Microsoft Threat Intelligence has uncovered PipeMagic, a sophisticated modular backdoor used by the financially motivated threat actor Storm-2460. The malware masquerades as a legitimate open-source ChatGPT Desktop Application, but beneath its façade lies a stealthy, highly extensible malware framework designed for persistence and granular control.
PipeMagic was observed in real-world attacks tied to CVE-2025-29824, a Windows Common Log File System (CLFS) privilege escalation flaw. According to Microsoft:
“Microsoft Threat Intelligence encountered PipeMagic as part of research on an attack chain involving the exploitation of CVE-2025-29824… Storm-2460 leveraged the backdoor in targeted attacks to exploit this zero-day vulnerability and deploy ransomware.”
The targets spanned IT, finance, and real estate sectors across the US, Europe, South America, and the Middle East. While the campaign’s scope was limited, the pairing of a zero-day exploit with such a powerful backdoor makes it particularly alarming.
The initial dropper is a modified version of the ChatGPT Desktop App project hosted on GitHub. Microsoft explains:
“The first stage of the PipeMagic infection execution begins with a malicious in-memory dropper disguised as the open-source ChatGPT Desktop Application project. The threat actor uses a modified version… that includes malicious code to decrypt and launch an embedded payload in memory.”
This payload then activates the PipeMagic framework, establishing persistence and preparing for privilege escalation through the CLFS exploit.
PipeMagic’s architecture is both modular and stealthy. It relies on doubly linked list structures to manage payloads, execution flow, and networking modules. Microsoft identified four distinct linked lists:
- Payload linked list: Raw modules awaiting deployment.
- Execute linked list: Loaded and ready-to-run modules.
- Network linked list: Modules dedicated to C2 communication.
- Unknown linked list: Likely a staging area for dynamically loaded modules.
By offloading different tasks into specialized modules, PipeMagic complicates detection and analysis, while allowing attackers to continuously push new functionality over time.
The malware uses named pipes to deliver payload modules into memory. Each module is decrypted with RC4 and verified via SHA-1 hash checks before insertion into the payload linked list. Communication with the command-and-control (C2) infrastructure is delegated to a network module, which handles encrypted TCP/WebSocket communication.
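The decrypt-then-verify step described above (RC4 decryption followed by a SHA-1 check before a module is accepted) is the kind of routine an analyst re-implements to triage module blobs recovered from a memory image or a pipe capture. The following Python is an added example, not code from the page or from Microsoft's report: the blob layout it assumes (a 20-byte SHA-1 digest of the plaintext module followed by the RC4 ciphertext), the key, and the sample blobs are all constructed for illustration, since the page does not describe the real format. It rejects any blob whose digest does not match, which is what a mismatched key, a truncated capture, or a tampered module looks like in practice.

```python
"""Offline triage of RC4-encrypted, SHA-1-verified module blobs (added example).

ASSUMED layout, not the malware's documented format:
    blob = SHA1(plaintext_module) || RC4(key, plaintext_module)
"""
import hashlib

SHA1_LEN = 20


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def unpack_module(blob: bytes, key: bytes) -> bytes:
    """Decrypt one blob and return the plaintext module only if its SHA-1 matches the stored digest."""
    if len(blob) <= SHA1_LEN:
        raise ValueError("blob too short to hold a digest and a module")
    stored_digest, ciphertext = blob[:SHA1_LEN], blob[SHA1_LEN:]
    plaintext = rc4(key, ciphertext)
    if hashlib.sha1(plaintext).digest() != stored_digest:
        raise ValueError("SHA-1 mismatch: wrong key, truncated capture, or tampered module")
    return plaintext


def pack_module(plaintext: bytes, key: bytes) -> bytes:
    """Build a blob in the assumed layout; used here only to construct sample input."""
    return hashlib.sha1(plaintext).digest() + rc4(key, plaintext)


def triage(blobs, key: bytes):
    """Return (accepted, rejected): verified plaintext modules, and (index, reason) for the rest."""
    accepted, rejected = [], []
    for idx, blob in enumerate(blobs):
        try:
            accepted.append(unpack_module(blob, key))
        except ValueError as exc:
            rejected.append((idx, str(exc)))
    return accepted, rejected


# Constructed sample data (placeholder key and modules, not values from any real sample).
SAMPLE_KEY = b"placeholder-rc4-key"
_good = pack_module(b"constructed module A", SAMPLE_KEY)
_tampered = bytearray(pack_module(b"constructed module B", SAMPLE_KEY))
_tampered[-1] ^= 0x01                          # flip one ciphertext bit: digest no longer matches
SAMPLE_BLOBS = [_good, bytes(_tampered), b"short"]

if __name__ == "__main__":
    accepted, rejected = triage(SAMPLE_BLOBS, SAMPLE_KEY)
    for module in accepted:
        print("accepted:", module)
    for idx, reason in rejected:
        print(f"rejected blob {idx}: {reason}")
```

Running the script accepts the first blob and reports the tampered and truncated ones with the reason they failed; the same `triage` loop can be pointed at a directory of carved blobs once the key and real layout have been recovered from the sample.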
As Microsoft notes:
“PipeMagic maintains robust command-and-control (C2) communication via a dedicated networking module… By offloading network communication and backdoor tasks to discrete modules, PipeMagic maintains a modular, stealthy, and highly extensible architecture.”
Once active, PipeMagic provides adversaries with near-complete control of the compromised system. Supported backdoor operations include:
- Adding, deleting, or modifying payload modules.
- Executing payloads in memory.
- Gathering system and domain information.
- Enumerating running processes.
- Recollecting system data for reconnaissance.
One backdoor command even renames the executable to “:fuckit” before marking it for self-deletion.
Its disguise as a popular AI application increases its likelihood of luring victims, while its reliance on dynamic payload loading and encrypted pipes complicates detection.
Microsoft emphasizes the importance of exposing such threats:
“By exposing the inner workings of this malware, we also aim to disrupt adversary tooling and increase the operational cost for the threat actor, making it more difficult and expensive for them to sustain their campaigns.”