
Fake ChatGPT Desktop App Delivering PipeMagic Backdoor, Microsoft

By Admin
August 18, 2025


Microsoft warns that a fake ChatGPT desktop app was used to deliver PipeMagic malware, linked to ransomware attacks exploiting a Windows zero-day.

Cybersecurity researchers at Microsoft discovered a new backdoor called PipeMagic while investigating attacks that abused a zero-day flaw in Windows CLFS (CVE-2025-29824). What makes this backdoor dangerous is how it poses as a legitimate open-source ChatGPT desktop application while delivering a framework for running ransomware operations.

PipeMagic relies on a modular design that loads different components as needed. These modules handle everything from command-and-control communication to payload execution, all while staying hidden through encrypted named pipes and in-memory operations. By separating its functions this way, the backdoor makes it far harder for defenders to detect or analyze.

It’s worth noting that the ChatGPT Desktop project on GitHub mentioned by Microsoft is not malicious. What happened is that attackers used a trojanized copy of this app, since it’s open source, modified with hidden code, to deliver the PipeMagic backdoor. The legitimate version remains safe, but downloading from unofficial or compromised sites carries the risk of infection.

“The first stage of the PipeMagic infection execution begins with a malicious in-memory dropper disguised as the open-source ChatGPT Desktop Application project. The threat actor uses a modified version of the GitHub project that includes malicious code to decrypt and launch an embedded payload in memory.”

Microsoft
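
A defender-side triage sketch for the masquerading described above, added here as an example and not taken from Microsoft's analysis or the article: it joins Sysmon process-create (Event ID 1) and pipe-created (Event ID 17) records and flags any binary presenting itself as ChatGPT whose SHA-256 is not on an allow-list of releases you have verified. The events, paths, hashes, pipe names, the allow-list and the `find_suspect_lookalikes` helper are all constructed for illustration.

```python
# Constructed Sysmon-style records: Event ID 1 = process create, 17 = pipe created.
# Every path, GUID, hash and pipe name below is a made-up placeholder.
KNOWN_GOOD_SHA256 = {"A" * 64}  # assumption: hashes of releases you verified yourself

EVENTS = [
    {"EventID": 1, "ProcessGuid": "{g-1}", "Product": "ChatGPT",
     "Image": r"C:\Program Files\ChatGPT\ChatGPT.exe", "Hashes": "SHA256=" + "A" * 64},
    {"EventID": 17, "ProcessGuid": "{g-2}", "PipeName": r"\9f3c1a7e5b2d4c68"},
    {"EventID": 1, "ProcessGuid": "{g-2}", "Product": "ChatGPT",
     "Image": r"C:\Users\pat\Downloads\ChatGPT.exe",
     "Hashes": "MD5=" + "0" * 32 + ",SHA256=" + "B" * 64},
    {"EventID": 1, "ProcessGuid": "{g-3}", "Product": "Microsoft Windows",
     "Image": r"C:\Windows\System32\svchost.exe", "Hashes": "SHA256=" + "C" * 64},
    {"EventID": 17, "ProcessGuid": "{g-3}", "PipeName": r"\srvsvc"},
]


def sha256_of(hashes_field):
    """Extract the SHA256 value from Sysmon's 'ALG=value,ALG=value' Hashes field."""
    for part in hashes_field.split(","):
        alg, _, value = part.partition("=")
        if alg.strip().upper() == "SHA256":
            return value.strip().upper()
    return None


def find_suspect_lookalikes(events, name_hint="chatgpt", known_good=KNOWN_GOOD_SHA256):
    """Flag processes that present as the app but whose hash is not allow-listed."""
    procs, pipes = {}, {}
    for ev in events:  # index everything first, so event order in the log does not matter
        if ev["EventID"] == 1:
            procs[ev["ProcessGuid"]] = ev
        elif ev["EventID"] == 17:
            pipes.setdefault(ev["ProcessGuid"], []).append(ev["PipeName"])
    findings = []
    for guid, proc in procs.items():
        label = (proc.get("Product", "") + " " + proc["Image"]).lower()
        digest = sha256_of(proc.get("Hashes", ""))
        if name_hint not in label or digest in known_good:
            continue
        created = pipes.get(guid, [])
        findings.append({"image": proc["Image"], "sha256": digest, "pipes": created,
                         "priority": "high" if created else "medium"})
    return findings


if __name__ == "__main__":
    for finding in find_suspect_lookalikes(EVENTS):
        print(finding)
```

A hash that is missing from the allow-list is a triage lead rather than a verdict; in this sketch the named-pipe activity is what raises the priority.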

PipeMagic Attributed to Storm-2460

Microsoft attributes PipeMagic to a financially motivated group known as Storm-2460. In recent campaigns, the group used it alongside CVE-2025-29824, a privilege escalation vulnerability, to move from initial access to ransomware deployment.

The attacks have not been limited to one industry or geography, with identified victims including financial and real estate organizations in the United States, Europe, South America, and the Middle East.

Researchers examining PipeMagic found that it manages payloads through a set of linked lists that act like internal queues. Some lists hold modules waiting to be executed, others manage network communication, while one list remains unexplained but appears to be used dynamically by loaded payloads. This structure allows Storm-2460 to update or replace components on the fly, giving them flexibility without having to redeploy the entire backdoor.

According to Microsoft’s long technical blog post, the communication layer of PipeMagic is equally sophisticated. Instead of connecting directly to its command server, the backdoor loads a dedicated networking module that establishes a WebSocket-style connection with its operators.

This design keeps network traffic isolated from the rest of the backdoor, limiting detection opportunities. Once a secure channel is active, PipeMagic sends detailed system information, including bot ID, domain details, process integrity, and user context, before receiving instructions on what modules to run or which data to exfiltrate.

Storm-2460 can also insert new modules, update existing ones, gather hashes, enumerate processes, and even rename the backdoor executable for self-deletion. Therefore, Microsoft has released detections across Microsoft Defender products and is urging organizations to review their security.

PipeMagic shows just how far backdoors have evolved. By using a zero-day exploit with a modular backdoor, Storm-2460 built a tool that easily bypasses detection. The full Microsoft analysis goes deep into its internal structures and also provides mitigation guidance.


