Experts from Kaspersky Lab and BI.ZONE have warned about the activity of the PipeMagic backdoor. Kaspersky Lab notes the malware’s evolution and key changes in the operators’ tactics, while BI.ZONE conducted a technical analysis of the CVE-2025-29824 vulnerability that the attackers used in their campaigns.
PipeMagic was first discovered by Kaspersky experts back in 2022 and was then used against Asian companies. The malware can collect sensitive data, provide attackers with full remote access to infected devices, act as a proxy server, and deploy additional payloads for lateral movement within victims’ networks.
In 2023, researchers reported that PipeMagic was observed being used in Nokoyawa ransomware attacks, when the attackers exploited a Windows zero-day vulnerability related to privilege escalation in the Common Log File System driver (CVE-2023-28252).
At the end of 2024, PipeMagic attacked organizations in Saudi Arabia, and researchers have now observed new activity from the malware.
Researchers note that the attackers continue to show interest in Saudi organizations, but have also expanded their attacks to new regions, particularly targeting manufacturing companies in Brazil.
Microsoft patched the previously mentioned CVE-2025-29824 in April 2025; it was this vulnerability that the attackers were actively exploiting in their campaigns.
CVE-2025-29824, associated with a flaw in the clfs.sys logging driver, was used to elevate privileges in Windows to the level of a local administrator and subsequently steal user credentials and encrypt files on the compromised system.
Researchers also note that in one of the 2025 attacks, the attackers used a Microsoft Help index file that served both to decrypt and to execute shellcode.
“The new campaign leveraging PipeMagic confirms that attackers continue to actively use and refine this malware. The 2024 version includes changes that allow attackers to establish persistence in the victim’s infrastructure and also simplify lateral movement across compromised networks,” comments Leonid Bezvershenko, Senior Cybersecurity Expert at Kaspersky GReAT.
“Over the past few years, the clfs.sys driver has become a popular target for cybercriminals, especially those seeking financial gain. Zero-day exploits are increasingly in use—not only for clfs.sys but also for other drivers. The main goal is to escalate privileges and hide traces of the intrusion,” adds Pavel Blinnikov, Head of the Vulnerability Research Group at BI.ZONE.