Microsoft warns that a fake ChatGPT desktop app was used to deliver PipeMagic malware, linked to ransomware attacks exploiting a Windows zero-day.

Brownie2019

Brownie2019

Level 23
Thread author
Verified
Well-known
Forum Veteran
Mar 9, 2019
969
4,663
2,168
Germany
Content source
https://hackread.com/fake-chatgpt-desktop-app-pipemagic-backdoor-microsoft/
Cybersecurity researchers at Microsoft discovered a new backdoor called PipeMagic while investigating attacks that abused a zero-day flaw in Windows CLFS (CVE-2025-29824). What makes this backdoor dangerous is how it poses as a legitimate open-source ChatGPT desktop application while delivering a framework for running ransomware operations.
PipeMagic relies on a modular design that loads different components as needed. These modules handle everything from command-and-control communication to payload execution, all while staying hidden through encrypted named pipes and in-memory operations. By separating its functions this way, the backdoor makes it far more difficult for defenders to detect or analyze.
Click to expand...
Read full Story here:
hackread.com

Fake ChatGPT Desktop App Delivering PipeMagic Backdoor, Microsoft

Follow us on Bluesky, Twitter (X), Mastodon and Facebook at @Hackread
hackread.com hackread.com
 
  • Like
  • Thanks
  • Wow
Reactions: piquiteco, Trident, Khushal and 6 others
Brownie2019 said:
Read full Story here:
hackread.com

Fake ChatGPT Desktop App Delivering PipeMagic Backdoor, Microsoft

Follow us on Bluesky, Twitter (X), Mastodon and Facebook at @Hackread
hackread.com hackread.com
Click to expand...

securelist.com

PipeMagic in 2025: How the backdoor operators’ tactics have changed

We examine the evolution of the PipeMagic backdoor and the TTPs of its operators – from the RansomExx incident in 2022 to attacks in Brazil and the Middle East, and the exploitation of CVE-2025-29824 in 2025.
securelist.com securelist.com
 
  • Like
Reactions: piquiteco and Trident
Cybersecurity researchers have lifted the lid on the threat actors' exploitation of a now-patched security flaw in Microsoft Windows to deploy the PipeMagic malware in RansomExx ransomware attacks.

The attacks involve the exploitation of CVE-2025-29824, a privilege escalation vulnerability impacting the Windows Common Log File System (CLFS) that was addressed by Microsoft in April 2025, Kaspersky and BI.ZONE said in a joint report published today.

PipeMagic was first documented in 2022 as part of RansomExx ransomware attacks targeting industrial companies in Southeast Asia, capable of acting as a full-fledged backdoor providing remote access and executing a wide range of commands on compromised hosts.

In those attacks, the threat actors have been found to exploit CVE-2017-0144, a remote code execution flaw in Windows SMB, to infiltrate victim infrastructure. Subsequent infection chains observed in October 2024 in Saudi Arabia were spotted leveraging a fake OpenAI ChatGPT app as bait to deliver the malware.

Earlier this April, Microsoft attributed the exploitation of CVE-2025-29824 and the deployment of PipeMagic to a threat actor it tracks as Storm-2460.
Click to expand...
malwaretips.com

Malware News - Microsoft Windows Vulnerability Exploited to Deploy PipeMagic RansomExx Malware

Cybersecurity researchers have lifted the lid on the threat actors' exploitation of a now-patched security flaw in Microsoft Windows to deploy the PipeMagic malware in RansomExx ransomware attacks. The attacks involve the exploitation of CVE-2025-29824, a privilege escalation vulnerability...
malwaretips.com malwaretips.com
 
Last edited by a moderator:
  • Like
Reactions: Khushal, piquiteco, Trident and 2 others
Kaspersky said it also uncovered PipeMagic loader artifacts masquerading as a ChatGPT client in 2025 that are similar to those previously seen in October 2024. The samples have been observed leveraging DLL hijacking techniques to run a malicious DLL that mimics a Google Chrome update file ("googleupdate.dll").
 
  • Like
Reactions: Khushal, piquiteco and Parkinsond
You must log in or register to reply here.

You may also like...