
Symantec’s Threat Hunter Team has uncovered a sophisticated attack involving a zero-day privilege escalation vulnerability in Microsoft’s Common Log File System (CLFS) driver — CVE-2025-29824 — actively exploited by Balloonfly, the threat group behind Play ransomware (PlayCrypt). This activity preceded the official patch released on April 8, 2025.
“Attackers linked to the Play ransomware operation deployed a zero-day privilege escalation exploit during an attempted attack against an organization in the U.S.,” Symantec warns.
No ransomware was ultimately deployed in this intrusion, but the attackers did run Grixba, a custom infostealer previously tied to Balloonfly. The absence of an encryption payload suggests the activity was early-stage reconnaissance or a test of the exploit rather than a completed ransomware attack.
“The attackers deployed the Grixba infostealer, which is a custom tool associated with Balloonfly, the attackers behind the Play ransomware operation,” Symantec explains.
The exploit is multi-threaded and abuses a race condition in clfs.sys that leads to a use-after-free, which the attackers turn into a kernel memory write. Two threads run concurrently:
- Thread 1: calls CloseHandle() on the CLFS log handle, triggering cleanup that frees the key structure (CClfsLogCcb)
- Thread 2: calls DeviceIoControl() against the same log, so the driver dereferences the now-freed structure
“The CLFS driver uses the memory pointer from the FsContext2 field of the FILE_OBJECT structure, which still refers to the location of the already deallocated structure,” Symantec notes.
The exploit interacted with the CLFS log at \\.\LOG:\??\C:\ProgramData\SkyPDF\PDUDrv, left artifacts on disk, and injected a malicious DLL, dropped under the name clssrv.inf, into winlogon.exe.
The attackers executed a batch file (servtask.bat) that:
- Dumped SAM, SYSTEM, and SECURITY registry hives
- Created a new user LocalSvc, added to the Administrators group
- Scheduled a task to execute malware as SYSTEM
A second batch file (cmdpostfix.bat) then deleted the exploit's on-disk artifacts to cover the attackers' tracks.
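The post-exploitation steps above leave a recognisable trail: files under C:\ProgramData\SkyPDF\ (clssrv.inf, servtask.bat, cmdpostfix.bat), reg dumps of the SAM/SYSTEM/SECURITY hives, a new LocalSvc account added to Administrators, and a scheduled task running as SYSTEM. The following hunting logic is an added example written for this article; it is not Symantec's, Microsoft's or the attackers' code. It runs over a constructed, simplified JSON-lines rendering of Windows Security events 4720/4732/4698 and Sysmon events 1/7/11; the flattened field names, in particular TaskUserId standing in for the UserId inside a 4698 TaskContent, are assumptions to be mapped onto your own telemetry schema. It goes slightly beyond the text by also flagging execution of the batch files themselves and by requiring three distinct stages before declaring a chain match.

```python
"""Hunt for the CVE-2025-29824 post-exploitation chain in endpoint telemetry.

Added example for this article, not Symantec's, Microsoft's or Play's code.
Input: constructed, simplified JSON lines standing in for Windows Security
events 4720/4732/4698 and Sysmon events 1/7/11. 'TaskUserId' (the <UserId>
inside a 4698 TaskContent) is an assumed flattened field name.
"""
from __future__ import annotations

import json
import re

# Filenames named in the article; the directory is the parent of the CLFS log
# path the exploit opened (\\.\LOG:\??\C:\ProgramData\SkyPDF\PDUDrv).
ARTEFACT_FILES = {"clssrv.inf", "servtask.bat", "cmdpostfix.bat"}
ARTEFACT_DIR = "c:\\programdata\\skypdf\\"
ROGUE_USER = "localsvc"
SYSTEM_SID = "S-1-5-18"  # LocalSystem, i.e. a task registered to run as SYSTEM

# reg save / reg export of the SAM, SYSTEM or SECURITY hive, HKLM\ optional.
HIVE_DUMP = re.compile(
    r'\breg(?:\.exe)?\s+(?:save|export)\s+"?(?:hklm\\)?(sam|system|security)\b',
    re.IGNORECASE,
)


def classify(ev: dict) -> tuple[str, str] | None:
    """Map one event to (stage, description), or None if it is uninteresting."""
    eid = ev.get("EventID")
    if eid == 4720 and ev.get("TargetUserName", "").lower() == ROGUE_USER:
        return "account", f"4720: local account {ev['TargetUserName']} created"
    if eid == 4732 and ev.get("TargetUserName", "").lower() == "administrators":
        # In 4732 TargetUserName is the group and MemberName the added account.
        return "privilege", f"4732: {ev.get('MemberName')} added to Administrators"
    if eid == 4698 and ev.get("TaskUserId") == SYSTEM_SID:
        return "persistence", f"4698: task {ev.get('TaskName')} registered to run as SYSTEM"
    if eid == 1:  # Sysmon process creation
        cmd = ev.get("CommandLine", "")
        m = HIVE_DUMP.search(cmd)
        if m:
            return "credentials", f"Sysmon 1: {m.group(1).upper()} hive dumped with reg"
        if any(name in cmd.lower() for name in ARTEFACT_FILES):
            return "artefact", f"Sysmon 1: exploit batch file executed: {cmd}"
    if eid == 11:  # Sysmon file creation
        path = ev.get("TargetFilename", "").lower()
        if path.startswith(ARTEFACT_DIR) or path.rsplit("\\", 1)[-1] in ARTEFACT_FILES:
            return "artefact", f"Sysmon 11: exploit artefact written: {ev['TargetFilename']}"
    if eid == 7:  # Sysmon image load; only fires if the DLL goes through the loader
        image = ev.get("Image", "").lower()
        loaded = ev.get("ImageLoaded", "").lower()
        if image.endswith("\\winlogon.exe") and loaded.rsplit("\\", 1)[-1] in ARTEFACT_FILES:
            return "injection", f"Sysmon 7: winlogon.exe loaded {ev['ImageLoaded']}"
    return None


def hunt(lines) -> dict:
    """Classify every JSON line; a chain match needs three distinct stages."""
    findings, stages = [], set()
    for line in lines:
        if not line.strip():
            continue
        hit = classify(json.loads(line))
        if hit:
            stages.add(hit[0])
            findings.append(hit[1])
    return {"findings": findings, "stages": sorted(stages), "chain_match": len(stages) >= 3}


# Constructed sample telemetry (raw strings: \\ is one backslash after JSON decoding).
SAMPLE_LOG = [
    r'{"EventID": 11, "Image": "C:\\Windows\\System32\\winlogon.exe", "TargetFilename": "C:\\ProgramData\\SkyPDF\\clssrv.inf"}',
    r'{"EventID": 7, "Image": "C:\\Windows\\System32\\winlogon.exe", "ImageLoaded": "C:\\ProgramData\\SkyPDF\\clssrv.inf"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c servtask.bat"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg save HKLM\\SAM C:\\ProgramData\\SkyPDF\\sam.hiv"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg  save hklm\\system C:\\ProgramData\\SkyPDF\\system.hiv"}',
    r'{"EventID": 4720, "TargetUserName": "LocalSvc", "SubjectUserName": "SYSTEM"}',
    r'{"EventID": 4732, "TargetUserName": "Administrators", "MemberName": "LocalSvc"}',
    r'{"EventID": 4698, "TaskName": "\\servtask", "TaskUserId": "S-1-5-18"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg query HKLM\\Software\\Microsoft"}',
    r'{"EventID": 4732, "TargetUserName": "Remote Desktop Users", "MemberName": "helpdesk"}',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG)["findings"]:
        print(finding)
```

The Sysmon 7 rule is the weakest link: the article says the DLL was injected into winlogon.exe, and an injector that maps the image manually never produces an image-load event, so in practice pair it with Sysmon 8/10 (CreateRemoteThread, ProcessAccess) against winlogon.exe. The LocalSvc name and the batch file names are specific to this intrusion; the hive-dump regex and the SYSTEM scheduled task check are the parts worth keeping generic.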
Symantec’s analysis indicates that this zero-day may have been used by multiple threat actors. While Balloonfly’s attack left disk-based artifacts, Microsoft reported fileless exploitation by another group — Storm-2460, operators of PipeMagic malware.
“The nature of the exploitation by Storm-2460 appears different from the Balloonfly-linked activity discovered by Symantec,” the report notes.
Microsoft confirmed exploitation against organizations in the U.S., Venezuela, Spain, and Saudi Arabia, underscoring the wide reach of this vulnerability.
Zero-day use by ransomware groups is rare but not unprecedented: Symantec previously reported Black Basta exploiting CVE-2024-26169 before it was publicly patched.