The magical comeback: Kaspersky and BI.ZONE report new PipeMagic activity in the GCC and Latin America

Kaspersky’s Global Research and Analysis Team (GReAT) in collaboration with BI.ZONE Vulnerability Research experts, observed new 2025 activity associated with the PipeMagic backdoor originally discovered in December 2022. The backdoor has expanded its attack geography: initially observed in Asia, and afterwards detected in Saudi Arabia in late 2024. Recent attacks show sustained interest in Saudi organizations, alongside expansion into new regions, notably manufacturing companies in Brazil.

The researchers tracked the malware’s evolution, identified key changes in the operators’ tactics, and conducted a technical analysis of Microsoft vulnerability CVE-2025-29824. This vulnerability was the only one among the 121 patched in April 2025 that was actively exploited in the wild. It was specifically targeted by an exploit integrated into the PipeMagic infection chain. The vulnerability allowed privilege escalation in the operating system due to a flaw in the clfs.sys logging driver.

One of the 2025 campaign attacks leveraged a Microsoft Help Index File, which serves two purposes: decrypting and executing shellcode. The shellcode is encrypted using the RC4 stream cipher with a hexadecimal key. Once decrypted, the code is executed via the WinAPI EnumDisplayMonitors function, allowing dynamic resolution of system API addresses through process injection.

Researchers also identified updated versions of the PipeMagic loader masquerading as a ChatGPT client. This application resembles the one used in the 2024 attacks on Saudi organizations — sharing the same Tokio and Tauri frameworks, the same libaes library version, and demonstrating similar file structures and behavior.

“The reemergence of PipeMagic confirms that this malware remains active and continues to evolve. The 2024 versions introduced enhancements that improve persistence within victims’ infrastructures and facilitate lateral movement within targeted networks,” comments Leonid Bezvershenko, senior security researcher at Kaspersky GReAT.

“In recent years, clfs.sys has become an increasingly popular target for cybercriminals, particularly financially motivated actors. They are leveraging zero-day vulnerabilities in this and other drivers to escalate privileges and conceal post-exploitation activities. To mitigate such threats, we recommend using EDR tools, which enable both early and post-exploitation detection of suspicious behavior,” notes Pavel Blinnikov, Vulnerability Research Lead, BI.ZONE.

PipeMagic is a backdoor first discovered by Kaspersky in 2022 during an investigation into a malicious campaign involving RansomExx. Victims at the time included industrial companies in Southeast Asia. The attackers exploited the CVE-2017-0144 vulnerability to gain access to internal infrastructure.

The backdoor supports two operational modes — functioning either as a full-featured remote access tool or as a network proxy, enabling execution of a wide range of commands. In October 2024, a new iteration of PipeMagic was observed in attacks against organizations in Saudi Arabia, using a fake ChatGPT agent application as a lure.