Analyzing the Evolution of PipeMagic Malware
The PipeMagic malware has been a significant threat to organizations worldwide, particularly in the information technology and real estate sectors. In this article, we will delve into the evolution of PipeMagic malware from its first detection in 2022 to new infections observed in 2025.
In May 2025, attackers exploited CVE-2025-29824 (CVSS 7.8), a use-after-free in the Windows Common Log File System (CLFS) kernel driver, to deploy PipeMagic in RansomExx attacks. The flaw is a local privilege escalation: an attacker who already has code execution on the host as a low-privileged user can elevate privileges, which is why bugs of this class are prized as the post-access step in ransomware intrusions.
Microsoft disclosed and patched the vulnerability in April 2025, and it has since been added to the Known Exploited Vulnerabilities (KEV) catalog. Microsoft confirmed that the flaw had been exploited in a limited number of attacks against entities worldwide, including organizations in the information technology and real estate sectors of the United States and the retail sector in Saudi Arabia.
PipeMagic, first observed in RansomExx attacks in 2022, is a backdoor that gives its operators remote access and command execution on the infected host. It was initially spread by exploiting CVE-2017-0144 in Windows SMB and, in 2024, through a fake ChatGPT application targeting Saudi Arabia. In April 2025, Microsoft attributed the use of CVE-2025-29824 to deploy it to the threat actor it tracks as Storm-2460, showing the malware's evolving role in targeted campaigns against critical sectors.
In October 2024, PipeMagic attacks in Saudi Arabia used a fake Rust-based ChatGPT app that displayed only a blank window. Hidden inside it, an AES-encrypted blob unpacked shellcode that deployed the backdoor; the shellcode resolved Windows APIs by FNV-1a hash rather than by name, so the imports do not show up as strings to analysis tools. PipeMagic generated a random name for a named pipe of the form \\.\pipe\1.<random suffix>, used it to transfer encrypted payloads, and linked it to the local address 127.0.0.1:8082.
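To make the API-hashing point concrete, here is an added Python example (written for this article, not code from PipeMagic or from the report) showing how a loader resolves imports by 32-bit FNV-1a hash and how an analyst builds the reverse table to recover the names. The FNV-1a parameters are the standard ones; whether the real sample lowercases names, seeds the hash, or uses a 64-bit variant is not stated on the page and is an assumption, as is the constructed export list.

```python
from typing import Dict, List, Optional

FNV32_OFFSET = 0x811C9DC5   # standard 32-bit FNV offset basis
FNV32_PRIME = 0x01000193    # standard 32-bit FNV prime


def fnv1a32(data: bytes) -> int:
    """32-bit FNV-1a: XOR each byte into the state, then multiply by the prime (mod 2^32)."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def hash_api_name(name: str) -> int:
    """Hash an export name as a loader would: raw ASCII bytes, no NUL terminator, case-sensitive.
    (Whether PipeMagic lowercases names or adds a seed is an assumption; adjust to the sample.)"""
    return fnv1a32(name.encode("ascii"))


# Constructed stand-in for a DLL export table; a real tool would enumerate exports with pefile.
KERNEL32_EXPORTS: List[str] = [
    "CreateNamedPipeA", "CreateNamedPipeW", "ConnectNamedPipe", "CreateFileA",
    "VirtualAlloc", "VirtualProtect", "CreateThread", "WriteFile", "ReadFile",
    "LoadLibraryA", "GetProcAddress",
]


def build_lookup(exports: List[str]) -> Dict[int, str]:
    """Precompute hash -> name so hashes hard-coded in a sample can be mapped back to APIs."""
    table: Dict[int, str] = {}
    for name in exports:
        h = hash_api_name(name)
        if h in table and table[h] != name:
            # 32-bit hashes can collide; surface it instead of silently picking one
            raise ValueError(f"FNV-1a collision: {table[h]!r} vs {name!r}")
        table[h] = name
    return table


def resolve(hashes: List[int], table: Dict[int, str]) -> List[Optional[str]]:
    """Map hashes pulled from a sample's resolver table back to names (None if unknown)."""
    return [table.get(h) for h in hashes]


if __name__ == "__main__":
    table = build_lookup(KERNEL32_EXPORTS)
    # What a hashing loader ships instead of import names: `strings` shows none of these.
    wanted = [hash_api_name("CreateNamedPipeA"), hash_api_name("VirtualAlloc"), 0xDEADBEEF]
    for h, name in zip(wanted, resolve(wanted, table)):
        print(f"0x{h:08x} -> {name}")
```

The same table, built from the real export lists of the DLLs a sample loads (kernel32.dll, ntdll.dll, ws2_32.dll and so on), turns a column of constants in the disassembly into readable import names. The collision check matters because a malware author only needs hashes to be unique within the DLLs the loader targets, not globally, so an analyst's wider table can legitimately hit a clash.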
The backdoor fetched its additional modules from a command-and-control domain hosted on Microsoft Azure. In January 2025, researchers detected new PipeMagic infections in Saudi Arabia and Brazil and traced them to the domain hxxp://aaaaabbbbbbb.eastus.cloudapp.azure[.]com, which suggested a link between this activity and PipeMagic; the backdoor itself was later recovered from the infected hosts. The 2025 campaign delivered it through several loaders: a malicious Microsoft Help Index file containing obfuscated C# code that decrypted and ran RC4-encrypted shellcode; a fake ChatGPT client built on the Tauri and Tokio Rust frameworks, reusing the technique from the 2024 attacks; and DLL hijacking through a trojanized Google update DLL. In every case the loader decrypted the payload (often with AES) and injected it into memory to run the PipeMagic backdoor.
While investigating the 2025 campaign, researchers recovered three additional plugins, each implementing functionality that the main backdoor lacks; all three are 32-bit Windows executables. The asynchronous communication module handles file I/O through commands such as open, read, write and close, although its processing model is not truly asynchronous. The loader module injects payloads: it talks to the backdoor over named pipes and runs embedded 64-bit executables through a DllRegisterService interface. The injector module launches .NET payloads, bypasses AMSI by patching its scanning functions in memory, and works across multiple .NET runtime versions. Once a machine is compromised, the attackers run ProcDump renamed as dllhost.exe to dump LSASS memory into the victim's AppData directory, extract credentials from the dump, and use them to move laterally across the network. Microsoft described this same LSASS-dumping technique in its report on CVE-2025-29824.
"The repeated detection of PipeMagic in attacks on organizations in Saudi Arabia and its appearance in Brazil indicate that the malware remains active and that the attackers continue to develop its functionality," concludes the report. "The versions detected in 2025 show improvements over the 2024 version, aimed at persisting in victim systems and moving laterally within internal networks."
The report also includes indicators of compromise (IoCs) for this threat.