The PipeMagic malware, attributed to the financially motivated threat actor Storm-2460, is a clear illustration of how quickly threats evolve: it poses as the genuine open-source ChatGPT Desktop Application hosted on GitHub.
This sophisticated modular backdoor facilitates targeted attacks by exploiting CVE-2025-29824, an elevation-of-privilege vulnerability in the Windows Common Log File System (CLFS).
Microsoft Threat Intelligence identified PipeMagic during investigations into attack chains where adversaries used certutil to download a malicious MSBuild file from compromised legitimate websites, leading to in-memory execution of the backdoor.
Once deployed, PipeMagic enables privilege escalation and ransomware deployment across sectors including IT, finance, and real estate in regions like the United States, Europe, South America, and the Middle East.
Enables Zero-Day Exploitation
The malware’s architecture emphasizes flexibility and persistence, dynamically loading payloads via a dedicated networking module for command-and-control (C2) communication over TCP, while employing encrypted inter-process communication through named pipes to evade detection.
PipeMagic initializes with a 16-byte random bot identifier and spawns a thread to create a bidirectional named pipe formatted as \\.\pipe\1.
Incoming modules are decrypted using a hardcoded 32-byte RC4 key, validated via SHA-1 hashing, and stored in a doubly linked list structure.
The malware maintains four such lists: one for raw payload modules in PE format, another for executable modules loaded into memory, a network list for C2 handling, and an unknown list possibly for dynamic payload staging.
Configuration data, including a now-disabled C2 domain (aaaaabbbbbbb.eastus.cloudapp.azure.com:443), is parsed to manage operations, with fallback to local loopback for testing.
The embedded network module, XOR-decrypted and decompressed via aPLib, establishes TCP connections, exporting functions for data transmission and termination, while limiting attempts to five per session.
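The module-validation step described above (RC4 decryption with a fixed key, SHA-1 check, storage in a doubly linked list) is the part an analyst reproduces when unpacking modules recovered from a memory dump. The following Python is an added example written for this article, not code from Microsoft or from the malware itself. It assumes a record layout of a 20-byte SHA-1 digest followed by the RC4-encrypted module, uses an all-zero placeholder instead of the real 32-byte key (which is not on this page), and constructs its own sample module inline.

```python
"""Analyst helper: decrypt, validate and store PipeMagic-style module records."""
import hashlib

# Placeholder only: the real hardcoded 32-byte RC4 key is not reproduced on the page.
PLACEHOLDER_KEY = b"\x00" * 32
DIGEST_LEN = 20  # SHA-1 digest size


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def unpack_module(record: bytes, key: bytes = PLACEHOLDER_KEY):
    """Return the decrypted module, or None if the SHA-1 check fails.

    Assumed record layout (this example's assumption): sha1(plaintext) || rc4(key, plaintext).
    """
    if len(record) <= DIGEST_LEN:
        return None
    expected, body = record[:DIGEST_LEN], record[DIGEST_LEN:]
    plain = rc4(key, body)
    if hashlib.sha1(plain).digest() != expected:
        return None  # corrupted or wrong key: the backdoor would discard it too
    return plain


class _Node:
    __slots__ = ("data", "sha1", "prev", "next")

    def __init__(self, data: bytes):
        self.data, self.sha1 = data, hashlib.sha1(data).hexdigest()
        self.prev = self.next = None


class ModuleList:
    """Doubly linked list of validated modules, mirroring the lists the backdoor keeps."""

    def __init__(self):
        self.head = self.tail = None
        self.count = 0

    def insert(self, data: bytes) -> _Node:
        node = _Node(data)
        if self.tail is None:
            self.head = self.tail = node
        else:
            node.prev, self.tail.next, self.tail = self.tail, node, node
        self.count += 1
        return node

    def _at(self, index: int):
        node = self.head
        while node is not None and index > 0:
            node, index = node.next, index - 1
        return node

    def read(self, index: int):
        node = self._at(index)
        return None if node is None else node.data

    def delete(self, index: int) -> bool:
        node = self._at(index)
        if node is None:
            return False
        if node.prev: node.prev.next = node.next
        else:          self.head = node.next
        if node.next: node.next.prev = node.prev
        else:          self.tail = node.prev
        self.count -= 1
        return True

    def hashes(self) -> list:
        out, node = [], self.head
        while node is not None:
            out.append(node.sha1)
            node = node.next
        return out


def ingest(store: ModuleList, record: bytes, key: bytes = PLACEHOLDER_KEY) -> bool:
    """Validate a record and append it to the list; reject it on hash mismatch."""
    plain = unpack_module(record, key)
    if plain is None:
        return False
    store.insert(plain)
    return True


# Constructed sample: a fake PE-looking blob, not a real module.
SAMPLE_MODULE = b"MZ" + b"\x90" * 14 + b"constructed fake module body"


def make_record(module: bytes, key: bytes = PLACEHOLDER_KEY) -> bytes:
    """Build a record in the assumed layout so the example can run offline."""
    return hashlib.sha1(module).digest() + rc4(key, module)


def tampered_record(module: bytes = SAMPLE_MODULE, key: bytes = PLACEHOLDER_KEY) -> bytes:
    """Flip the last ciphertext byte to simulate a corrupted module in transit."""
    rec = bytearray(make_record(module, key))
    rec[-1] ^= 0xFF
    return bytes(rec)


if __name__ == "__main__":
    store = ModuleList()
    print("good record accepted:", ingest(store, make_record(SAMPLE_MODULE)))
    print("tampered record accepted:", ingest(store, tampered_record()))
    print("stored module hashes:", store.hashes())
```

Swap in the real key and record layout once they are recovered from the sample; the SHA-1 check is what tells you the key is right before any further triage.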
Advanced Capabilities
Upon C2 connection, PipeMagic collects extensive system information (bot ID, OS version, process details, integrity levels, and domain affiliations) and transmits it via HTTP GET requests with randomized paths.
Responses are processed through outer commands that trigger inner backdoor functionalities, enabling module management, data manipulation, process enumeration, and self-deletion.
For instance, processing code 0x1 handles core operations like inserting, reading, writing, or deleting modules in payload and execute lists, with arguments for indices, offsets, hashes, and encryption.

Similar commands interact with the unknown list for resizing or extraction, suggesting auxiliary roles in modular extensibility.
Backdoor codes provide granular control, from retrieving metadata and renaming executables to recollecting system data or interfacing with named pipes for encrypted payload exchanges.
To counter this threat, organizations should enable tamper protection, network protection, and EDR in block mode within Microsoft Defender for Endpoint, alongside automated investigation and cloud-delivered protections.
Microsoft Defender Antivirus detects PipeMagic under Win32 and Win64 detection names and raises alerts for malware detection, prevention, and ransomware-linked activity.
Vulnerability management tools highlight CVE-2025-29824 exposure, while Microsoft Security Copilot offers promptbooks for incident investigation, user analysis, and threat profiling.
Threat analytics reports detail exploitation patterns, emphasizing the need for resilient defenses that disrupt adversary TTPs and raise the attacker's operational costs.
Indicators of compromise
| Indicator | Type | Description |
|---|---|---|
| aaaaabbbbbbb.eastus.cloudapp.azure[.]com:443 | Domain | PipeMagic's C2 domain |
| dc54117b965674bad3d7cd203ecf5e7fc822423a3f692895cf5e96e83fb88f6a | File SHA-256 hash | In-memory dropper (trojanized ChatGPT desktop application) |
| 4843429e2e8871847bc1e97a0f12fa1f4166baa4735dff585cb3b4736e3fe49e | File SHA-256 hash | PipeMagic backdoor (unpacked in memory) |
| 297ea881aa2b39461997baf75d83b390f2c36a9a0a4815c81b5cf8be42840fd1 | File SHA-256 hash | PipeMagic network module (unpacked in memory) |
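The indicators above, together with the HTTP GET beaconing described earlier, are what a responder sweeps proxy logs and file-hash inventories for. The script below is an added example for this article (not Microsoft's tooling): it refangs the defanged C2 domain, matches request hosts in constructed sample proxy log lines, and checks a constructed list of SHA-256 hashes against the table. The log line format is an assumption made for the example; adapt the regex to your proxy's format.

```python
"""Sweep proxy logs and file hashes for the PipeMagic indicators published above."""
import re

# Indicators exactly as listed on the page (domain kept defanged until load time).
IOC_DOMAINS_DEFANGED = {"aaaaabbbbbbb.eastus.cloudapp.azure[.]com"}
IOC_SHA256 = {
    "dc54117b965674bad3d7cd203ecf5e7fc822423a3f692895cf5e96e83fb88f6a",  # dropper
    "4843429e2e8871847bc1e97a0f12fa1f4166baa4735dff585cb3b4736e3fe49e",  # backdoor
    "297ea881aa2b39461997baf75d83b390f2c36a9a0a4815c81b5cf8be42840fd1",  # network module
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Assumed log format for this example: timestamp, client IP, method, URL, status.
_URL_HOST = re.compile(r"https?://([^/:\s]+)", re.IGNORECASE)

# Constructed sample log lines; the second one beacons to the published C2 host.
SAMPLE_PROXY_LOG = """\
2025-08-20T10:00:01Z 10.1.2.3 GET https://update.example.test/patch.cab 200
2025-08-20T10:00:05Z 10.1.2.3 GET https://aaaaabbbbbbb.eastus.cloudapp.azure.com:443/Kq8zX1pL 200
2025-08-20T10:00:09Z 10.1.2.7 GET https://intranet.example.test/index.html 200
2025-08-20T10:00:12Z 10.1.2.3 GET HTTPS://AAAAABBBBBBB.EASTUS.CLOUDAPP.AZURE.COM/v9Qw3 404
"""

# Constructed hash inventory: one page IoC plus a made-up non-matching value.
SAMPLE_HASHES = [
    "DC54117B965674BAD3D7CD203ECF5E7FC822423A3F692895CF5E96E83FB88F6A",
    "0" * 64,
]


def scan_proxy_log(text: str) -> list:
    """Return (line_number, host) for every request whose host is a known C2 domain."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _URL_HOST.search(line)
        if m and m.group(1).lower() in IOC_DOMAINS:
            hits.append((lineno, m.group(1).lower()))
    return hits


def check_hashes(hashes) -> set:
    """Return the subset of the given SHA-256 values that match a published indicator."""
    return {h.lower() for h in hashes if h.lower() in IOC_SHA256}


if __name__ == "__main__":
    for lineno, host in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {lineno}: request to PipeMagic C2 host {host}")
    for h in check_hashes(SAMPLE_HASHES):
        print(f"hash match: {h}")
```

The C2 domain is reported as disabled, so a hit in historical logs is evidence of past compromise rather than live beaconing; the host should still be isolated and its memory examined, since the backdoor and its modules only exist unpacked in memory.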