends enabling tamper protection and network protection in Defender for Endpoint, along with running EDR in block mode for post-breach artifact remediation.
Organizations should prioritize deploying patches for CVE-2025-29824 and use cloud-delivered protection to defend against rapidly evolving attack variants.
Microsoft Defender XDR provides specific detections for PipeMagic variants, including alerts for active malware processes and ransomware-linked threat group activity.
The campaign highlights the critical importance of maintaining updated security controls and monitoring for suspicious named pipe communications and unusual ChatGPT application behavior across enterprise environments.
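As an added illustration of the named-pipe monitoring recommended above (example code written for this article, not Microsoft's or any vendor's detection logic), the following script scans constructed Sysmon-style pipe events for names that look like the PipeMagic bot channel. It assumes the pipe name is the "1." prefix the article shows followed by the 16-byte bot ID rendered as 32 hex characters; the log lines and image paths are made up.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified Sysmon pipe-event shape
# (EventID 17 = PipeCreated, 18 = PipeConnected). Not real captures.
SAMPLE_EVENTS = [
    r"EventID=17 Image=C:\Windows\System32\svchost.exe PipeName=\wkssvc",
    r"EventID=17 Image=C:\Users\alice\Downloads\ChatGPT.exe PipeName=\1.0a1b2c3d4e5f60718293a4b5c6d7e8f9",
    r"EventID=18 Image=C:\Users\alice\Downloads\ChatGPT.exe PipeName=\1.0a1b2c3d4e5f60718293a4b5c6d7e8f9",
    r"EventID=17 Image=C:\Program Files\Browser\browser.exe PipeName=\mojo.1234.5678.9",
]

# Assumption: pipe name = "1." prefix + 16-byte bot ID as 32 hex chars.
# The leading backslash of the Sysmon PipeName field is optional here.
BOT_PIPE_RE = re.compile(r"^\\?1\.[0-9a-fA-F]{32}$")

# Key=Value fields; values may contain spaces (e.g. "Program Files").
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn a 'Key=Value Key=Value' line into a dict."""
    return dict(FIELD_RE.findall(line))


def is_bot_pipe(pipe_name):
    """True when the pipe name matches the assumed bot-ID pattern."""
    return bool(BOT_PIPE_RE.match(pipe_name))


def find_bot_pipes(lines):
    """Group suspicious pipe events by pipe name, recording which event IDs
    and creating images were seen. A pipe with both 17 and 18 is a channel
    that was created and then connected to, i.e. actively in use."""
    hits = defaultdict(lambda: {"images": set(), "event_ids": set()})
    for line in lines:
        ev = parse_event(line)
        name = ev.get("PipeName", "")
        if ev.get("EventID") in ("17", "18") and is_bot_pipe(name):
            hits[name]["images"].add(ev.get("Image", ""))
            hits[name]["event_ids"].add(int(ev["EventID"]))
    return dict(hits)


if __name__ == "__main__":
    for name, info in find_bot_pipes(SAMPLE_EVENTS).items():
        active = {17, 18} <= info["event_ids"]
        print(f"{name}: events={sorted(info['event_ids'])} active={active} "
              f"images={sorted(info['images'])}")
```

The pattern is deliberately narrow to keep false positives low; pair it with the unusual-parent-process check (a ChatGPT binary creating pipes) for a higher-confidence alert.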