Threat Actors Exploit Microsoft Help Index File to Deploy PipeMagic Malware
Cybersecurity researchers have uncovered a sophisticated campaign where threat actors leverage a Microsoft Help Index File (.mshi) to deploy the PipeMagic backdoor, marking a notable evolution in malware delivery methods.
This development ties into the exploitation of CVE-2025-29824, a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver, which Microsoft patched on April 8, 2025.
The vulnerability allowed attackers to escalate privileges from a standard user account, facilitating ransomware deployment by groups like Storm-2460.
Recent Exploitation Tactics
PipeMagic, first identified in December 2022 during RansomExx campaigns targeting industrial firms in Southeast Asia, has since adapted its tactics.
In 2024, it masqueraded as a fake ChatGPT application to infiltrate organizations in Saudi Arabia, using Rust-based loaders built with the Tauri and Tokio frameworks to decrypt encrypted payloads and execute them via shellcode.

By 2025, infections spread to Brazil and Saudi Arabia, with ...
Source: gbhackers. This is an excerpt; the full text is available on the gbhackers site.