Kaspersky’s Global Research and Analysis Team (GReAT) in collaboration with BI.ZONE Vulnerability Research experts, observed new 2025 activity associated with the PipeMagic backdoor originally discovered in December 2022. The backdoor has expanded its attack geography: initially observed in Asia, and afterwards detected in Saudi Arabia in late 2024. Recent attacks show sustained interest in Saudi organizations, alongside expansion into new regions, notably manufacturing companies in Brazil.
The researchers tracked the malware’s evolution, identified key changes in the operators’ tactics, and conducted a technical analysis of Microsoft vulnerability CVE-2025-29824. This vulnerability was the only one among the 121 patched in April 2025 that was actively exploited in the wild. It was specifically targeted by an exploit integrated into the PipeMagic infection chain. The vulnerability allowed privilege escalation in the operating system due to a flaw in the clfs.sys logging driver.
One of the 2025 campaign attacks leveraged a Microsoft Help Index File, which serves two purposes: decrypting and executing shellcode. The shellcode is encrypted using the RC4 stream cipher with a hexadecimal key. Once decrypted, the code is executed via the WinAPI EnumDisplayMonitors function, allowing dynamic resolution of system API addresses through process injection.
Researchers also identified updated versions of the PipeMagic loader masquerading as a ChatGPT client. This application resembles the one used in the 2024 attacks on Saudi organizations — sharing the same Tokio and Tauri frameworks, the same libaes library version, and demonstrating similar file structures and behavior.
“The reemergence of PipeMagic confirms that this malware remains active and continues to evolve. The 2024 versions introduced enhancements that improve persistence within victims’ infrastructures and facilitate lateral movement within targeted networks,” comments Leonid Bezvershenko, senior security researcher at Kaspersky GReAT.
“In recent years, clfs.sys has become an increasingly popular target for cybercriminals, particularly financially motivated actors. They are leveraging zero-day vulnerabilities in this and other drivers to escalate privileges and conceal post-exploitation activities. To mitigate such threats, we recommend using EDR tools, which enable bot,” notes Pavel Blinnikov, Vulnerability Research Lead, BI.ZONE.
PipeMagic is a backdoor first discovered by Kaspersky in 2022 during an investigation into a malicious campaign involving RansomExx. Victims at the time included industrial companies in Southeast Asia. The attackers exploited the CVE-2017-0144 vulnerability to gain access to internal infrastructure. The backdoor supports two operational modes — functioning either as a full-featured remote access tool or as a network proxy, enabling execution of a wide range of commands. In October 2024, a new iteration of PipeMagic was observed in attacks against organizations in Saudi Arabia, using a fake ChatGPT agent application as a lure.
Read the full report on Securelist.com.
About BI.ZONE
BI.ZONE is an expert in digital risks management that helps organizations develop their businesses safely in cyberspace. We design innovative solutions that ensure the resilience of IT infrastructures of all sizes. Our business portfolio also includes a wide range of cybersecurity services: from incident investigation and threat monitoring to secure strategy building and outsourcing of specialized functions. Since 2016, BI.ZONE has implemented more than 1,200 projects in finance, telecommunications, energy, aviation, and many other industries, delivering effective protection to over 500 clients in 15 countries. Website: www.bi.zone/eng/
About the Global Research & Analysis Team
Established in 2008, Global Research & Analysis Team (GReAT) operates at the very heart of Kaspersky, uncovering APTs, cyber-espionage campaigns, major malware, ransomware and underground cyber-criminal trends across the world. Today GReAT consists of 35+ experts working globally – in Europe, Russia, Latin America, Asia and the Middle East. Talented security professionals provide company leadership in anti-malware research and innovation, bringing unrivaled expertise, passion and curiosity to the discovery and analysis of cyberthreats.
