Play Ransomware Affiliate Leveraged Zero-Day to Deploy Malware
The Play ransomware gang has once again shown itself to be a serious threat, exploiting a high-severity Windows Common Log File System (CLFS) flaw as a zero-day to deploy malware on compromised systems. The flaw, CVE-2025-29824, is a use-after-free vulnerability in the Windows Common Log File System driver that allows an attacker who already has local, low-privileged code execution to elevate privileges to SYSTEM.
The Vulnerability: A Game-Changer for Attackers
CVE-2025-29824 is a high-severity vulnerability with a CVSS score of 7.8. Because it is a local privilege escalation, it is useless on its own; it matters once an attacker already runs code as a low-privileged user on the host, which is exactly the position an intruder is in after an initial foothold and where a SYSTEM-level exploit unlocks credential dumping, account creation, and malware deployment. Microsoft confirmed that the vulnerability had been exploited in the wild, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog in April 2025.
The Attack: A Zero-Day Exploit
Researchers at Symantec's Threat Hunter Team reported that the Play ransomware gang used a CVE-2025-29824 zero-day exploit in an attack against a U.S. organization before the vulnerability was disclosed and patched on April 8, 2025. Although no ransomware payload was deployed in the intrusion, the attackers deployed the Grixba infostealer, a custom tool associated with Balloonfly, the group behind the Play ransomware operation.
The Tactics, Techniques, and Procedures (TTPs): A Well-Planned Attack
The attackers likely used a public-facing Cisco ASA firewall as the initial entry point. Once they had access to a Windows system inside the network, they dropped Grixba and the CVE-2025-29824 exploit. They used PowerShell to enumerate Active Directory, ran the CLFS exploit to escalate to SYSTEM, and executed malicious DLLs and scripts to harvest credentials.
Persistence, Cleanup, and Overlap With Other Threat Actors
With elevated privileges, the attackers created new administrator accounts, deleted artifacts to cover their tracks, and registered scheduled tasks for persistence. CVE-2025-29824 was in the hands of more than one group before it was patched: Microsoft attributed the exploitation it observed to Storm-2460 and the PipeMagic malware, while Symantec saw Balloonfly use a different variant of the exploit that was dropped to disk as files rather than run filelessly.
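The post-exploitation behaviour described above (PowerShell-based Active Directory enumeration, a new account that is immediately made a local administrator, and scheduled tasks for persistence) is what a defender can hunt for even before a patch exists. The script below is an added example written for this page, not code from the article, Symantec, or Microsoft. It correlates normalized Windows event records using the standard event IDs 4104 (PowerShell script block), 4720 (user account created), 4732 (member added to a security-enabled local group) and 4698 (scheduled task created). The field names of the normalized records, the 15-minute window, the AD-recon marker list, and all host, user and task names in the sample data are assumptions constructed for the example, not indicators from the intrusion.

```python
"""Correlate Windows Security / PowerShell Operational events for the
post-exploitation pattern: AD recon, new local admin, scheduled-task persistence.

Added example for this page; record schema, window and markers are assumptions.
Normalized record fields (assumed):
  host, time (ISO, no tz), id, user (SubjectUserName), and per event:
  4104: script      4720: target (new account name)
  4732: member, group_sid   4698: task
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Commands typical of AD enumeration; an illustrative list, not a published IOC set.
AD_RECON_MARKERS = (
    "Get-ADComputer", "Get-ADUser", "Get-ADGroupMember",
    "Get-ADDomainController", "nltest", 'net group "domain admins"',
)
WINDOW = timedelta(minutes=15)     # correlation window (assumption)
ADMINS_SID = "S-1-5-32-544"        # well-known SID of BUILTIN\Administrators


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect(events):
    """Return {host: [finding, ...]} for hosts showing the suspicious pattern."""
    findings = defaultdict(list)
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    for host, evs in by_host.items():
        evs.sort(key=lambda e: parse_ts(e["time"]))
        created = {}  # new account name -> creation time (4720 seen on this host)
        for e in evs:
            t, eid = parse_ts(e["time"]), e["id"]
            if eid == 4104:
                hits = [m for m in AD_RECON_MARKERS if m.lower() in e["script"].lower()]
                if hits:
                    findings[host].append(
                        f"{e['time']} AD recon in PowerShell by {e['user']}: {', '.join(hits)}")
            elif eid == 4720:
                created[e["target"]] = t
            elif eid == 4732 and e["group_sid"] == ADMINS_SID:
                # Account created and elevated to Administrators within the window
                t0 = created.get(e["member"])
                if t0 is not None and t - t0 <= WINDOW:
                    secs = int((t - t0).total_seconds())
                    findings[host].append(
                        f"{e['time']} new account {e['member']} added to Administrators "
                        f"{secs}s after creation by {e['user']}")
            elif eid == 4698:
                # Scheduled task registered shortly after an account was created
                if any(t - t0 <= WINDOW for t0 in created.values()):
                    findings[host].append(
                        f"{e['time']} scheduled task {e['task']} created by {e['user']} "
                        f"within {WINDOW} of a new account")
    return dict(findings)


# Constructed sample events (not real log data). WS01 shows the full pattern;
# WS02 shows benign admin activity that must not alert.
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2025-04-01T10:00:00", "id": 4104, "user": "CORP\\jdoe",
     "script": "Import-Module ActiveDirectory; Get-ADComputer -Filter * | Select-Object Name"},
    {"host": "WS01", "time": "2025-04-01T10:05:00", "id": 4720,
     "user": "NT AUTHORITY\\SYSTEM", "target": "svc_backup"},
    {"host": "WS01", "time": "2025-04-01T10:06:00", "id": 4732,
     "user": "NT AUTHORITY\\SYSTEM", "member": "svc_backup", "group_sid": ADMINS_SID},
    {"host": "WS01", "time": "2025-04-01T10:08:00", "id": 4698,
     "user": "svc_backup", "task": "\\Microsoft\\Windows\\Maint\\Update"},
    {"host": "WS02", "time": "2025-04-01T09:00:00", "id": 4720,
     "user": "CORP\\helpdesk", "target": "intern01"},
    {"host": "WS02", "time": "2025-04-01T11:30:00", "id": 4732,
     "user": "CORP\\helpdesk", "member": "intern01", "group_sid": ADMINS_SID},
    {"host": "WS02", "time": "2025-04-01T11:35:00", "id": 4104, "user": "CORP\\helpdesk",
     "script": "Get-ChildItem C:\\Users | Measure-Object"},
]

if __name__ == "__main__":
    for host, items in detect(SAMPLE_EVENTS).items():
        print(host)
        for line in items:
            print("  " + line)
```

In practice the records would come from Get-WinEvent (Security log for 4720/4732/4698, Microsoft-Windows-PowerShell/Operational for 4104, which requires script block logging to be enabled) or from a SIEM export; the correlation keys on the host because the exploit's payoff is local SYSTEM, so the account creation, group change and task registration all land on the same machine within minutes.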
The Significance: A Rare but Devastating Attack
The use of zero-day vulnerabilities by ransomware actors is rare but not unprecedented, and this case shows why patch cadence alone is not enough: the exploit was in use before a fix existed, so detecting the post-exploitation activity (credential theft, new administrator accounts, scheduled tasks) matters as much as patching promptly once the update ships. As Symantec concludes, "while the use of zero-day vulnerabilities by ransomware actors is rare, it is not unprecedented."
Conclusion
The Play ransomware gang's use of a CVE-2025-29824 zero-day exploit to deploy malware shows how quickly a privilege-escalation bug is put to work once a ransomware crew has an initial foothold. Organizations should apply the April 2025 Windows security updates that fix the flaw, review exposed edge devices such as firewalls, and monitor for the account-creation and persistence activity seen in this intrusion.