Backdoor PipeMagic Resurfaces, Exploiting New Vulnerabilities

Experts from Kaspersky and BI.ZONE are warning about renewed activity linked to the PipeMagic backdoor. Kaspersky highlights the malware’s evolution and the shifting tactics of its operators, while BI.ZONE has published a technical analysis of the latest flaw exploited in attacks—CVE-2025-29824.

A Persistent Threat Since 2022

PipeMagic was first identified by Kaspersky in 2022, when it was used in attacks against companies in Asia. From the start, the malware demonstrated a wide range of capabilities:

  • Stealing confidential data.
  • Providing full remote access to infected devices.
  • Operating as a proxy server.
  • Deploying additional payloads to support lateral movement.

In 2023, PipeMagic appeared in attacks attributed to the Nokoyawa ransomware group, where it was paired with a Windows zero-day privilege escalation vulnerability in the Common Log File System driver (CVE-2023-28252).

By late 2024, the malware had shifted focus to Saudi organizations. Now, researchers report that its operators are not only maintaining interest in Saudi targets but also expanding operations to manufacturing companies in Brazil.

Exploiting CVE-2025-29824

The latest wave of attacks centers on CVE-2025-29824, a vulnerability in the Windows Common Log File System driver (clfs.sys). Microsoft patched the flaw in April 2025, but exploitation attempts have surged since.

The vulnerability lets attackers escalate privileges to local administrator level; from that position they can steal user credentials and encrypt files on compromised systems. In at least one incident this year, threat actors also abused a Microsoft Help index file—a format that can be manipulated to both decrypt data and execute shellcode.
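As a defender-side check added here (not code from the Kaspersky or BI.ZONE reports), the following PowerShell reports the installed version of the clfs.sys driver and lists the updates applied since Microsoft's April 2025 patch date, so a host that still carries a pre-patch driver can be triaged. The minimum patched file version is a placeholder: the article does not state it, so it must be taken from the Microsoft advisory for CVE-2025-29824 before the comparison means anything.

```powershell
# Added example: inventory check for the clfs.sys driver and post-April-2025 updates.
# ASSUMPTION: $PatchedMinimum is a PLACEHOLDER; the real fixed file version comes from
# the Microsoft advisory for CVE-2025-29824 (the article does not state it).
$PatchedMinimum   = [version]'0.0.0.0'      # PLACEHOLDER - replace before use
$PatchReleaseDate = Get-Date '2025-04-01'   # month the fix shipped, per the article

# The CLFS driver lives in the standard drivers directory on every supported Windows build.
$drvPath = Join-Path $env:SystemRoot 'System32\drivers\clfs.sys'
$info    = (Get-Item $drvPath).VersionInfo

# Build a comparable [version] from the numeric parts rather than parsing the
# free-text FileVersion string, which can carry build annotations.
$installed = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                            $info.FileBuildPart, $info.FilePrivatePart)

[pscustomobject]@{
    Host         = $env:COMPUTERNAME
    ClfsPath     = $drvPath
    ClfsVersion  = $installed
    BelowMinimum = ($installed -lt $PatchedMinimum)   # only meaningful once the placeholder is replaced
} | Format-List

# Updates installed on or after the patch release date, oldest first.
# A host with a pre-patch driver AND nothing in this list is the one to escalate.
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchReleaseDate } |
    Sort-Object InstalledOn |
    Select-Object HotFixID, Description, InstalledOn
```

Run it from a normal user session; neither Get-Item on the driver file nor Get-HotFix needs elevation. It answers only the patch-state question: it does not detect PipeMagic itself, and a fully patched driver says nothing about whether the backdoor was already dropped through an earlier exploit.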

Expert Insights

“The new PipeMagic campaign confirms that attackers continue to actively use and refine this malware. The 2024 version includes modifications that help attackers maintain persistence within a victim’s infrastructure and simplify lateral movement across compromised networks,” said Leonid Bezvershenko, Senior Cybersecurity Expert at Kaspersky GReAT.

“In recent years, the clfs.sys driver has become a popular target for cybercriminals, especially those motivated by financial gain. Zero-day exploits are increasingly common—not only against clfs.sys but also other system drivers. The main goal is privilege escalation and hiding traces of intrusion,” added Pavel Blinnikov, Head of the Vulnerability Research Group at BI.ZONE.
