Kaspersky Labs has released a new report shedding light on the persistent threat posed by PipeMagic, a sophisticated backdoor that has resurfaced in recent attacks against organizations in Saudi Arabia and Brazil. Originally identified in 2022, PipeMagic has demonstrated resilience and adaptability, now tied to the exploitation of a recently patched Microsoft zero-day, CVE-2025-29824.
According to Kaspersky, “The exploit for this vulnerability was executed by the PipeMagic malware, which we first discovered in December 2022 in a RansomExx ransomware campaign.”
PipeMagic first appeared in December 2022 during an industrial espionage campaign in Southeast Asia, where attackers exploited the infamous CVE-2017-0144 (used by WannaCry) and deployed a trojanized version of Rufus as the loader. The malware functioned as both a remote access backdoor and a network gateway, supporting a wide range of commands for espionage and sabotage.
In October 2024, attackers innovated by using a fake ChatGPT application built with Rust and the Tauri framework to deliver PipeMagic. As Kaspersky describes, “The fake app was written in Rust… when launched, it simply displayed a blank screen.” Behind that blank interface, the malware decrypted and executed hidden shellcode, bypassing detection with clever use of FNV-1a hashing and dynamic API resolution.
In 2025, Kaspersky reports fresh activity linked to PipeMagic. New loader samples appeared disguised as Microsoft Help Index files (metafile.mshi) and as DLL hijacking payloads. These techniques reflect an escalation in stealth and persistence tactics.
Attackers hosted their command-and-control infrastructure on Microsoft Azure, using domains such as
This not only provided resilience but also helped blend malicious traffic with legitimate cloud services.
Kaspersky explains that the updated backdoor retained its signature named pipe communication mechanism (e.g., \\.\pipe\magic3301), while still leveraging a localhost listener at 127.0.0.1:8082. This design ensures robust and covert communication channels within compromised environments.
Kaspersky researchers uncovered three new PipeMagic plugins during the 2025 attacks:
- Asynchronous Communication Module – Implements an I/O queue and completion ports for managing file operations.
- Loader Module – Injects additional payloads into memory, including 64-bit executables with DLL-based command interfaces.
- Injector Module – Executes .NET payloads while evading Microsoft’s AMSI (Antimalware Scan Interface) by patching AMSI functions (AmsiScanString and AmsiScanBuffer) to always return safe results.
These enhancements provide attackers with flexible options for file manipulation, payload delivery, and credential theft.
One of the most alarming tactics observed was the attackers’ abuse of ProcDump, renamed to dllhost.exe, to dump LSASS memory. This technique enabled them to harvest credentials and pivot across victim networks. As the report notes, “In the 2025 attacks, the attackers used the ProcDump tool renamed to dllhost.exe to extract memory from the LSASS process – similar to the method described by Microsoft in the context of exploiting vulnerability CVE-2025-29824.”
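The host-level indicators described above (the magic3301 named pipe, ProcDump masquerading as dllhost.exe, and LSASS memory access) turned into detection logic over constructed Sysmon-style JSON events, as an added example that is not code from Kaspersky's report. The LSASS allowlist and the sample events are assumptions to be tuned per environment.

```python
# Added example: detection over constructed Sysmon-style JSON events for the
# PipeMagic indicators named above (pipe magic3301, renamed ProcDump, LSASS access).
import json
import ntpath
import re

PIPE_PATTERN = re.compile(r"\\magic\d*$", re.IGNORECASE)  # Sysmon logs PipeName as "\magic3301"
# Assumed allowlist of Windows processes expected to open LSASS; tune per environment.
LSASS_ALLOWLIST = {"c:\\windows\\system32\\csrss.exe", "c:\\windows\\system32\\wininit.exe"}

def check_event(ev):
    """Return a finding string for one Sysmon event, or None if it looks benign."""
    eid = ev.get("EventID")
    if eid == 17 and PIPE_PATTERN.search(ev.get("PipeName", "")):
        return f"suspicious named pipe {ev['PipeName']} created by {ev.get('Image')}"
    if eid == 1:
        image_stem = ntpath.splitext(ntpath.basename(ev.get("Image", "")))[0].lower()
        original_stem = ntpath.splitext(ev.get("OriginalFileName", ""))[0].lower()
        # The PE version resource keeps OriginalFileName even after the file is renamed.
        if original_stem.startswith("procdump") and image_stem != original_stem:
            return f"renamed ProcDump: {ev['Image']} (OriginalFileName={ev['OriginalFileName']})"
    if eid == 10:
        target = ntpath.basename(ev.get("TargetImage", "")).lower()
        if target == "lsass.exe" and ev.get("SourceImage", "").lower() not in LSASS_ALLOWLIST:
            return f"LSASS memory access from {ev['SourceImage']}"
    return None

def scan(lines):
    """Run check_event over JSON lines and return the list of findings."""
    return [hit for hit in (check_event(json.loads(l)) for l in lines if l.strip()) if hit]

# Constructed sample telemetry, one JSON object per line (not taken from the report).
SAMPLE_LOG = r"""
{"EventID": 17, "Image": "C:\\Windows\\System32\\svchost.exe", "PipeName": "\\magic3301"}
{"EventID": 1, "Image": "C:\\Users\\Public\\dllhost.exe", "OriginalFileName": "procdump.exe"}
{"EventID": 10, "SourceImage": "C:\\Users\\Public\\dllhost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\dllhost.exe", "OriginalFileName": "dllhost.exe"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe"}
""".strip().splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The genuine dllhost.exe and the allowlisted csrss.exe access in the sample produce no finding, so the logic keys on the masquerade and the unexpected LSASS reader rather than on the file name alone.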
The PipeMagic campaigns demonstrate the persistence of advanced threat actors and their ability to reuse, adapt, and refine malware over multiple years. By combining zero-day exploitation, cloud-hosted infrastructure, fake applications, and AMSI bypasses, attackers have made PipeMagic a formidable tool for both ransomware operations and espionage.
Kaspersky warns: “The repeated detection of PipeMagic in attacks on organizations in Saudi Arabia and its appearance in Brazil indicate that the malware remains active and that the attackers continue to develop its functionality.”