Cybersecurity researchers have uncovered a sophisticated malware campaign exploiting Microsoft Help Index Files (.mshi) to deliver the notorious PipeMagic backdoor, marking a significant evolution in the threat actors’ tactics since the malware’s first detection in 2022.
The campaign, which has targeted organizations across Saudi Arabia and Brazil throughout 2025, demonstrates the attackers’ continued refinement of their infection methods and persistence mechanisms.
PipeMagic initially emerged in December 2022 during a RansomExx ransomware campaign targeting industrial companies in Southeast Asia.
The malware gained prominence when it was later discovered exploiting CVE-2025-29824, a vulnerability that Microsoft identified as being actively exploited in the wild during their April 2025 patch cycle.
The backdoor’s operators have demonstrated remarkable adaptability, transitioning from exploiting the CVE-2017-0144 vulnerability in their early campaigns to employing more sophisticated social engineering techniques in recent attacks.
The latest iteration of PipeMagic has expanded its geographical reach, with Securelist researchers identifying infections in multiple regions.
The malware maintains its core functionality as a versatile backdoor capable of operating in two distinct modes: as a comprehensive remote access tool and as a network gateway for lateral movement within compromised infrastructure.
What distinguishes the 2025 campaign is the attackers’ innovative use of Microsoft Help Index Files as an initial infection vector.
These files, typically containing metadata for Microsoft help documentation, have been weaponized to carry obfuscated C# code alongside encrypted payloads.
The malicious .mshi files leverage the legitimate MSBuild framework for execution, effectively bypassing traditional security controls that might flag more conventional executable formats.
Advanced Infection Mechanism Through MSBuild Exploitation
The infection chain begins when victims execute the malicious metafile.mshi, which contains heavily obfuscated C# code paired with an extensive hexadecimal string.
The execution occurs through a carefully crafted command line (backslashes restored; the remainder of the command line is truncated in the source):
c:\windows\system32\cmd.exe "/k c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe c:\w
The embedded C# code performs dual functions within the infection process. First, it decrypts the accompanying shellcode using the RC4 stream cipher with a hardcoded 64-character hexadecimal key (4829468622e6b82ff056e3c945dd99c94a1f0264d980774828aadda326b775e5).
Following successful decryption, the code executes the shellcode through the Windows API function EnumDeviceMonitor, passing the shellcode pointer as the function’s third parameter while setting the first two parameters to zero, so that the API invokes the shellcode as if it were a callback.
The decrypted shellcode is designed for 32-bit Windows systems. It employs evasion techniques, including export table parsing and FNV-1a hashing of API names to dynamically resolve system API addresses, which leaves no plaintext import names for static analysis to key on.
The shellcode ultimately loads an unencrypted executable embedded within its own structure, establishing the PipeMagic backdoor’s presence on the compromised system and enabling communication through its characteristic named pipe infrastructure at 127.0.0.1:8082.
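As an added illustration, not code from the Securelist write-up or from the malware, a small Python triage helper that reproduces the decryption step described above: RC4 with the key quoted in the article over the hexadecimal string from the .mshi, followed by a check for the embedded executable and its 32-bit machine type. The sample bytes used for testing are constructed and contain no real shellcode.

```python
import struct
from typing import Optional

# RC4 key quoted in the article for the metafile.mshi sample (hex-encoded, 32 bytes).
PIPEMAGIC_RC4_KEY_HEX = "4829468622e6b82ff056e3c945dd99c94a1f0264d980774828aadda326b775e5"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_blob(hex_blob: str, key_hex: str = PIPEMAGIC_RC4_KEY_HEX) -> bytes:
    """Decrypt the hexadecimal string carried in the .mshi with the hardcoded key.
    Whitespace inside the hex string (line wrapping in the file) is ignored."""
    return rc4(bytes.fromhex(key_hex), bytes.fromhex("".join(hex_blob.split())))


def find_embedded_pe(blob: bytes) -> Optional[dict]:
    """Locate the first 'MZ' header whose e_lfanew points at a valid 'PE\\0\\0'
    signature and report its offset and machine type (0x14C = 32-bit x86).
    The article states the shellcode carries an unencrypted executable, so a
    correctly decrypted blob should yield a hit here; a miss suggests a wrong key."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if pe + 6 <= len(blob) and blob[pe:pe + 4] == b"PE\0\0":
                machine = struct.unpack_from("<H", blob, pe + 4)[0]
                return {"offset": pos, "machine": machine, "is_32bit": machine == 0x14C}
        pos = blob.find(b"MZ", pos + 1)
    return None
```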