Exploitation of CLFS zero-day leads to ransomware activity

The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have identified a concerning post-compromise exploitation of a zero-day elevation of privilege vulnerability within the Windows Common Log File System (CLFS). This vulnerability, designated as CVE-2025-29824, has been leveraged against a select group of organizations across various sectors, including information technology and real estate in the United States, the financial sector in Venezuela, a software company in Spain, and retail operations in Saudi Arabia. In response, Microsoft issued security updates on April 8, 2025, to mitigate this risk.

In their investigation, Microsoft uncovered that the exploit was utilized by PipeMagic malware, with the activity attributed to a group known as Storm-2460. This group has a history of employing PipeMagic to facilitate ransomware deployment. The significance of post-compromise elevation of privilege exploits lies in their ability to transform initial access—often gained through commodity malware—into privileged access, allowing for extensive ransomware deployment within affected environments. Microsoft emphasizes the importance of prioritizing security updates for such vulnerabilities to bolster defenses against potential ransomware attacks.

CVE-2025-29824: A zero-day vulnerability in the Common Log File System (CLFS)

The identified exploit targets a zero-day vulnerability in the CLFS kernel driver, enabling attackers with standard user privileges to escalate their access. This vulnerability was effectively patched by Microsoft on April 8, 2025.

Pre-exploitation activity

While the exact vectors for initial access remain undetermined, notable pre-exploitation behaviors have been observed from Storm-2460. In several instances, the threat actor employed the certutil utility to download a file from a previously compromised legitimate third-party website, which was used to host their malware.

This file, an MSBuild file containing an encrypted malware payload, was decrypted and executed via the EnumCalendarInfoA API callback, revealing the presence of PipeMagic. Previous documentation by Kaspersky in October 2024 and observations by ESET in 2023 have linked PipeMagic to the deployment of zero-day exploits, including one for a Win32k vulnerability (CVE-2025-24983). A domain associated with PipeMagic, aaaaabbbbbbb.eastus.cloudapp.azure[.]com, has since been disabled by Microsoft.

CLFS exploit activity

Once PipeMagic was deployed, attackers executed the CLFS exploit from a dllhost.exe process. The exploit targets a vulnerability in the CLFS kernel driver and first uses the NtQuerySystemInformation API to leak kernel addresses to user mode. Starting with Windows 11, version 24H2, however, the System Information Classes that expose those addresses are restricted to callers holding SeDebugPrivilege, which by default only administrative users have. That change does not remove the CLFS bug itself, but it breaks this exploit's address leak and so renders the observed exploit ineffective on that version of Windows.

The exploit then combines a memory corruption with the RtlSetAllBits API to overwrite the privilege bitmap of the exploit process's token, setting every bit so that the process holds all privileges, which is enough to inject into SYSTEM processes. As a side effect of the exploitation, a CLFS base log file (BLF) is created at C:\ProgramData\SkyPDF\PDUDrv.blf; that path is a reliable post-exploitation artifact to hunt for.

Post-exploitation activity leads to ransomware activity

Upon successful exploitation, a payload is injected into winlogon.exe, which in turn injects the Sysinternals tool procdump.exe into another dllhost.exe instance and runs it with a command line that dumps the memory of LSASS (observed as dllhost.exe -accepteula -r -ma lsass.exe), allowing the actor to extract user credentials from the dump.

Following this, Microsoft observed ransomware activity on the targeted systems, characterized by file encryption with a random extension appended to each encrypted file and the creation of a ransom note named !_READ_ME_REXX2_!.txt. This ransomware activity is tracked under the label Storm-2460.

While a sample of the ransomware was not available for analysis, several notable indicators surrounding the activity have been documented:

  • Two .onion domains were identified in the ransom notes, including uyhi3ypdkfeymyf5v35pbk3pz7st3zamsbjzf47jiqbcm3zmikpwf3qd.onion.
  • The ransomware is initiated from dllhost.exe using a command line of the form dllhost.exe --do [path_to_ransom].
  • Each device sees a unique random extension applied to encrypted files, consistent across all files on that device.
  • Commands executed to hinder recovery or analysis include:
    • bcdedit /set {default} recoveryenabled no
    • wbadmin delete catalog -quiet
    • wevtutil cl Application
  • In one instance, the actor executed notepad.exe as SYSTEM.

Mitigation and protection guidance

Microsoft’s security updates released on April 8, 2025, address CVE-2025-29824. Systems running Windows 11, version 24H2, are not affected by the observed exploitation even where the vulnerable CLFS code is present, because the kernel address leak the exploit relies on is blocked on that version; they should still be patched, since the underlying bug is not fixed by that restriction alone. Microsoft strongly encourages customers to apply these updates promptly.

To mitigate the impact of activities associated with Storm-2460, Microsoft recommends the following strategies:

  • Consult the blog titled Ransomware as a service: Understanding the cybercrime gig economy for comprehensive measures against ransomware.
  • Enable cloud-delivered protection in Microsoft Defender Antivirus or equivalent antivirus solutions to safeguard against rapidly evolving threats.
  • Utilize device discovery to enhance network visibility by identifying unmanaged devices and integrating them into Microsoft Defender for Endpoint.
  • Run EDR in block mode to ensure that Microsoft Defender for Endpoint can neutralize malicious artifacts, even when other antivirus solutions fail to detect them.
  • Activate full automated mode for investigation and remediation to allow Microsoft Defender for Endpoint to respond to alerts efficiently, thereby reducing alert volume.
  • For Microsoft 365 Defender customers, enable attack surface reduction rules to thwart common ransomware attack techniques.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can access a list of relevant detections that coordinate detection, prevention, investigation, and response across various platforms to provide integrated protection against the discussed threats.

Microsoft Defender Antivirus

Microsoft Defender Antivirus identifies threats linked to this activity as follows:

  • SilverBasket (Win64/Windows)
  • MSBuildInlineTaskLoader.C (Script/Windows)
  • SuspClfsAccess (Win32/Windows)

Microsoft Defender for Endpoint

The following alerts may indicate threat activity associated with this incident, although they may also be triggered by unrelated activities:

  • A process was injected with potentially malicious code.
  • Potential Windows DLL process injection detected.
  • Suspicious access to LSASS service.
  • Sensitive credential memory read observed.
  • Suspicious process injection noted.
  • File backups deleted.
  • Ransomware behavior detected in the file system.

Microsoft Security Copilot

Customers utilizing Security Copilot can leverage a standalone experience to create custom prompts or utilize pre-built promptbooks for automating incident response and investigative tasks related to this threat:

  • Incident investigation
  • Microsoft User analysis
  • Threat actor profile
  • Threat Intelligence 360 report based on MDTI article
  • Vulnerability impact assessment

Note that some promptbooks may require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Hunting queries

Microsoft Sentinel

Customers using Microsoft Sentinel can deploy TI Mapping analytics to automatically correlate the malicious domain indicators mentioned in this report with their workspace data. If these analytics are not currently in place, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub for deployment.

Search for devices with CVE-2025-29824 exposure

DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2025-29824")
| project DeviceId, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, VulnerabilitySeverityLevel, PublishedDate, VulnerabilityDescription, AffectedSoftware
) on CveId
| project DeviceId, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel, CvssScore, IsExploitAvailable, PublishedDate, VulnerabilityDescription, AffectedSoftware

Detect CLFS BLF file creation post-exploitation of CVE-2025-29824

DeviceFileEvents
| where FolderPath has "C:\ProgramData\SkyPDF" and FileName endswith ".blf"

LSASS process dumping activity

// Requires process creation auditing (event 4688) with command-line logging enabled on the source hosts
SecurityEvent
| where EventID == 4688
| where CommandLine has "dllhost.exe -accepteula -r -ma lsass.exe"
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer

Ransomware process activity

let cmdlines = dynamic(["C:\Windows\system32\dllhost.exe --do", "bcdedit /set {default} recoveryenabled no", "wbadmin delete catalog -quiet", "wevtutil cl Application"]);
DeviceProcessEvents
| where ProcessCommandLine has_any (cmdlines)
| project TimeGenerated, DeviceName, ProcessCommandLine, AccountDomain, AccountName
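The hunting queries above, together with the post-exploitation indicators listed earlier (the PDUDrv.blf drop, procdump running under the dllhost.exe name against LSASS, the dllhost.exe --do launch and the three recovery-inhibiting commands), can be exercised offline as a small triage script. The following is an added example and is not Microsoft's code or a query from the original post. The process and file events it scans are constructed; the host names, timestamps and the CLSID in the benign dllhost.exe sample are hypothetical, and the record fields only mimic the DeviceProcessEvents and DeviceFileEvents columns. It goes one step beyond the KQL in two ways: any dllhost.exe that was not started as a COM surrogate (/Processid:{CLSID}) is treated as suspicious rather than only the two exact command lines, and the findings are correlated per device to check whether the stages fired in the order the page describes.

```python
"""Triage constructed Windows telemetry for the Storm-2460 post-exploitation chain
described on this page. Added example; sample events are hypothetical and only
mimic Microsoft Defender DeviceProcessEvents / DeviceFileEvents columns."""
import ntpath
import re
from collections import defaultdict

# --- constructed sample telemetry (hypothetical hosts, times and CLSID) ---
PROCESS_EVENTS = [
    {"ts": "2025-04-01T10:01:00Z", "DeviceName": "ws01", "FileName": "dllhost.exe",
     "ProcessCommandLine": "dllhost.exe /Processid:{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"},  # normal COM surrogate
    {"ts": "2025-04-01T10:02:10Z", "DeviceName": "ws01", "FileName": "dllhost.exe",
     "ProcessCommandLine": "dllhost.exe -accepteula -r -ma lsass.exe"},                 # procdump hiding as dllhost
    {"ts": "2025-04-01T10:05:00Z", "DeviceName": "ws01", "FileName": "dllhost.exe",
     "ProcessCommandLine": "C:\\Windows\\system32\\dllhost.exe --do C:\\Users\\Public\\note.txt"},
    {"ts": "2025-04-01T10:05:30Z", "DeviceName": "ws01", "FileName": "bcdedit.exe",
     "ProcessCommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"ts": "2025-04-01T10:05:31Z", "DeviceName": "ws01", "FileName": "wbadmin.exe",
     "ProcessCommandLine": "wbadmin delete catalog -quiet"},
    {"ts": "2025-04-01T10:05:32Z", "DeviceName": "ws01", "FileName": "wevtutil.exe",
     "ProcessCommandLine": "wevtutil cl Application"},
    {"ts": "2025-04-01T11:00:00Z", "DeviceName": "ws02", "FileName": "wevtutil.exe",
     "ProcessCommandLine": "wevtutil qe Application /c:5"},                            # benign read, must not fire
]
FILE_EVENTS = [
    {"ts": "2025-04-01T10:01:50Z", "DeviceName": "ws01", "ActionType": "FileCreated",
     "FolderPath": "C:\\ProgramData\\SkyPDF", "FileName": "PDUDrv.blf"},
    {"ts": "2025-04-01T09:00:00Z", "DeviceName": "ws02", "ActionType": "FileCreated",
     "FolderPath": "C:\\Windows\\System32\\config\\TxR", "FileName": "sample.blf"},   # CLFS logs are normal elsewhere
]

# The COM surrogate is started as "dllhost.exe /Processid:{CLSID}"; anything else running
# under that name deserves a look. This actor used it for both the renamed procdump and
# the ransomware launcher.
COM_SURROGATE = re.compile(r"^/processid:\{[0-9a-f-]{36}\}$", re.I)
PROCDUMP_LSASS = re.compile(r"(^|\s)-ma\s+lsass(\.exe)?(\s|$)", re.I)
RANSOM_LAUNCH = re.compile(r"(^|\s)--?do\s+\S", re.I)   # "--do <path>" (the page also prints an en dash)
# image name -> (argument pattern, finding label) for the recovery-inhibiting commands
RECOVERY_INHIBIT = {
    "bcdedit.exe": (re.compile(r"/set\s+\{\w+\}\s+recoveryenabled\s+no\b", re.I), "recovery_disabled"),
    "wbadmin.exe": (re.compile(r"^delete\s+catalog\b", re.I), "backup_catalog_deleted"),
    "wevtutil.exe": (re.compile(r"^cl\s+\S", re.I), "event_log_cleared"),
}
# stages of the chain in the order the page describes them
STAGES = ["clfs_blf_dropped", "lsass_dump_via_dllhost", "ransomware_launch_dllhost_do"]


def _args(cmdline):
    """Drop the executable token (quoted or bare path) and return the remaining arguments, trimmed."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*?)\s*$', cmdline)
    return m.group(1) if m else ""


def _finding(ev, rule):
    return {"ts": ev["ts"], "device": ev["DeviceName"], "rule": rule,
            "evidence": ev.get("ProcessCommandLine") or ntpath.join(ev["FolderPath"], ev["FileName"])}


def scan_process_events(events):
    findings = []
    for ev in events:
        image = ntpath.basename(ev["FileName"]).lower()
        args = _args(ev["ProcessCommandLine"])
        if image == "dllhost.exe" and not COM_SURROGATE.match(args):
            if PROCDUMP_LSASS.search(args):
                findings.append(_finding(ev, "lsass_dump_via_dllhost"))
            elif RANSOM_LAUNCH.search(args):
                findings.append(_finding(ev, "ransomware_launch_dllhost_do"))
            else:
                findings.append(_finding(ev, "dllhost_nonstandard_args"))
        elif image in RECOVERY_INHIBIT:
            pattern, label = RECOVERY_INHIBIT[image]
            if pattern.search(args):
                findings.append(_finding(ev, label))
    return findings


def scan_file_events(events):
    """.blf files are normal in system locations; the exploit artifact lives under ProgramData\\SkyPDF."""
    out = []
    for ev in events:
        folder = ev["FolderPath"].lower().rstrip("\\")
        if ev["FileName"].lower().endswith(".blf") and folder.startswith("c:\\programdata\\skypdf"):
            out.append(_finding(ev, "clfs_blf_dropped"))
    return out


def correlate(findings):
    """Per device: which chain stages fired, whether their first occurrences follow the
    page's order (exploit artifact -> LSASS dump -> ransomware launch), and other findings."""
    by_dev = defaultdict(list)
    for f in findings:
        by_dev[f["device"]].append(f)
    summary = {}
    for dev, fs in by_dev.items():
        first_seen = {}
        for f in sorted(fs, key=lambda f: f["ts"]):
            first_seen.setdefault(f["rule"], f["ts"])
        stages = [s for s in STAGES if s in first_seen]
        times = [first_seen[s] for s in stages]
        summary[dev] = {"stages": stages, "in_order": times == sorted(times),
                        "other": sorted(set(first_seen) - set(STAGES))}
    return summary


def triage(process_events=PROCESS_EVENTS, file_events=FILE_EVENTS):
    findings = scan_process_events(process_events) + scan_file_events(file_events)
    return findings, correlate(findings)


if __name__ == "__main__":
    found, summary = triage()
    for f in sorted(found, key=lambda f: (f["device"], f["ts"])):
        print(f"{f['ts']} {f['device']:5} {f['rule']:30} {f['evidence']}")
    print(summary)
```

Run against the constructed sample, the script reports all three chain stages on ws01 in the expected order plus the three recovery-inhibiting commands, and nothing on ws02, whose wevtutil query and system-location .blf file are benign. The dllhost_nonstandard_args catch-all is deliberately broad; in a real environment, baseline it for a few days before alerting on it.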

PipeMagic and RansomEXX ransomware domains

let domains = dynamic(["aaaaabbbbbbb.eastus.cloudapp.azure.com","jbdg4buq6jd7ed3rd6cynqtq5abttuekjnxqrqyvk4xam5i7ld33jvqd.onion","uyhi3ypdkfeymyf5v35pbk3pz7st3zamsbjzf47jiqbcm3zmikpwf3qd.onion"]);
DeviceNetworkEvents
| where RemoteUrl has_any (domains)
| project TimeGenerated, DeviceId, DeviceName, Protocol, LocalIP, LocalIPType, LocalPort,RemoteIP, RemoteIPType, RemotePort, RemoteUrl

Indicators of compromise

Indicator                                   Type           Description
C:\ProgramData\SkyPDF\PDUDrv.blf             Path           Dropped during CLFS exploit
C:\Windows\system32\dllhost.exe --do         Command line   Injected dllhost
bcdedit /set {default} recoveryenabled no    Command line   Ransomware command
wbadmin delete catalog -quiet                Command line   Ransomware command
wevtutil cl Application                      Command line   Ransomware command
aaaaabbbbbbb.eastus.cloudapp.azure[.]com     Domain         Used by PipeMagic

Learn more

For the latest insights and security research from the Microsoft Threat Intelligence community, visit the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To stay informed about new publications and engage in discussions on social media, follow Microsoft on LinkedIn: https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter): https://x.com/MsftSecIntel.

For stories and insights from the Microsoft Threat Intelligence community regarding the evolving threat landscape, tune into the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.