Fake ChatGPT Desktop App Delivering PipeMagic Backdoor, Microsoft

By Admin
August 19, 2025


Microsoft warns that a fake ChatGPT desktop app was used to deliver the PipeMagic malware, which has been linked to ransomware attacks exploiting a Windows zero-day.

Cybersecurity researchers at Microsoft discovered a backdoor called PipeMagic while investigating attacks that abused a zero-day flaw in the Windows Common Log File System (CLFS) driver, CVE-2025-29824. What makes this backdoor dangerous is that it poses as a legitimate open-source ChatGPT desktop application while delivering a framework for running ransomware operations.

PipeMagic relies on a modular design that loads different components as needed. These modules handle everything from command-and-control communication to payload execution, all while staying hidden through encrypted named pipes and in-memory operation. By separating its capabilities this way, the backdoor makes it far harder for defenders to detect or analyze.
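Named-pipe activity is one place where a backdoor built this way still leaves host telemetry, even when the pipe contents are encrypted. The Python script below is an added example, not code from Microsoft's report or from PipeMagic itself: it runs a generic heuristic over constructed Sysmon pipe events (EventID 17 Pipe Created and EventID 18 Pipe Connected, rendered here in a simplified key=value form) and flags pipe servers that run from a user-writable path and use a random-looking name, plus any later connection to such a pipe. The sample events, the process paths, the hex pipe name and the allowlist of known prefixes are all assumptions for illustration; nothing here reproduces PipeMagic's actual pipe naming.

```python
import re

# Constructed sample telemetry, not real logs: a simplified key=value rendering
# of Sysmon EventID 17 (Pipe Created) and 18 (Pipe Connected) records.
SAMPLE_EVENTS = [
    r"EventID=17 UtcTime=2025-08-19 10:02:11 ProcessId=1532 Image=C:\Windows\System32\spoolsv.exe PipeName=\spoolss",
    r"EventID=17 UtcTime=2025-08-19 10:02:14 ProcessId=7264 Image=C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe PipeName=\mojo.7264.4412.12345678901234567",
    r"EventID=17 UtcTime=2025-08-19 10:03:02 ProcessId=4412 Image=C:\Users\alice\AppData\Local\Temp\ChatGPT.exe PipeName=\3f9a1c7e2b8d4f60a1b2c3d4e5f60718",
    r"EventID=18 UtcTime=2025-08-19 10:03:05 ProcessId=5120 Image=C:\Windows\System32\svchost.exe PipeName=\3f9a1c7e2b8d4f60a1b2c3d4e5f60718",
]

# key=value pairs; a value runs until the next " key=" token, so values may contain spaces.
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
# A run of 16+ hex characters is the shape of a generated identifier, not a product name.
HEX_RUN_RE = re.compile(r"[0-9a-f]{16,}", re.IGNORECASE)
# Directories an unprivileged user can write to; a pipe server living here is unusual.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\|programdata\\|windows\\temp\\)", re.IGNORECASE
)
# Illustrative allowlist (assumption) of common software whose pipe names legitimately
# embed long numeric strings; build the real list from your own baseline.
KNOWN_PIPE_PREFIXES = ("mojo.", "chrome.", "crashpad_", "msys-", "cubeb-pipe-")


def parse_event(line):
    """Turn one key=value line into a dict."""
    return dict(KV_RE.findall(line))


def pipe_looks_random(pipe_name):
    """True when the name is not from a known product and contains a long hex run."""
    name = pipe_name.lstrip("\\")
    if name.lower().startswith(KNOWN_PIPE_PREFIXES):
        return False
    return HEX_RUN_RE.search(name) is not None


def analyze(lines):
    """Return one finding per suspicious pipe creation or per connection to a flagged pipe."""
    findings = []
    flagged_pipes = set()
    for line in lines:
        ev = parse_event(line)
        pipe = ev.get("PipeName", "")
        image = ev.get("Image", "")
        reasons = []
        if ev.get("EventID") == "17":
            if USER_WRITABLE_RE.match(image):
                reasons.append("pipe server runs from a user-writable path")
            if pipe_looks_random(pipe):
                reasons.append("random-looking pipe name")
            # Require both signals on creation so per-user installs of browsers stay quiet.
            if len(reasons) == 2:
                flagged_pipes.add(pipe.lower())
            else:
                reasons = []
        elif ev.get("EventID") == "18" and pipe.lower() in flagged_pipes:
            # A second process attaching to a flagged pipe is the client side of the channel.
            reasons.append("connection to a previously flagged pipe")
        if reasons:
            findings.append({
                "event_id": ev["EventID"],
                "pid": ev.get("ProcessId"),
                "image": image,
                "pipe": pipe,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run against real data, the input would come from Sysmon's event XML or a SIEM export rather than these hand-written lines, and the allowlist and the "user-writable" path list need tuning per estate. The point of the two-signal rule is that either signal alone is noisy: per-user Chrome installs create pipes from AppData all day, and plenty of system services use generated pipe names, but a generated name served from a Temp directory, followed by another process connecting to it, is worth a look.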

It's worth noting that the ChatGPT Desktop project on GitHub mentioned by Microsoft is not malicious. What happened is that the attackers took a copy of this app, which is open source, and modified it with hidden code so that it delivers the PipeMagic backdoor. The legitimate version remains safe, but downloading a build from unofficial or compromised sites carries the risk of infection.

“The first stage of the PipeMagic infection execution begins with a malicious in-memory dropper disguised as the open-source ChatGPT Desktop Application project. The threat actor uses a modified version of the GitHub project that includes malicious code to decrypt and launch an embedded payload in memory.”

Microsoft
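Because the trojanized copy differs from the upstream project only by the added code and the encrypted payload it carries, two cheap checks are worth running on any "open-source" desktop build obtained outside the project's own release channel: compare its SHA-256 against the digest published upstream, and scan it for large high-entropy regions of the kind an embedded encrypted blob produces. The Python below is an added example of both checks; it is not Microsoft's detection logic and not anything from the ChatGPT Desktop project. Its inputs are constructed byte strings standing in for a clean build and a tampered copy, and the "upstream digest" is simply computed from the clean sample.

```python
import hashlib
import hmac
from collections import Counter
from math import log2
from pathlib import Path

WINDOW = 4096      # bytes per entropy window
THRESHOLD = 7.4    # bits per byte; compressed or encrypted data sits close to 8.0


def shannon_entropy(buf):
    """Bits of entropy per byte of buf (0.0 for a constant buffer, 8.0 for ideal random)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * log2(c / n) for c in Counter(buf).values())


def high_entropy_windows(data, window=WINDOW, threshold=THRESHOLD):
    """(offset, entropy) for every fixed-size window whose entropy reaches the threshold."""
    hits = []
    for off in range(0, len(data), window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def triage_bytes(data, expected_sha256):
    """Check data against a pinned digest and report regions that look like embedded ciphertext."""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "sha256": digest,
        # Constant-time compare; the digest must come from a trusted source (release page, signed manifest).
        "matches_upstream": hmac.compare_digest(digest, expected_sha256.lower()),
        "high_entropy_windows": high_entropy_windows(data),
    }


def triage_file(path, expected_sha256):
    """Same check for a file on disk."""
    return triage_bytes(Path(path).read_bytes(), expected_sha256)


def _pseudo_random(n, seed=b"constructed-sample"):
    """Deterministic stand-in for an encrypted payload (a SHA-256 hash chain, not a real cipher)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def constructed_samples():
    """Constructed inputs, not real binaries: a 'clean' build and a copy with a 4 KiB blob spliced in."""
    clean = b"MZ" + b"A" * (2 * WINDOW - 2)
    trojanized = clean[:WINDOW] + _pseudo_random(WINDOW)
    return clean, trojanized


def demo():
    """Run both checks on the constructed samples, pinning the clean sample's digest as 'upstream'."""
    clean, trojanized = constructed_samples()
    pinned = hashlib.sha256(clean).hexdigest()
    return triage_bytes(clean, pinned), triage_bytes(trojanized, pinned)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The digest check is the one that actually settles the question, and only when the expected value comes from the project's own release page or a signed manifest rather than from the same site that served the download. The entropy scan is a triage signal, not proof: legitimately packed or compressed resources are also high-entropy, so a hit means "look at this region in a disassembler", not "malicious".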

PipeMagic Attributed to Storm-2460

Microsoft attributes PipeMagic to a financially motivated group it tracks as Storm-2460. In recent campaigns, the group used it alongside CVE-2025-29824, a privilege escalation vulnerability, to move from initial access to ransomware deployment.

The attacks have not been limited to one industry or geography: the victims identified so far include financial and real estate organizations in the United States, Europe, South America, and the Middle East.

Researchers analyzing PipeMagic found that it manages payloads through a set of linked lists that act as internal queues. Some lists hold modules waiting to be executed, others manage network communication, while one list remains unexplained but appears to be used dynamically by loaded payloads. This structure allows Storm-2460 to update or replace components on the fly, giving them flexibility without having to redeploy the entire backdoor.

According to Microsoft's lengthy technical blog post, the communication layer of PipeMagic is equally sophisticated. Instead of connecting directly to its command server, the backdoor loads a dedicated networking module that establishes a WebSocket-style connection with its operators.

This design keeps network traffic isolated from the rest of the backdoor, limiting detection opportunities. Once a secure channel is active, PipeMagic sends detailed system information, including bot ID, domain details, process integrity level, and user context, before receiving instructions on which modules to run or which files to exfiltrate.

Storm-2460 can also insert new modules, update existing ones, gather hashes, enumerate processes, and even rename the backdoor executable for self-deletion. In response, Microsoft has released detections across Microsoft Defender products and is urging organizations to review their security posture.

PipeMagic shows just how far backdoors have evolved. By pairing a zero-day exploit with a modular backdoor, Storm-2460 built a tool that evades conventional detection. The full Microsoft analysis goes deep into its internal structures and also offers mitigation guidance.


