A sophisticated malware campaign has been identified, utilizing PipeMagic, a highly modular backdoor deployed by the financially motivated threat actor Storm-2460.
This advanced malware masquerades as a legitimate open-source ChatGPT Desktop Application while exploiting the zero-day vulnerability CVE-2025-29824 in Windows Common Log File System (CLFS) to deploy ransomware across multiple sectors globally.
Key Takeaways
1. PipeMagic masquerades as ChatGPT Desktop App while exploiting a Windows zero-day.
2. Features a modular design with encrypted named pipe communication and dynamic payload loading to evade detection.
3. Storm-2460 targets IT, financial, and real estate sectors worldwide.
The threat actor leverages a trojanized version of the popular ChatGPT Desktop Application available on GitHub, using it as a delivery mechanism for the PipeMagic backdoor.
This deceptive approach allows the malware to bypass initial user suspicion while establishing persistent access to compromised systems.
The observed targets span information technology, financial, and real estate sectors across the United States, Europe, South America, and the Middle East, demonstrating the campaign’s broad geographic scope and cross-industry impact.
PipeMagic Modular Backdoor
Microsoft reports that PipeMagic employs a complex infection sequence beginning with a malicious MSBuild file downloaded via the certutil utility from compromised legitimate websites.
The initial stage features an in-memory dropper disguised as the legitimate ChatGPT application, which decrypts and launches the embedded PipeMagic payload directly into memory to evade detection.
The malware generates a unique 16-byte bot identifier for each infected host and establishes a named pipe using the format \\.\pipe\1.
This bidirectional communication channel enables continuous module deployment while maintaining stealth.
The backdoor uses RC4 encryption with a hardcoded 32-byte key and performs SHA-1 hash validation to ensure payload integrity during transmission.
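As an added example (not code from the Microsoft report or from the malware itself), the following analyst-side helper applies the scheme just described, RC4 under a 32-byte key plus a SHA-1 integrity check, to a captured module blob. The blob layout (a 20-byte SHA-1 of the plaintext followed by the RC4 ciphertext), the key and the module body are constructed assumptions for illustration only.

```python
import hashlib
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def unwrap_module(blob: bytes, key: bytes) -> Optional[bytes]:
    """Decrypt a captured module blob and verify its SHA-1.

    Assumed layout (hypothetical, not taken from the report): 20-byte SHA-1
    digest of the plaintext, followed by the RC4 ciphertext. Returns None when
    the blob is too short or the digest does not match (corrupted data, wrong
    key, or not a blob in this format).
    """
    if len(blob) < 20:
        return None
    expected, ciphertext = blob[:20], blob[20:]
    plaintext = rc4(key, ciphertext)
    if hashlib.sha1(plaintext).digest() != expected:
        return None
    return plaintext


def wrap_module(plaintext: bytes, key: bytes) -> bytes:
    """Build a blob in the assumed layout; used here only to construct sample input."""
    return hashlib.sha1(plaintext).digest() + rc4(key, plaintext)


# Constructed sample values: a 32-byte key and a stand-in module body.
SAMPLE_KEY = bytes(range(0x10, 0x30))
SAMPLE_MODULE = b"MZ\x90\x00 constructed stand-in for a module image"

if __name__ == "__main__":
    blob = wrap_module(SAMPLE_MODULE, SAMPLE_KEY)
    print(unwrap_module(blob, SAMPLE_KEY) == SAMPLE_MODULE)   # True
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    print(unwrap_module(tampered, SAMPLE_KEY))                 # None
```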
PipeMagic’s technical sophistication lies in its use of four distinct doubly linked list structures: payload, execute, network, and unknown lists, each serving specific functions within the backdoor’s architecture.
The malware maintains persistent command-and-control (C2) communication through a dedicated networking module that handles TCP connections to the domain aaaaabbbbbbb.eastus.cloudapp.azure[.]com:443, which Microsoft has subsequently disabled.
The backdoor supports over 20 different operational commands, including system reconnaissance, module management, process enumeration, and payload execution.
Critical capabilities include command code 0xF for self-deletion and 0x11 for module replacement, enabling dynamic operational adaptation.
The malware collects comprehensive system information, including OS version, domain membership, integrity levels, and network configuration, before transmitting data to C2 servers.
Mitigations
Microsoft recommends enabling tamper protection and network protection in Defender for Endpoint, alongside implementing EDR in block mode for post-breach artifact remediation.
Organizations should prioritize deploying patches for CVE-2025-29824 and utilize cloud-delivered protection to defend against rapidly evolving attack variants.
Microsoft Defender XDR provides specific detections for PipeMagic variants, including alerts for active malware processes and ransomware-linked threat group activities.
The campaign highlights the critical importance of maintaining updated security controls and monitoring for suspicious named pipe communications and unusual ChatGPT application behavior across enterprise environments.