
PipeMagic: The backdoor that refuses to die

Overview

PipeMagic is not “just another backdoor.” First surfacing in late 2022 during RansomExx ransomware campaigns in Southeast Asia, it has evolved into one of the most persistent and modular backdoors in recent memory.

Its disguises have ranged from trojanized Rufus USB utilities to the more recent fake ChatGPT desktop clients, written in Rust. With encrypted named pipes for C2, in-memory loaders, and self-updating plugin modules, PipeMagic isn’t simply malware — it’s an adaptable attack platform.

By 2025 it remains alive and kicking, chained with fresh vulnerabilities such as CVE-2025-29824 (a CLFS elevation-of-privilege bug patched in April 2025) while riding the ongoing AI hype wave.

Timeline (2022 - 2025)

2022

  • First observed in RansomExx ransomware campaigns in Southeast Asia.

2023

  • Adopted by Storm-2460.

  • Expanded into ransomware chains, pairing with CLFS privilege escalation exploits.

2024

  • Resurgence in Saudi Arabia via fake ChatGPT desktop apps written in Rust.

  • New loaders: malicious Microsoft Help files, DLL hijacking (GoogleUpdate.dll).

2025

  • Deployed alongside exploitation of CVE-2025-29824 (CLFS elevation of privilege), fixed in the April 2025 updates.

APT Behind It

  • Attributed to Storm-2460, a financially motivated threat actor tracked under that name by Microsoft; Kaspersky has independently documented the same PipeMagic activity.

  • Known for infrastructure exploitation, ransomware delivery (e.g., RansomExx), and reusing commodity malware for initial access before deploying PipeMagic.

Why PipeMagic Still Matters

Because it is modular and still active. Over time it added:

  • Fake loaders: trojanized ChatGPT desktop apps, malicious Help files, and DLL hijacks.

  • API obfuscation using FNV-1a hashing, so imported function names never appear as strings in the binary.

  • Randomized named-pipe names for stealthy local C2.

  • Azure cloud infrastructure for hosting C2 servers and plugin modules.

  • Abuse of legitimate system tools (Sysinternals ProcDump renamed to dllhost.exe) for LSASS credential dumping.
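The FNV-1a API hashing mentioned above is worth seeing both from the loader's side and from the analyst's side. The following is an added example written for this page, not code from PipeMagic or from any of the cited reports. It assumes the common 32-bit FNV-1a variant over the raw ASCII bytes of the export name, with no extra seed or XOR key and case-sensitive input; real samples frequently tweak one of those details, so the constants and the `API_NAMES` dictionary are starting points to adjust, not PipeMagic's actual values.

```python
# Added example: FNV-1a API-name hashing as used for import obfuscation.
# Assumptions (not from the page): 32-bit FNV-1a over raw ASCII bytes,
# no seed/XOR key, case-sensitive names.

FNV32_OFFSET = 0x811C9DC5
FNV32_PRIME = 0x01000193
MASK32 = 0xFFFFFFFF


def fnv1a32(data: bytes) -> int:
    """Standard 32-bit FNV-1a: XOR each byte into the state, then multiply."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & MASK32
    return h


# Loader side: the binary stores only hashes and walks a DLL's export table
# until one export name hashes to the wanted value. `exports` stands in for
# the name->address table read from the module's export directory.
def resolve_export(exports: dict, wanted: int):
    for name, addr in exports.items():
        if fnv1a32(name.encode("ascii")) == wanted:
            return name, addr
    return None


# Analyst side: precompute hashes for a dictionary of API names so hashes
# pulled out of a sample (or a disassembler) can be mapped back to names.
API_NAMES = [
    "CreateNamedPipeW", "ConnectNamedPipe", "ReadFile", "WriteFile",
    "VirtualAlloc", "VirtualProtect", "CreateThread", "LoadLibraryA",
    "GetProcAddress", "NtQuerySystemInformation",
]


def build_hash_table(names):
    """hash -> API name, for every name in the dictionary."""
    return {fnv1a32(n.encode("ascii")): n for n in names}


def resolve_hashes(hashes, table):
    """Map each hash to an API name, or None when it is not in the dictionary."""
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    # Constructed input: hashes as they might sit in a sample's resolver table
    # (computed here from known names, plus one value the dictionary lacks).
    sample_hashes = [fnv1a32(b"CreateNamedPipeW"), fnv1a32(b"VirtualAlloc"), 0xDEADBEEF]
    table = build_hash_table(API_NAMES)
    for h, name in resolve_hashes(sample_hashes, table).items():
        print(f"0x{h:08x} -> {name or '<unknown: extend the dictionary>'}")
```

If a hash refuses to resolve, the first things to try are a different bit width (64-bit FNV-1a), lower-casing the name before hashing, or a per-sample seed replacing the standard offset basis; the rest of the loop stays the same.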

Damages & Risk Profile

  • Targeted Industries: Industrial, IT, finance, retail, real estate, software.

  • Regions: Southeast Asia, Middle East, South America, Europe, U.S.

Impact:

  • Full remote access.

  • Credential theft -> lateral movement -> domain compromise.

  • Exfiltration and ransomware deployment.

  • Destruction of backups, modification of boot configs, forensic countermeasures.

The risk in 2025 is not novelty but reliability. PipeMagic remains a stable, proven platform for intrusion campaigns, especially when paired with fresh zero-days.

Mitigation Strategy

  • Patch management: Prioritize the April 2025 fixes for CVE-2025-29824.

  • Threat hunting: Look for anomalous named pipes of the form \\.\pipe\1.<hex> (Sysmon Event ID 17/18 record pipe creation and connection).

  • Tool abuse monitoring: Unexpected use of certutil, wbadmin, and ProcDump, including ProcDump running under a different file name.

  • EDR / memory forensics: Focus on in-memory payloads and plugin modules, since little of the backdoor touches disk.

  • Network segmentation: Restrict lateral movement opportunities.

  • Incident response readiness: Be able to detect LSASS dumps and C2 traffic to Azure-hosted infrastructure.

  • User awareness: Only install the ChatGPT desktop app from official sources; fake installers promising free access to pro models remain an effective lure.
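Three of the hunting points above (the \\.\pipe\1.<hex> pipe naming, ProcDump renamed to dllhost.exe, and wbadmin/certutil abuse) can be turned into simple rules over endpoint telemetry. The block below is an added example for this page, not a detection shipped by Microsoft, Kaspersky or any vendor. It runs over hand-constructed Sysmon-style records (field names mirror Sysmon's Image, OriginalFileName, CommandLine and PipeName, but the events themselves are made up). Two assumptions are baked in and marked in comments: that the hex part of the pipe name is at least 8 digits, and that Sysinternals ProcDump carries the PE OriginalFileName "procdump"; the wbadmin and certutil switches flagged are generic abuse indicators chosen for the example, not PipeMagic-specific IOCs.

```python
import ntpath
import re

# Added example (not from the page): a minimal hunt over Sysmon-style events.
# The records below are constructed; only the field names mirror Sysmon.

# PipeMagic C2 pipes follow \\.\pipe\1.<hex string>. Sysmon Event ID 17/18
# log PipeName without the \\.\pipe prefix, so both forms are accepted.
# Assumption: at least 8 hex digits; the exact length is not pinned down here.
PIPE_RE = re.compile(r"^(?:\\\\\.\\pipe)?\\1\.[0-9a-fA-F]{8,}$")

# LOLBin switches worth flagging. The tools come from the page; the switches
# are generic abuse indicators chosen for this example (assumption).
SUSPICIOUS_SWITCHES = {
    "wbadmin.exe": ("delete catalog", "delete systemstatebackup"),
    "certutil.exe": ("-urlcache", "-decode", "-encode"),
}


def rule_named_pipe(ev):
    if ev.get("EventID") in (17, 18) and PIPE_RE.match(ev.get("PipeName", "")):
        return "pipemagic_style_named_pipe"
    return None


def rule_renamed_procdump(ev):
    """ProcDump executed under another file name (page: renamed to dllhost.exe).
    Assumption: Sysinternals ProcDump carries OriginalFileName 'procdump'."""
    if ev.get("EventID") != 1:
        return None
    orig = ev.get("OriginalFileName", "").lower()
    image = ntpath.basename(ev.get("Image", "")).lower()
    if orig.startswith("procdump") and not image.startswith("procdump"):
        if "lsass" in ev.get("CommandLine", "").lower():
            return "renamed_procdump_lsass_dump"
        return "renamed_procdump"
    return None


def rule_lolbin(ev):
    if ev.get("EventID") != 1:
        return None
    image = ntpath.basename(ev.get("Image", "")).lower()
    cmd = ev.get("CommandLine", "").lower()
    for frag in SUSPICIOUS_SWITCHES.get(image, ()):
        if frag in cmd:
            return f"lolbin_{image.split('.')[0]}"
    return None


RULES = (rule_named_pipe, rule_renamed_procdump, rule_lolbin)


def hunt(events):
    """Return (rule_name, event) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((name, ev))
    return hits


# Constructed sample telemetry (not real logs). Expected: events 2, 3 and 5 fire.
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": r"C:\Program Files\Browser\browser.exe",
     "PipeName": r"\mojo.5724.1234"},
    {"EventID": 17, "Image": r"C:\Users\Public\dllhost.exe",
     "PipeName": r"\1.9a8b7c6d5e4f3a2b"},
    {"EventID": 1, "Image": r"C:\Users\Public\dllhost.exe", "OriginalFileName": "procdump",
     "CommandLine": r"dllhost.exe -accepteula -r -ma lsass.exe C:\Users\Public\l.dmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe", "OriginalFileName": "dllhost.exe",
     "CommandLine": "dllhost.exe /Processid:{a1b2c3d4-0000-0000-0000-000000000000}"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -hashfile C:\tools\x.exe SHA256"},
]

if __name__ == "__main__":
    for rule_name, ev in hunt(SAMPLE_EVENTS):
        print(f"[{rule_name}] {ev.get('Image')} {ev.get('PipeName') or ev.get('CommandLine')}")
```

The renamed-ProcDump rule relies on PE version metadata rather than the file name, which is exactly what survives a rename; the same comparison of OriginalFileName against the on-disk name generalizes to any Sysinternals or other signed tool an attacker drops under a system-binary name.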

References & Reports
