
Inside the Exploit Chain: How Cybercriminals Weaponize Windows CLFS to Deploy PipeMagic Ransomware


Executive Summary

A critical security flaw in Microsoft Windows, tracked as CVE-2025-29824, has recently been weaponized in targeted ransomware campaigns, leveraging a sophisticated privilege escalation vulnerability in the Windows Common Log File System (CLFS). This zero-day vulnerability has allowed threat actors—most notably the Storm-2460 group—to deploy the notorious PipeMagic backdoor as the initial foothold in their RansomExx ransomware operations.

Despite Microsoft releasing patches in April 2025, attacks exploiting this flaw persist, affecting multiple sectors globally, including IT, finance, real estate, and retail. Understanding the attack chain, exploitation techniques, and mitigation strategies of CVE-2025-29824 is vital for organizations to defend against this evolving threat.


Background on CVE-2025-29824 and PipeMagic Ransomware

CVE-2025-29824 is a use-after-free vulnerability residing within the Windows CLFS driver. This flaw enables an authenticated, local attacker to elevate privileges to the SYSTEM level, gaining complete control over the compromised machine. What makes this vulnerability so dangerous is its use in complex, multi-stage attacks where adversaries gain initial access through other malware and then exploit this bug to escalate privileges and deploy ransomware payloads. The malware family central to these attacks is PipeMagic, a modular backdoor first documented in December 2022, associated with the RansomExx ransomware group. PipeMagic not only establishes persistence on infected systems but also enables remote command execution, data exfiltration, and eventually, ransomware deployment.


Vulnerability Details

Parameter             Details
CVE-ID                CVE-2025-29824
CVSS Score            7.8 (High severity)
EPSS Score            2.69% (Moderate probability of exploitation)
Vulnerability Type    Use-After-Free
Affected Software     Windows Common Log File System (CLFS) driver
CWE                   CWE-416 (Use After Free)
Patched in            April 8, 2025 Microsoft Security Updates

Infection Method and Attack Chain

Attackers using CVE-2025-29824 typically execute a multi-step process:

  1. Initial Access: Often gained through commodity malware or spear-phishing campaigns delivering malicious files. In some cases, attackers have abused legitimate Windows utilities such as certutil to stealthily download malicious files from compromised but trusted third-party websites.
  2. Payload Delivery: The downloaded files frequently take the form of encrypted MSBuild project files, which are decrypted in-memory using advanced techniques like the EnumCalendarInfoA API callback to evade security detection.
  3. Privilege Escalation: PipeMagic triggers exploitation of the CLFS vulnerability via dllhost.exe, leaking kernel structures and modifying kernel memory to escalate privileges from a limited user to SYSTEM.
  4. Credential Theft & Environment Preparation: Using tools like procdump.exe, adversaries dump credentials from the LSASS process, facilitating lateral movement. They also sabotage system recovery by deleting backups (wbadmin), altering boot configuration (BCD), and clearing event logs to erase traces.
  5. Ransomware Deployment: Finally, the ransomware payload encrypts files with random extensions and leaves ransom notes to extort victims.

Malware Behavior and Capabilities

The backdoors and info-stealers used in these campaigns possess:

  • Pipe Communication: Utilizes dynamically generated named pipes (formatted as \\.\pipe\1.<hex string>) for encrypted payload transmission between components.
  • Persistence: Runs threads that constantly create, read from, and destroy communication pipes to maintain stealthy command-and-control.
  • Access & Control: Full SYSTEM privileges on the host enable manipulation of critical OS components, credential harvesting, and network reconnaissance.
  • Evading Detection: In-memory decryption and kernel-level exploits help bypass antivirus and endpoint detection and response (EDR) solutions.

Attack Techniques (MITRE ATT&CK Mapping)

  • T1566.001: Initial delivery through malicious MSI or .msc attachments matches Spearphishing Attachment.
  • T1105: Payloads and provisioning packages transferred post-exploitation correspond to Ingress Tool Transfer.
  • T1059.001: Script execution via PowerShell and WMI aligns with PowerShell Scripting.
  • T1053: Scheduled tasks for persistence map to Scheduled Task/Job.
  • T1020: Automated exfiltration to remote C2 servers matches Automated Exfiltration.
  • T1027: Obfuscation with packed or provisioned files corresponds to Obfuscated Files or Information.

Visual: CVE-2025-29824 Attack Flow

[Initial Access via Phishing or Malware Dropper]
-> [Downloader Executed (e.g., certutil or MSBuild)]
-> [In-Memory Decryption via EnumCalendarInfoA Callback]
-> [Privilege Escalation Exploit of CLFS (dllhost.exe)]
-> [PipeMagic Backdoor Deployed]
-> [Persistence via Named Pipes and Scheduled Tasks]
-> [Remote Command & Control over Encrypted Pipes]
-> [Credential Theft & Lateral Movement]
-> [RansomExx Ransomware Deployment]

Indicators of Compromise (IOCs)

  • File Hashes:
    • SilentPrism: 4F670B4120AE913F9301...
    • DarkWisp: D18AF0D6C25EFE2A8C79...
    • Rhadamanthys stealer (ram.ps1 dropper): A92E1F4D09F5371B6E22...
    • Stealc Stealer variant: B7C351D9A8CCAAE09A4...
  • Malicious Filenames & Paths:
    • Unusual .msc Files placed in the admin or system directories
    • MSI installers masquerading as legitimate software
      • Fake DingTalk.msi
      • Fake VooVMeeting.msi
    • Hidden “en-US” subfolder payloads abused via MUIPath manipulation
  • Network Indicators:
    • C2 Domains:
      • errorreporting.net
      • internalsecurity.us
    • C2 IPs:
      • 45.136.198.18

Threat Actor Attribution

Current intelligence attributes recent exploitation of CVE-2025-29824 to the Russian-aligned APT group Storm-2460, known for deploying the PipeMagic backdoor in RansomExx campaigns. While Storm-2460 leads these operations, other financially motivated ransomware groups have been observed adopting similar CLFS-based privilege escalation techniques. These actors leverage zero-day exploits to achieve stealthy SYSTEM privileges, maintain persistence, and exfiltrate sensitive data before deploying ransomware, targeting sectors such as IT, finance, real estate, and retail across North America, Europe, and the Middle East.

Mitigation Steps

  • Patch Software: Apply Microsoft’s April 2025 security updates for the Windows Common Log File System (CLFS) driver on all affected systems immediately.
  • Restrict File Execution: Enforce application whitelisting and digital signature validation to block unauthorized use of MSBuild, certutil, and CLFS-related helper processes. Validate all downloaded MSI and script files before execution.
  • Threat Hunting:
    • Monitor for the creation or modification of CLFS-related processes (e.g., dllhost.exe loading unsigned modules) and anomalous spawning of MSBuild or PowerShell from non-standard locations.
    • Track in-memory decryption API calls (such as EnumCalendarInfoA) and named-pipe communication patterns unique to PipeMagic (e.g., \\.\pipe\1.<hex>).
  • IOC Monitoring: Ingest PipeMagic IOCs—SHA256 hashes of SilentPrism and DarkWisp loaders, exploit domains, and named-pipe identifiers—into SIEM, EDR, and threat intelligence feeds (e.g., CrowdStrike, Microsoft Defender ATP) for automated detection.
  • User Awareness: Train staff on recognizing phishing lures carrying encrypted MSBuild project files and malicious certutil commands. Emphasize caution when bypassing security prompts and encourage immediate reporting of unexpected script execution or pop-ups.
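The three Threat Hunting heuristics above (PipeMagic-style pipe names, dllhost.exe loading unsigned modules, MSBuild or PowerShell launched from non-standard paths) can be expressed as a small rule set over endpoint telemetry. The following is an added example, not code from the original post or from any vendor product; the events are constructed Sysmon-style records (EventID 17 PipeCreated, 7 ImageLoad, 1 ProcessCreate) and the "standard" launch directories are an assumption you should tune to your environment.

```python
import re

# Constructed Sysmon-style events for demonstration only (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": r"C:\Windows\System32\dllhost.exe",
     "PipeName": r"\\.\pipe\1.3f9a2c7b1d4e"},
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe",
     "PipeName": r"\\.\pipe\lsass"},
    {"EventID": 7, "Image": r"C:\Windows\System32\dllhost.exe",
     "ImageLoaded": r"C:\Users\Public\stage2.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\dllhost.exe",
     "ImageLoaded": r"C:\Windows\System32\clfsw32.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Users\Public\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\Public\proj.xml"},
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe build.proj"},
]

# \\.\pipe\1.<hex> as described in the post. Sysmon usually records only the
# part after \\.\pipe, so the prefix is optional; 8+ hex digits is an assumption.
PIPEMAGIC_PIPE = re.compile(r"^(?:\\\\\.\\pipe)?\\1\.[0-9a-fA-F]{8,}$")

# Assumed directories from which MSBuild.exe / powershell.exe normally run.
STANDARD_DIRS = (
    "c:\\windows\\microsoft.net\\", "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\", "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def hunt(events):
    """Return (rule_name, event) pairs for every event matching a heuristic."""
    hits = []
    for ev in events:
        image = ev.get("Image", "").lower()
        if ev.get("EventID") == 17 and PIPEMAGIC_PIPE.match(ev.get("PipeName", "")):
            hits.append(("pipemagic_pipe_name", ev))
        elif (ev.get("EventID") == 7 and image.endswith("\\dllhost.exe")
              and ev.get("Signed", "").lower() == "false"):
            hits.append(("dllhost_unsigned_module", ev))
        elif (ev.get("EventID") == 1
              and image.endswith(("\\msbuild.exe", "\\powershell.exe"))
              and not image.startswith(STANDARD_DIRS)):
            hits.append(("lolbin_nonstandard_path", ev))
    return hits


if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(rule, ev.get("Image"), ev.get("PipeName") or ev.get("ImageLoaded"))
```

Each rule on its own is noisy in some environments; the value is in correlating several hits on the same host within a short window, as the attack chain in this post would produce.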

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.