Cybersecurity researchers have uncovered ongoing use of the PipeMagic backdoor in RansomExx ransomware campaigns, exploiting a Windows privilege-escalation flaw that Microsoft patched in April 2025. The revelation comes from a joint report by Kaspersky SecureList and BI.ZONE, which identifies CVE-2025-29824 as the entry point for attackers targeting Windows systems. Microsoft has also published its own advisory for CVE-2025-29824.
PipeMagic is described as a modular backdoor capable of remote access, command execution, and dynamic loading of payloads. A distinctive feature, researchers note, is its use of a random 16-byte array to create a named pipe, a mechanism the malware repeatedly creates to exchange data with its command-and-control (C2) infrastructure. The technique relies on inter-process communication via named pipes to transmit encrypted payloads and notifications while remaining stealthy. The campaign infrastructure is staged from a domain hosted on Microsoft Azure, with a loader that unpacks C# code to decrypt and execute embedded shellcode, according to the report and related Microsoft analysis.
In earlier infections, the attackers leveraged CVE-2017-0144, a long-standing Windows SMB remote code execution flaw, to infiltrate victim networks. The researchers also highlighted October 2024 activity in Saudi Arabia that used a fake OpenAI ChatGPT app as bait, with Microsoft later attributing the exploitation of CVE-2025-29824 and PipeMagic to a threat group tracked as Storm-2460. The capabilities added in 2025 include persistence mechanisms and lateral movement features, as described in the report and in Microsoft Threat Intelligence’s architecturally focused write-up on PipeMagic’s modular design.
The PipeMagic backdoor comprises multiple modules, including an asynchronous communication module with five commands to manage plugins and file operations, a loader to inject additional payloads, and an injector to launch a C# executable. Researchers emphasize that the malware’s architecture offloads network and backdoor tasks to discrete modules, enabling a flexible and stealthy control flow that complicates detection and analysis. The 2025 variants reportedly show improvements over 2024, with enhanced persistence and lateral movement capabilities, including memory extraction techniques such as using a renamed ProcDump utility to target LSASS.
Cybersecurity teams also noted that PipeMagic loader artifacts appeared as ChatGPT clients in 2025 and that some samples employ DLL hijacking to run a spoofed googleupdate.dll file, illustrating the actors’ evolving masquerade techniques. In this light, analysts warn that the threat actor behind PipeMagic continues to develop its tooling for broader deployment across sectors, including information technology, finance, and real estate, across the United States, Europe, South America, and the Middle East, with Saudi Arabia and Brazil among the 2025 targets.