A sophisticated malware campaign has been identified, utilizing PipeMagic, a highly modular backdoor deployed by the financially motivated threat actor Storm-2460.\u00a0<\/p>\n
This advanced malware masquerades as a legitimate open-source ChatGPT Desktop Application while exploiting the zero-day vulnerability CVE-2025-29824 in Windows Common Log File System<\/a> (CLFS) to deploy ransomware across multiple sectors globally.<\/p>\n The threat actor leverages a trojanized version of the popular ChatGPT Desktop Application available on GitHub, using it as a delivery mechanism for the PipeMagic backdoor.\u00a0<\/p>\n This deceptive approach allows the malware<\/a> to bypass initial user suspicion while establishing persistent access to compromised systems.\u00a0<\/p>\n The observed targets span information technology, financial, and real estate sectors across the United States, Europe, South America, and the Middle East, demonstrating the campaign\u2019s broad geographic scope and cross-industry impact.<\/p>\n Microsoft reports<\/a> that the PipeMagic employs a complex infection sequence beginning with a malicious MSBuild file downloaded via the certutil utility from compromised legitimate websites.\u00a0<\/p>\n The initial stage features an in-memory dropper disguised as the legitimate ChatGPT<\/a> application, which decrypts and launches the embedded PipeMagic payload directly into memory to evade detection.<\/p>\n The malware generates a unique 16-byte bot identifier for each infected host and establishes a named pipe using the format \\.pipe1.<Bot ID hex string> for payload delivery.\u00a0<\/p>\n This bidirectional communication channel enables continuous module deployment while maintaining stealth.\u00a0<\/p>\n The system utilizes RC4 encryption with a hardcoded 32-byte key and performs SHA-1 hash validation to ensure payload integrity during transmission.<\/p>\n PipeMagic\u2019s technical sophistication lies in its use of four distinct doubly linked list structures: payload, execute, network, and unknown lists, each serving specific functions within the backdoor\u2019s architecture.<\/p>\n The malware maintains persistent command-and-control (C2)<\/a> communication through a dedicated networking module that handles TCP connections to the domain aaaaabbbbbbb.eastus.cloudapp.azure[.]com:443, which Microsoft has subsequently disabled.<\/p>\n The backdoor supports over 20 different operational commands, including system reconnaissance, module management, process enumeration, and payload execution.\u00a0<\/p>\n Critical capabilities include backdoor code 0xF for self-deletion and 0x11 for module replacement, enabling dynamic operational adaptation.\u00a0<\/p>\n The malware collects comprehensive system information, including OS version, domain membership, integrity levels, and network configuration, before transmitting data to C2 servers.<\/p>\n Microsoft recommends enabling tamper protection and network protection in Defender for Endpoint, alongside implementing EDR in block mode for post-breach artifact remediation.\u00a0<\/p>\n Organizations should prioritize deploying patches for CVE-2025-29824<\/a> and utilize cloud-delivered protection to defend against rapidly evolving attack variants.<\/p>\n Microsoft Defender<\/a> XDR provides specific detections for PipeMagic variants, including alerts for active malware processes and ransomware-linked threat group activities.\u00a0<\/p>\n The campaign highlights the critical importance of maintaining updated security controls and monitoring for suspicious named pipe communications and unusual ChatGPT application behavior across enterprise environments.<\/p>\n The post PipeMagic Malware Mimic as ChatGPT App Exploits Windows Vulnerability to Deploy Ransomware<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nKey Takeaways<\/strong>
<\/mark>1. PipeMagic masquerades as ChatGPT Desktop App while exploiting a Windows zero-day.
2. Features a modular design with encrypted named pipe communication and dynamic payload loading to evade detection.
3. Storm-2460 targets IT, financial, and real estate sectors worldwide.<\/pre>\nPipeMagic Modular Backdoor<\/strong><\/h2>\n
Mitigations<\/strong><\/h2>\n
Safely detonate suspicious files to uncover threats, enrich your investigations, and cut incident response time.\u00a0Start with an\u00a0ANYRUN sandbox trial<\/a>\u00a0\u2192\u00a0<\/code><\/strong><\/p>\n
![\"Bot](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdHsGQwf8ykor3Do5ZlFzLLgPTqSms7nFXAvGWaEHk3DVe4jBoT4f-QfwJaaqrOzBLTVCHUa9MVNCXchoxBj5jaj_xYQ5RlFFvGvD5cUkFH1fmcDOUVqyrQozd3TAByNsahWqxjAw?key=dktAokkZIZnxmog4BcIQag\")
![\"Populating](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXfbrzMM3z9vfTgMC7YfVRJYIzujr4-XC4XNPutZEt8HKuA3FEU2ClBdINHnP8n4fFLzlwyP17bw8jTnrnVIcZEnEAHWO5ha9ZL8wyOqOeLdKszVUej7Pz2RigfwbHSa1NoGCyA3LQ?key=dktAokkZIZnxmog4BcIQag\")