Ransomware group deploys deceptive ChatGPT desktop app to create backdoor


A ransomware operation called Storm-2460 is using a legitimate open-source ChatGPT desktop application as a disguise to deploy a modular backdoor called PipeMagic on a victim’s device.

Beneath its disguise, PipeMagic is a sophisticated malware tool designed to maintain persistent access to compromised devices and deliver further malicious software.

In a lengthy analysis, Microsoft says the malware can dynamically execute payloads by communicating with a command-and-control (C2) server using a dedicated networking module, thereby granting the threat actor granular control over code execution on the compromised host.


“By offloading network communication and backdoor tasks to discrete modules, PipeMagic maintains a modular, stealthy, and highly extensible architecture, making detection and analysis significantly challenging,” Microsoft notes in its security blog.


Microsoft’s researchers encountered PipeMagic as part of research on an attack chain involving the exploitation of CVE-2025-29824, an elevation of privilege vulnerability in Windows Common Log File System (CLFS). This vulnerability was fixed back in April, but many systems remain vulnerable because they have not yet installed the patch.

A financially motivated ransomware gang called Storm-2460 leveraged the vulnerability in targeted attacks to deploy ransomware. Victims spanned multiple sectors around the world, including IT, financial, and real estate organizations in the United States, Europe, South America, and the Middle East.


“While the impacted organizations remain limited, the use of a zero-day exploit, paired with a sophisticated modular backdoor for ransomware deployment, makes this threat particularly notable,” Microsoft Threat Intelligence warns.

Microsoft recommends installing the patch, which has been available since April, so that systems are fully updated. This closes the Windows Common Log File System vulnerability the attackers rely on.


In addition, businesses should make sure that tamper protection and network protection are enabled in Microsoft Defender for Endpoint to detect and prevent PipeMagic from deploying.
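The two mitigations above (the April patch, plus tamper protection and network protection in Defender for Endpoint) can be audited from an elevated PowerShell session. The script below is an added example written for this page, not code from Microsoft or Cybernews; it uses the built-in Defender cmdlets (`Get-MpComputerStatus`, `Get-MpPreference`) and `Get-HotFix`. The KB identifier is a placeholder, since the article does not name the update; look up the April 2025 update that fixes CVE-2025-29824 for your Windows build and substitute it.

```powershell
# Added example (not from the article or Microsoft's blog): audit a Windows host
# for the mitigations the article names. Run elevated on the host being checked.

# PLACEHOLDER: replace with the KB number of the April 2025 update that fixes
# CVE-2025-29824 for this Windows build (the article does not name it).
$CveFixKb = 'KB0000000'

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Is the cumulative update that closes the CLFS vulnerability installed?
$hotfix = Get-HotFix -Id $CveFixKb -ErrorAction SilentlyContinue
if (-not $hotfix) {
    $findings.Add("Update $CveFixKb (CVE-2025-29824 CLFS fix) is not installed")
}

# 2. Tamper protection: Defender exposes it as a read-only status flag.
#    It cannot be switched on locally via Set-MpPreference by design; enable it
#    through the Windows Security app, Intune, or Defender for Endpoint.
$status = Get-MpComputerStatus
if (-not $status.IsTamperProtected) {
    $findings.Add("Tamper protection is OFF")
}

# 3. Network protection: 0 = Disabled, 1 = Enabled (block), 2 = Audit mode.
#    Only block mode actually stops the C2 traffic the article describes.
$pref = Get-MpPreference
if ($pref.EnableNetworkProtection -ne 1) {
    $findings.Add("Network protection is not in block mode (current value: $($pref.EnableNetworkProtection))")
}

if ($findings.Count -eq 0) {
    Write-Output "OK: patch present, tamper protection on, network protection in block mode"
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    # Remediation for item 3 (items 1 and 2 require Windows Update / management tooling):
    #   Set-MpPreference -EnableNetworkProtection Enabled
    exit 1
}
```

`Get-HotFix` reads the Win32_QuickFixEngineering class, so it only sees updates installed through Windows Update or DISM; for fleet-wide coverage, compare the host's build number against the fixed build listed in the Microsoft advisory instead of relying on the KB lookup alone.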
