In the world of cybersecurity, attacks evolve as fast as defenses. A clear example is PipeMagic, a Trojan that remains active and has proven to be a key tool in ransomware campaigns like RansomExx. This malware leverages zero-day vulnerabilities in Windows—critical bugs that had not even been discovered yet—to infiltrate corporate systems and unleash devastating attacks.
How the Attack Works
PipeMagic relies on Windows privilege escalation flaws, such as CVE-2025-29824 and CVE-2025-24983, which Microsoft has already patched but which attackers exploited before fixes were available. These vulnerabilities affect internal components like the Common Log File System (CLFS) and the Win32 kernel subsystem, granting attackers advanced system access.
Once inside, the malware disguises itself as seemingly legitimate files, such as a fake ChatGPT client or even an update that mimics Google Chrome. From there, it opens a backdoor in the system, capable of executing remote commands, injecting additional malware, and moving laterally across the network to compromise more machines.
You might also be interested in: What Is Ransomware? How to Prevent
Advanced Persistence Techniques
PipeMagic is not just another piece of malware:
- It creates encrypted communication channels using randomly named pipes.
- It loads additional modules from Azure cloud servers.
- It injects malicious code into legitimate processes like dllhost.exe to extract sensitive data from memory (e.g., Windows credentials).
These features allow it not only to survive inside compromised infrastructure but also to enhance its attack capabilities with each new version.
Who Has Been Targeted
Recent campaigns have affected organizations across diverse industries:
- IT and real estate in the United States
- Financial institutions in Venezuela
- Retail in Saudi Arabia
- Software companies in Spain
In every case, attackers deployed RansomExx, a ransomware known for encrypting large volumes of critical data and demanding multimillion-dollar ransoms.
Learn more: How to detect Medusa Ransomware with Wazuh?
Why This Should Concern You
The most worrying fact about PipeMagic is that it remains active in 2025, with improvements over previous versions. Researchers have found its operators refining techniques to spread deeper within networks and maintain long-term access.
This means that even if a system appears “clean,” the malware could still be hiding, ready to strike again.
How to Protect Your Business
At TecnetOne, we believe the best defense against threats like PipeMagic is a mix of prevention, proactive monitoring, and rapid response. Here are some key recommendations:
- Always keep Windows and applications updated.
- Verify software sources—avoid fake clients of popular apps.
- Monitor suspicious behaviors, such as hidden process creation or unusual memory use.
- Implement advanced security solutions that detect zero-day exploits and lateral movement in your network.
- Train your team to identify suspicious emails, files, and applications.
PipeMagic is a reminder that attackers don’t need to reinvent the wheel: they only need to exploit a flaw and stay one step ahead. At TecnetOne, we help you strengthen your infrastructure so that when new threats emerge, your business doesn’t end up exposed.