Emerging Threats in Cybersecurity: The Rise of PipeMagic
In a recent analysis, Microsoft has raised alarms about a sophisticated strain of malware known as PipeMagic, which is being disguised as a ChatGPT desktop application. This malware is linked to a threat actor identified as Storm-2460, who is reportedly preparing for ransomware attacks. Microsoft’s findings, released on Monday, detail how this backdoor exploits a zero-day vulnerability that was first disclosed in April.
The implications of this malware are significant, as Storm-2460 has targeted various sectors across multiple regions, including the information technology, financial, and real estate industries in the United States, Europe, South America, and the Middle East. Microsoft researchers noted that while the number of affected organizations remains relatively small, the combination of a zero-day exploit and a modular backdoor for ransomware deployment makes this threat particularly concerning.
This analysis aligns with earlier reports from cybersecurity firm Kaspersky, which indicated that cybercriminals have been using a counterfeit ChatGPT application as bait to deploy the PipeMagic backdoor against targets in Asia and Saudi Arabia. Kaspersky has highlighted that this malware not only facilitates the theft of sensitive information but also provides remote access to compromised devices.
PipeMagic first emerged in 2022 during attacks on Asian entities, but its usage saw a resurgence in September 2024. Victims who open the malicious ChatGPT application are met with a blank screen, devoid of any visible interface, making detection challenging.
Researchers at ESET identified the corresponding zero-day vulnerability, tracked as CVE-2025-29824, in March. This bug affects the Windows Common Log File System Driver (CLFS), which has historically been a frequent target for ransomware groups. The CLFS logging framework, introduced by Microsoft in Windows Server 2003 R2, allows users to record and reproduce actions, making it a valuable tool for both legitimate and malicious activities.
Microsoft’s advisory elaborated on the capabilities of PipeMagic, describing it as a sophisticated malware tool that grants hackers both flexibility and persistence within a victim’s system. The design of the malware complicates detection efforts, and Microsoft’s Threat Intelligence team encountered PipeMagic while investigating the exploitation of the aforementioned zero-day vulnerability.
To execute their attacks, the hackers modified an open-source ChatGPT project hosted on GitHub, embedding malicious code that decrypts and launches a payload. Once PipeMagic is operational, the threat actor exploits the CLFS vulnerability to escalate privileges before deploying ransomware. While Microsoft has not disclosed the specific strain of ransomware involved, Kaspersky has reported that PipeMagic was utilized in conjunction with a RansomExx ransomware campaign. Additionally, Symantec noted in May that actors associated with the Play ransomware group have also exploited CVE-2025-29824 in their attacks.
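The two practical questions this raises for a defender are whether a "ChatGPT desktop" binary on a workstation is actually signed by the publisher it claims to be, and whether the host's CLFS driver has been updated past the version affected by CVE-2025-29824. The PowerShell triage script below is an added example written for this page; it is not code from the article, from Microsoft, Kaspersky or ESET, and it does not detect PipeMagic itself. The installer path, the expected certificate subject and the patched driver version are placeholders that must be replaced with values taken from the vendor's advisory and the genuine publisher's certificate.

```powershell
# Added example, not from the article. Defender-side triage for the two
# points the article raises: (1) is the "ChatGPT desktop" executable signed
# by a trusted publisher, and (2) is clfs.sys at or above the patched build?
# All three parameters are assumptions/placeholders; fill them from the
# real advisory and the real publisher certificate before relying on output.
param(
    [string]$AppPath = "C:\Users\Public\Downloads\ChatGPT.exe",   # assumed location of the suspect app
    [string]$ExpectedSubject = "CN=PLACEHOLDER-PUBLISHER",        # placeholder: genuine publisher's cert subject
    [version]$PatchedClfsVersion = [version]"0.0.0.0"             # placeholder: patched clfs.sys build from the advisory
)

function Test-AppSignature {
    # Verify Authenticode status and signer subject, and record a SHA-256
    # so the file can be cross-checked against published hashes later.
    param([string]$Path, [string]$Subject)
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'Missing'; Trusted = $false }
    }
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
    $subjectMatches = $null -ne $sig.SignerCertificate -and
                      $sig.SignerCertificate.Subject -like "*$Subject*"
    [pscustomobject]@{
        Path    = $Path
        SHA256  = $hash
        Status  = $sig.Status                         # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        Trusted = ($sig.Status -eq 'Valid') -and $subjectMatches
    }
}

function Test-ClfsPatched {
    # Compare the installed CLFS driver's file version with the patched baseline.
    # Build the version from the numeric parts, because FileVersion is a free-form
    # string (e.g. "10.0.19041.1 (WinBuild.160101.0800)") and does not cast cleanly.
    param([version]$Baseline)
    $drv = Get-Item -Path "$env:SystemRoot\System32\drivers\clfs.sys"
    $vi  = $drv.VersionInfo
    $installed = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    [pscustomobject]@{
        Driver    = $drv.FullName
        Installed = $installed
        Baseline  = $Baseline
        Patched   = ($installed -ge $Baseline)
    }
}

# Run both checks and emit a compact report; a false in either Trusted or
# Patched is the signal to escalate (quarantine the binary, patch the host).
$appResult  = Test-AppSignature -Path $AppPath -Subject $ExpectedSubject
$clfsResult = Test-ClfsPatched -Baseline $PatchedClfsVersion

$appResult  | Format-List
$clfsResult | Format-List

if (-not $appResult.Trusted)  { Write-Warning "App at $AppPath is not validly signed by the expected publisher." }
if (-not $clfsResult.Patched) { Write-Warning "clfs.sys is below the patched baseline; apply the CVE-2025-29824 update." }
```

Run it from an elevated PowerShell session so the driver file's version info is readable. The signature check is deliberately conservative: a signature that is present but not `Valid`, or valid but issued to a different subject than the expected publisher, is reported as untrusted, which is the correct outcome for a repackaged open-source build that carries someone else's certificate or none at all.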