Wait, this isn’t ChatGPT? Malware Uses Open-Source AI App to Deploy Ransomware

Security researchers have identified a new form of malware that uses a seemingly legitimate desktop application based on ChatGPT to install a modular backdoor, allowing attackers to maintain long-term access to compromised systems. Dubbed PipeMagic, the malware operates under the radar by leveraging a component-based architecture that makes detection and analysis more complex.

According to Microsoft, PipeMagic was discovered during an investigation into a broader attack campaign that exploited CVE-2025-29824—an elevation of privilege vulnerability in the Windows Common Log File System (CLFS). Although Microsoft issued a fix for this vulnerability in April 2025, many systems remain unpatched, leaving them open to attack.

The backdoor is part of a wider attack chain used by a group known as Storm-2460. This group has deployed ransomware across several industries, including IT, finance, and real estate, in regions spanning the United States, Europe, South America, and the Middle East.

What sets PipeMagic apart is its modular approach. Instead of using a single piece of malware to handle all functions, it splits its capabilities into smaller components. A separate networking module handles communication with the command-and-control (C2) server, allowing attackers to send and execute payloads dynamically. This structure provides greater flexibility and helps evade detection by traditional security tools.

Microsoft emphasizes that while the number of impacted organizations remains relatively small, the combination of a zero-day exploit and modular ransomware delivery is a concerning development. The ability to adapt and scale such threats increases the potential impact if defenses are not promptly updated.

To mitigate risk, Microsoft recommends that organizations immediately apply the April 2025 security patch for CVE-2025-29824. In addition, enabling tamper protection and network protection features in Microsoft Defender for Endpoint can help detect and block PipeMagic’s activity.
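The following PowerShell audit is an added example, not part of the article or of Microsoft's guidance. It reports the two Defender for Endpoint settings the article recommends (tamper protection and network protection), plus whether a given update is installed, and switches network protection to block mode if it is not. The `$ClfsPatchKb` value is a placeholder: the article gives no KB number, so look up the April 2025 CLFS update for your Windows build in the Microsoft Security Update Guide and substitute it. `Get-MpPreference`, `Set-MpPreference`, `Get-MpComputerStatus` and `Get-HotFix` are standard Windows cmdlets; the function name `Get-DefenderMitigationStatus` is ours.

```powershell
# Added example (not from the article or Microsoft): audit the Defender for
# Endpoint settings the article recommends and check for the CVE-2025-29824 fix.
# The KB identifier below is a placeholder; replace it with the April 2025
# CLFS update for your Windows build.
$ClfsPatchKb = 'KB<PLACEHOLDER-April-2025-CLFS-update>'

function Get-DefenderMitigationStatus {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # EnableNetworkProtection: 0 = Disabled, 1 = Enabled (block), 2 = Audit mode
    $netProt = switch ($pref.EnableNetworkProtection) {
        1       { 'Enabled' }
        2       { 'AuditMode' }
        default { 'Disabled' }
    }

    # Get-HotFix lists installed updates. A later cumulative update that
    # supersedes the April 2025 fix shows a different KB, so a miss means
    # "verify", not "vulnerable".
    $patch = Get-HotFix -Id $ClfsPatchKb -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        TamperProtected    = [bool]$status.IsTamperProtected
        RealTimeProtection = [bool]$status.RealTimeProtectionEnabled
        NetworkProtection  = $netProt
        ClfsPatchInstalled = if ($patch) { $true } else { 'Verify (KB not found; may be superseded)' }
    }
}

$result = Get-DefenderMitigationStatus
$result | Format-List

# Network protection can be switched to block mode locally. Tamper protection
# is managed centrally (Microsoft Defender portal or Intune), so it is only
# reported here; a $false value should be escalated to whoever owns that policy.
if ($result.NetworkProtection -ne 'Enabled') {
    Set-MpPreference -EnableNetworkProtection Enabled
    Write-Host 'Network protection set to Enabled (block mode).'
}
```

Run it in an elevated PowerShell session on each endpoint, or wrap the function in `Invoke-Command` to collect the object from many hosts at once. Audit mode for network protection only logs blocked connections, which is why the script treats anything other than `Enabled` as needing remediation.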

This incident highlights the growing trend of attackers blending legitimate tools with advanced malware techniques—raising the bar for detection and response in enterprise environments.