Cybersecurity experts from the BRAMA project warn about a dangerous malware called PipeMagic, which is being distributed through fake repositories on GitHub disguised as a ChatGPT desktop app, reports G.business citing Microsoft Threat Intelligence. The malicious program operates as a modular backdoor and infostealer, allowing attackers to steal system data, escalate privileges, execute arbitrary commands, and load additional malware modules.
PipeMagic is designed with a complex architecture. Its components are delivered via command-and-control (C2) servers, often hosted on Microsoft Azure. The malware transmits data through encrypted channels and stores modules in memory as doubly linked lists. This approach makes detection difficult and enables on-the-fly updates of modules used for communication, payload processing, and execution of malicious tasks.
Microsoft confirmed that the hacking group Storm-2460 exploits the critical Windows CLFS vulnerability — CVE-2025-29824 — to elevate privileges to SYSTEM level. With this capability, attackers can run malicious processes. Tools like ProcDump, disguised as dllhost.exe, are used to dump LSASS memory and steal credentials.
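The credential-theft step described above leaves a recognisable trace: a binary calling itself dllhost.exe that does not live in the Windows system directory, whose version metadata belongs to another tool, and which opens lsass.exe with memory-read access. The following added example (it is not code from the article, Microsoft, BI.ZONE or Kaspersky) runs those three checks over constructed Sysmon-style process-create and process-access events; the event field names, the sample paths and the "procdump" original-file-name value are assumptions chosen to illustrate the heuristic, not indicators from the report.

```python
"""Heuristic detection of a masqueraded ProcDump dumping LSASS.

Added example, not from the article or any vendor. Event dictionaries mimic
Sysmon Event ID 1 (process create) and Event ID 10 (process access); field
names and sample values are constructed for this demonstration.
"""
import ntpath

# Directories from which the real dllhost.exe (COM Surrogate) is launched.
LEGIT_DLLHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Access right a process needs to read another process's memory (Win32 constant).
PROCESS_VM_READ = 0x0010

# Constructed sample events: one legitimate dllhost.exe launch, one renamed
# ProcDump launched from a user-writable path, one LSASS open by that binary
# with full access, and one benign query-only open by svchost.exe.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\dllhost.exe",
     "original_file_name": "dllhost.exe"},
    {"id": 1, "image": r"C:\Users\Public\dllhost.exe",
     "original_file_name": "procdump"},          # assumed version-info value
    {"id": 10, "source_image": r"C:\Users\Public\dllhost.exe",
     "target_image": r"C:\Windows\System32\lsass.exe",
     "granted_access": "0x1FFFFF"},
    {"id": 10, "source_image": r"C:\Windows\System32\svchost.exe",
     "target_image": r"C:\Windows\System32\lsass.exe",
     "granted_access": "0x1000"},                 # PROCESS_QUERY_LIMITED_INFORMATION
]


def check_process_create(ev):
    """Return reasons a process-create event looks like a masqueraded dllhost.exe."""
    image = ev["image"]
    if ntpath.basename(image).lower() != "dllhost.exe":
        return []
    reasons = []
    if ntpath.dirname(image).lower() not in LEGIT_DLLHOST_DIRS:
        reasons.append(f"dllhost.exe launched from non-system directory: {image}")
    # The on-disk name can be changed freely; the OriginalFileName in the PE
    # version resource usually is not, so a mismatch points at a renamed tool.
    ofn = ev.get("original_file_name", "").lower()
    if ofn and ofn.split(".")[0] != "dllhost":
        reasons.append(f"on-disk name is dllhost.exe but version info says {ofn!r}")
    return reasons


def check_process_access(ev):
    """Return reasons a process-access event looks like an LSASS memory read."""
    if ntpath.basename(ev["target_image"]).lower() != "lsass.exe":
        return []
    access = int(ev["granted_access"], 16)
    if access & PROCESS_VM_READ:
        # In production, exclude known security products that legitimately
        # read LSASS, otherwise this rule is noisy.
        return [f"{ev['source_image']} opened lsass.exe with "
                f"PROCESS_VM_READ (granted 0x{access:X})"]
    return []


def scan(events):
    """Apply both checks and return (event_index, reason) pairs."""
    findings = []
    for idx, ev in enumerate(events):
        if ev["id"] == 1:
            reasons = check_process_create(ev)
        elif ev["id"] == 10:
            reasons = check_process_access(ev)
        else:
            reasons = []
        findings.extend((idx, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Run as a script it flags the second and third sample events and stays silent on the legitimate dllhost.exe and the query-only LSASS open. The same three checks map directly onto Sysmon or Microsoft Defender for Endpoint process telemetry, with the allowlist noted in the comment added before deployment.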
The Group Behind the Campaign
Storm-2460, previously associated with ransomware attacks, is now deploying PipeMagic in targeted operations. The group focuses on persistence within victim environments by using advanced backdoors. Recent incidents have been reported in Saudi Arabia, Brazil, and several European countries, highlighting the global scope of its campaigns.
Researchers at BI.ZONE and Kaspersky confirm that PipeMagic is rapidly evolving. In 2025, new modules appeared that enhance its ability to move laterally within networks and increase its resilience against detection. Its modular structure and use of legitimate cloud infrastructure make PipeMagic particularly difficult to identify and remove.
Microsoft urges users and organizations to apply all available patches, especially for CVE-2025-29824. Recommended protective measures include enabling tamper and network protection in Microsoft Defender for Endpoint, running EDR in block mode, and downloading applications only from official and verified sources.