Cybersecurity researchers have uncovered a campaign in which threat actors use a Microsoft Help Index File (.mshi) to deploy the PipeMagic backdoor, a notable evolution in the malware's delivery chain.
The activity ties into the exploitation of CVE-2025-29824, a zero-day elevation-of-privilege vulnerability in the Windows Common Log File System (CLFS) driver that Microsoft patched on April 8, 2025.
The flaw let an attacker with an ordinary user account escalate to SYSTEM privileges, a step groups such as Storm-2460 used before deploying ransomware.
Recent Exploitation Tactics
PipeMagic, first identified in December 2022 during RansomExx campaigns targeting industrial firms in Southeast Asia, has since adapted its tactics.
In 2024, it masqueraded as a fake ChatGPT application to infiltrate organizations in Saudi Arabia, using Rust-based loaders built with Tauri and Tokio frameworks to decrypt and execute encrypted payloads via shellcode.
By 2025 infections had spread to Brazil and Saudi Arabia, and delivery shifted to .mshi files carrying obfuscated C# code that decrypts RC4-encrypted shellcode, which in turn loads a 32-bit executable in memory.
These loaders resolve Windows API functions at runtime by FNV-1a hash rather than by name, and communicate over named pipes of the form `\\.\pipe\1.<hex>`.
Microsoft has described the related activity as post-compromise exploitation: PipeMagic fetches additional modules from an Azure-hosted domain (listed in the IoCs below), after which the operators dump credentials with ProcDump renamed to dllhost.exe.
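The two loader stages described above (RC4-decrypt the embedded payload, then resolve Win32 APIs by FNV-1a hash) re-created as an analyst-side helper that maps hash constants found in a decrypted payload back to export names. This is an added example, not PipeMagic's own code. Assumptions the page does not state: 32-bit FNV-1a with the standard offset basis and prime, hashed over the raw ASCII export name without case folding; the key and payload bytes are constructed for the demo.

```python
"""Loader-stage re-creation: RC4 decrypt, then FNV-1a API-hash resolution.
Added example; assumes 32-bit FNV-1a over raw ASCII names (an assumption),
and uses a constructed key and payload."""

FNV32_OFFSET = 0x811C9DC5
FNV32_PRIME = 0x01000193


def fnv1a_32(data: bytes) -> int:
    """Standard 32-bit FNV-1a: XOR each byte in, then multiply by the prime."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:                            # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Exports a shellcode loader commonly needs (constructed list); when
# reversing a real sample, feed the full export list of kernel32/ntdll.
KNOWN_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "CreateNamedPipeA", "ConnectNamedPipe", "ReadFile", "WriteFile",
]


def build_hash_table(names):
    """hash -> export name, the reverse of what the loader computes at runtime."""
    return {fnv1a_32(n.encode("ascii")): n for n in names}


def scan_for_hashes(blob: bytes, table) -> list:
    """Find little-endian 32-bit constants in blob equal to a known API hash.
    Every byte offset is tried because hash immediates are not aligned."""
    hits = []
    for off in range(len(blob) - 3):
        word = int.from_bytes(blob[off:off + 4], "little")
        if word in table:
            hits.append((off, table[word]))
    return hits


# Constructed "shellcode": two NOPs, three API-hash immediates, an int3,
# RC4-encrypted under a constructed key the way the .mshi stage embeds it.
DEMO_KEY = b"demo-rc4-key"
DEMO_PLAIN = b"\x90\x90" + b"".join(
    fnv1a_32(n.encode("ascii")).to_bytes(4, "little")
    for n in ("LoadLibraryA", "GetProcAddress", "VirtualAlloc")
) + b"\xcc"
DEMO_ENCRYPTED_PAYLOAD = rc4(DEMO_KEY, DEMO_PLAIN)


def recover_imports(encrypted: bytes, key: bytes) -> list:
    """Decrypt the payload as the loader would, then name its API hashes."""
    table = build_hash_table(KNOWN_EXPORTS)
    return [name for _, name in scan_for_hashes(rc4(key, encrypted), table)]


if __name__ == "__main__":
    print(recover_imports(DEMO_ENCRYPTED_PAYLOAD, DEMO_KEY))
```

Against a real sample the offset basis, prime and any case folding must be read out of the loader's hashing routine first; a mismatch in any of them yields zero hits rather than wrong names, which is the usual sign that one of these assumptions is off.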
Technical Analysis of Loaders
The 2025 variants add several loading mechanisms. One is DLL hijacking: a malicious googleupdate.dll is loaded in place of the legitimate library, and its DllMain decrypts an AES-encrypted payload in CBC mode using a hardcoded key and IV.
Once running, PipeMagic generates a random 16-byte value to build its pipe name and can operate in a graphical mode despite having no visible interface; the resulting foothold is used for persistence and lateral movement.
Newly discovered modules extend its functionality. An asynchronous communication plugin uses I/O completion ports to service file operations (reads, writes and error flagging), tracks outstanding requests in a doubly linked list of descriptors, and accepts commands for initialisation, termination and data processing.
According to Kaspersky's report, a loader module injects 64-bit payloads by parsing its resources, resolving imports by name comparison, and calling exported functions such as DllRegisterService to exchange data.
An injector module patches the AMSI scanning interfaces in amsi.dll to evade detection, then loads .NET payloads through mscoree.dll after checking which CLR runtime (4.0.30319 or 2.0.50727) is present.
Post-exploitation involves dumping LSASS memory with a renamed ProcDump to extract credentials, mirroring the CVE-2025-29824 exploitation chain, which creates a CLFS base log file such as `C:\ProgramData\SkyPDF\PDUDrv.blf` and injects into system processes.
Ransomware indicators include random file extensions on encrypted files, .onion domains in the ransom notes, and bcdedit and wbadmin commands that disable recovery, for example by turning off boot recovery and deleting the backup catalog.
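Detection logic for the post-exploitation and ransomware-preparation behaviours described in the two paragraphs above (LSASS dumped by a renamed ProcDump, a CLFS .blf staged under ProgramData, bcdedit/wbadmin recovery tampering), run over constructed Sysmon-style events. This is an added example, not from the page or any vendor; the field names mimic Sysmon Event ID 1 (process create) and 11 (file create), and every event below is constructed, not real telemetry.

```python
"""Rules for the PipeMagic / CVE-2025-29824 post-exploitation behaviours.
Added example; SAMPLE_EVENTS are constructed Sysmon-style records."""
import re

SAMPLE_EVENTS = [
    # CLFS base log file dropped under ProgramData by a binary run from Temp
    {"id": 11, "image": r"C:\Users\u\AppData\Local\Temp\x.exe",
     "target": r"C:\ProgramData\SkyPDF\PDUDrv.blf"},
    # ProcDump renamed to dllhost.exe, dumping LSASS
    {"id": 1, "image": r"C:\ProgramData\dllhost.exe",
     "cmdline": r"dllhost.exe -accepteula -r -ma lsass.exe C:\ProgramData\m.dmp"},
    # the genuine COM surrogate; a name-only rule would confuse it with the above
    {"id": 1, "image": r"C:\Windows\System32\dllhost.exe",
     "cmdline": r"C:\Windows\system32\DllHost.exe /Processid:{00000000-0000-0000-0000-000000000001}"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c bcdedit /set {default} recoveryenabled no"},
    {"id": 1, "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": r"wbadmin delete catalog -quiet"},
    # legitimate CLFS log under the Windows tree (kernel transaction manager)
    {"id": 11, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\config\TxR\DEMO.TxR.blf"},
]

# ProcDump switches: renaming the binary does not change its command line.
PROCDUMP_FLAGS = re.compile(r"(?i)(?:^|\s)-(?:accepteula|ma|mm|mp|r)\b")
LSASS = re.compile(r"(?i)\blsass(?:\.exe)?\b")
RECOVERY_KILL = [
    re.compile(r"(?i)\bbcdedit\b.*\brecoveryenabled\s+no\b"),
    re.compile(r"(?i)\bwbadmin\b.*\bdelete\s+catalog\b"),
]


def lsass_dump_by_procdump_flags(ev) -> bool:
    """Key on the command line, not the image name: lsass as the target
    plus ProcDump-style switches."""
    if ev["id"] != 1:
        return False
    cmd = ev.get("cmdline", "")
    return bool(LSASS.search(cmd) and PROCDUMP_FLAGS.search(cmd))


def recovery_disabled(ev) -> bool:
    """bcdedit/wbadmin invocations that remove the victim's recovery options."""
    return ev["id"] == 1 and any(r.search(ev.get("cmdline", "")) for r in RECOVERY_KILL)


def clfs_blf_outside_windows(ev) -> bool:
    """CLFS logs are normal under C:\\Windows; a .blf in a user-writable
    location such as ProgramData is the exploit's staging artefact."""
    if ev["id"] != 11:
        return False
    target = ev.get("target", "").lower()
    return target.endswith(".blf") and not target.startswith("c:\\windows\\")


RULES = {
    "lsass_dump_by_procdump_flags": lsass_dump_by_procdump_flags,
    "recovery_disabled": recovery_disabled,
    "clfs_blf_outside_windows": clfs_blf_outside_windows,
}


def detect(events) -> list:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The .blf rule is deliberately scoped to paths outside the Windows directory because the OS keeps its own CLFS logs there (the TxR sample above is one such location); a broad "any .blf created" rule would be noisy. Likewise the LSASS rule ignores the image name entirely, since the whole point of renaming ProcDump to dllhost.exe is to defeat name-based detection.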
Microsoft recommends applying patches, enabling cloud-delivered protections in Defender, and using EDR in block mode to mitigate such threats.
Indicators of Compromise
Indicator Type | Value | Description |
---|---|---|
Domain | aaaaabbbbbbb.eastus.cloudapp.azure[.]com | C2 server used by PipeMagic |
Hash (MD5) | 5df8ee118c7253c3e27b1e427b56212c | metafile.mshi loader |
Hash (MD5) | 60988c99fb58d346c9a6492b9f3a67f7 | chatgpt.exe (2024 variant) |
Hash (MD5) | 7e6bf818519be0a20dbc9bcb9e5728c6 | chatgpt.exe (2025 variant) |
Hash (MD5) | e3c8480749404a45a61c39d9c3152251 | googleupdate.dll hijacker |
Hash (MD5) | 1a119c23e8a71bf70c1e8edf948d5181 | Deployed PE backdoor |
Hash (MD5) | bddaf7fae2a7dac37f5120257c7c11ba | Additional module |
Pipe Name | `\\.\pipe\104201.%d` | Used by injector module |
Pipe Name | `\\.\pipe\1.<16-byte hexadecimal string>` | Generated for communication |