Threat Actors Abuse Microsoft Help Index File to Execute PipeMagic Malware

Cybersecurity researchers have recently unveiled a sophisticated malware campaign that exploits Microsoft Help Index Files (.mshi) to deploy the infamous PipeMagic backdoor. This development signifies a notable evolution in the tactics employed by threat actors since the malware was first detected in 2022.

The campaign has primarily targeted organizations in Saudi Arabia and Brazil throughout 2025, reflecting the attackers’ ongoing refinement of their infection methods and persistence mechanisms.

PipeMagic first emerged in December 2022 during a RansomExx ransomware campaign aimed at industrial companies in Southeast Asia. Its notoriety grew when it was later found to exploit CVE-2025-29824, a vulnerability that Microsoft recognized as being actively exploited in the wild during their April 2025 patch cycle.

The operators of this backdoor have shown remarkable adaptability, evolving from their initial exploitation of the CVE-2017-0144 vulnerability to employing more sophisticated social engineering techniques in recent attacks.

Blank screen of the fake application (Source – Securelist)

The latest iteration of PipeMagic has broadened its geographical reach, with researchers from Securelist identifying infections across various regions. The malware retains its core functionality as a versatile backdoor, capable of functioning in two distinct modes: as a comprehensive remote access tool and as a network gateway for lateral movement within compromised infrastructures.

What sets the 2025 campaign apart is the attackers’ innovative use of Microsoft Help Index Files as an initial infection vector. These files, which typically contain metadata for Microsoft help documentation, have been weaponized to carry obfuscated C# code alongside encrypted payloads.

The malicious .mshi files utilize the legitimate MSBuild framework for execution, effectively circumventing traditional security controls that might flag more conventional executable formats.

Advanced Infection Mechanism Through MSBuild Exploitation

The infection chain commences when victims execute the malicious metafile.mshi, which contains heavily obfuscated C# code paired with an extensive hexadecimal string.

Contents of metafile.mshi (Source – Securelist)

The execution is initiated through a meticulously crafted command line sequence:

c:\windows\system32\cmd.exe "/k c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe c:\w
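Detection logic for the launch chain described above, added here as an example that is not part of the original report or of Securelist's material: it flags msbuild.exe being handed a file that is not a build project (unwrapping a cmd.exe /k or /c wrapper) and notes when cmd.exe is the parent process. The build-file allowlist and the Sysmon-style sample events are assumptions constructed for the example.

```python
import ntpath
import re
# Extensions MSBuild legitimately consumes (assumed allowlist); anything else, such as .mshi, is flagged.
BUILD_EXTENSIONS = {".sln", ".csproj", ".vbproj", ".fsproj", ".vcxproj", ".proj", ".targets", ".props", ".xml"}

def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted runs intact."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def msbuild_inputs(cmdline: str) -> list[str]:
    """Non-build-file arguments handed to msbuild.exe, unwrapping a cmd.exe /k or /c wrapper."""
    argv = split_cmdline(cmdline)
    exe = ntpath.basename(argv[0]).lower() if argv else ""
    if exe == "cmd.exe":
        for i, arg in enumerate(argv[1:], 1):
            if arg[:2].lower() in ("/k", "/c"):  # inner command follows the switch
                return msbuild_inputs(" ".join([arg[2:].strip()] + argv[i + 1:]))
        return []
    if exe != "msbuild.exe":
        return []
    hits = []
    for arg in argv[1:]:
        if arg.startswith(("/", "-")):  # MSBuild switches such as /t:Build or /p:...
            continue
        ext = ntpath.splitext(arg)[1].lower()
        if ext and ext not in BUILD_EXTENSIONS:
            hits.append(arg)
    return hits
def scan_events(events: list[dict]) -> list[dict]:
    """Evaluate process-creation events; each finding lists why it fired."""
    findings = []
    for ev in events:
        inputs = msbuild_inputs(ev["CommandLine"])
        if not inputs:
            continue
        reasons = [f"msbuild.exe given non-project input: {', '.join(inputs)}"]
        if ntpath.basename(ev.get("ParentImage", "")).lower() == "cmd.exe":
            reasons.append("msbuild.exe spawned by cmd.exe")
        findings.append({"ProcessId": ev["ProcessId"], "reasons": reasons})
    return findings
# Constructed sample events in a Sysmon-like field layout, not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'c:\windows\system32\cmd.exe "/k c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe c:\data\metafile.mshi"'},
    {"ProcessId": 4136, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe c:\data\metafile.mshi"},
    {"ProcessId": 5200, "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "CommandLine": r'msbuild.exe "C:\src\app\app.csproj" /t:Build /p:Configuration=Release'},
]
```

Running scan_events(SAMPLE_EVENTS) reports the cmd.exe wrapper and the msbuild.exe child, while the Visual Studio build of app.csproj stays silent.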

The embedded C# code serves dual purposes within the infection process. Initially, it decrypts the accompanying shellcode using the RC4 stream cipher with a hardcoded 64-character hexadecimal key (4829468622e6b82ff056e3c945dd99c94a1f0264d980774828aadda326b775e5).

Upon successful decryption, the code executes the shellcode through the Windows API function EnumDeviceMonitor, employing a technique that inserts the shellcode pointer into the function’s third parameter while setting the first two parameters to zero.

The decrypted shellcode contains executable code specifically tailored for 32-bit Windows systems. It utilizes advanced evasion techniques, including export table parsing and FNV-1a hashing algorithms, to dynamically resolve system API addresses, thereby complicating static analysis.

Ultimately, the shellcode loads an unencrypted executable embedded within its own structure, establishing the PipeMagic backdoor’s presence on the compromised system and enabling communication through its characteristic named pipe infrastructure at 127.0.0.1:8082.


Winsage