Play Ransomware Deployed in the Wild Exploiting Windows 0-Day Vulnerability
A patched Windows zero-day vulnerability (CVE-2025-29824) in the Common Log File System (CLFS) driver was exploited in attacks linked to the Play ransomware operation before its disclosure on April 8, 2025.
The flaw, which enabled privilege escalation via a use-after-free condition in the clfs.sys kernel driver, was weaponized by Balloonfly, the cybercrime group behind Play ransomware, during an attempted intrusion at a U.S. organization.
Though ransomware deployment was thwarted, attackers leveraged the exploit to deploy the Grixba infostealer and establish persistence mechanisms, marking one of the rare instances of ransomware actors employing zero-day vulnerabilities.
The attackers exploited CVE-2025-29824 by orchestrating a race condition between two threads interacting with the CLFS driver.
The first thread invoked CloseHandle() to deallocate a critical kernel structure (CClfsLogCcb), while the second thread executed a DeviceIoControl() operation that referenced the now-freed memory.
This use-after-free scenario allowed arbitrary kernel memory modifications, enabling elevation to SYSTEM privileges.
Key artifacts from the exploit included the creation of PDUDrv.blf (a CLFS base log file) and clssrv.inf (a malicious DLL injected into winlogon.exe).
The DLL facilitated the deployment of two batch files: servtask.bat and cmdpostfix.bat.
The former executed commands to dump SAM, SYSTEM, and SECURITY registry hives, create a hidden administrative user (LocalSvc), and manipulate Windows services and scheduled tasks.
The latter script erased forensic traces by deleting exploit-related files and directories.
Notably, the attackers masqueraded tools as legitimate Palo Alto software (e.g., paloaltoconfig.exe) and leveraged PowerShell to extract Active Directory data via the following command:
Import-Module ActiveDirectory; Get-ADComputer -Filter {enabled -eq $true} -properties * | Export-CSV AllWindows.csv
This reconnaissance step aimed to map the network for lateral movement.
Multi-Actor Exploitation and Evolving Ransomware Tactics
Microsoft’s advisory revealed that CVE-2025-29824 had been exploited by multiple threat actors, including Storm-2460, which deployed the PipeMagic malware in memory via dllhost.exe.
Unlike Balloonfly’s file-based approach, Storm-2460’s exploitation was fileless, highlighting the vulnerability’s adaptability across attack methodologies.
The incident underscores a troubling trend of ransomware groups adopting zero-day exploits.
In 2024, Symantec linked the Black Basta ransomware to the exploitation of CVE-2024-26169, a Windows privilege escalation flaw patched months after evidence of in-the-wild abuse.
While Microsoft initially denied exploitation, forensic analysis revealed exploit compilation timestamps predating the patch.
Balloonfly’s infrastructure and toolset, including the Grixba infostealer, have been instrumental in attacks across North America, South America, and Europe since 2022.
Their latest campaign avoided ransomware deployment but demonstrated readiness to escalate privileges, exfiltrate credentials, and establish backdoors for future operations.
Mitigation Strategies and Industry Response
Microsoft released patches for CVE-2025-29824 on April 8, 2025, urging immediate deployment.
Organizations should prioritize updating Windows systems, auditing scheduled tasks for anomalies (e.g., MicrosoftWindowsWininetCacheTask), and monitoring for atypical processes like winlogon.exe loading unsigned DLLs.
Symantec recommends:
- Restricting permissions for the CLFS driver and disabling unnecessary services.
- Implementing network segmentation to limit lateral movement.
- Analyzing PowerShell logs for Get-ADComputer commands and unexpected CSV exports.
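The behaviours this article recommends watching for (winlogon.exe loading an unsigned DLL, dumps of the SAM/SYSTEM/SECURITY hives, creation of the hidden LocalSvc user, and Get-ADComputer piped into Export-CSV) can be expressed as simple rules over endpoint telemetry. This is an added example, not code from Symantec or the original article; the event records and their field names are constructed for illustration and are not the schema of any particular EDR product.

```python
import re
from typing import Dict, List

# Constructed sample events (not taken from the report): Sysmon-style image
# loads, process creations and PowerShell script blocks, normalised to dicts.
SAMPLE_EVENTS = [
    {"type": "image_load", "process": r"C:\Windows\System32\winlogon.exe",
     "image": r"C:\ProgramData\clssrv.inf", "signed": False},
    {"type": "image_load", "process": r"C:\Windows\System32\winlogon.exe",
     "image": r"C:\Windows\System32\user32.dll", "signed": True},
    {"type": "process", "cmdline": r"reg save HKLM\SAM C:\ProgramData\sam.hiv"},
    {"type": "process", "cmdline": "net user LocalSvc P@ssw0rd /add"},
    {"type": "process", "cmdline": "net localgroup Administrators LocalSvc /add"},
    {"type": "powershell", "script": "Import-Module ActiveDirectory; "
     "Get-ADComputer -Filter {enabled -eq $true} -properties * | Export-CSV AllWindows.csv"},
    {"type": "powershell", "script": "Get-Date"},
]

# reg save of the three credential hives mentioned in the article
HIVE_DUMP = re.compile(r"\breg(?:\.exe)?\s+save\s+HKLM\\(SAM|SYSTEM|SECURITY)\b", re.I)
# net user <name> <password> /add  (local account creation)
USER_ADD = re.compile(r"\bnet(?:1)?(?:\.exe)?\s+user\s+(\S+)\s+\S+\s+/add\b", re.I)
# AD computer enumeration exported to CSV (the reconnaissance step above)
AD_EXPORT = re.compile(r"Get-ADComputer\b.*\|\s*Export-CSV\b", re.I | re.S)


def classify(event: dict) -> List[str]:
    """Return the names of the detections a single event triggers."""
    hits: List[str] = []
    if event["type"] == "image_load":
        # winlogon.exe normally loads only signed system DLLs
        if event["process"].lower().endswith("\\winlogon.exe") and not event["signed"]:
            hits.append("winlogon_unsigned_dll")
    elif event["type"] == "process":
        cmd = event["cmdline"]
        if HIVE_DUMP.search(cmd):
            hits.append("registry_hive_dump")
        if USER_ADD.search(cmd):
            hits.append("local_user_created")
    elif event["type"] == "powershell":
        if AD_EXPORT.search(event["script"]):
            hits.append("ad_computer_export")
    return hits


def scan(events: List[dict]) -> Dict[str, int]:
    """Count detections across a batch of events; an empty dict means no hits."""
    counts: Dict[str, int] = {}
    for ev in events:
        for hit in classify(ev):
            counts[hit] = counts.get(hit, 0) + 1
    return counts
```

Several of these rules firing on one host within a short window is a far stronger signal than any one of them alone, since hive dumps and account creation also occur during legitimate administration.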
The exploitation of kernel-level vulnerabilities by ransomware groups signals a maturation of their offensive capabilities.
As zero-day exploits become commoditized in underground markets, proactive defense-in-depth strategies and rapid patch adoption are critical to mitigating emerging threats.
Indicators of Compromise (IoC):