Hackers are disguising a strain of malware as a ChatGPT desktop application in preparation for ransomware attacks, according to Microsoft.
The company on Monday published a lengthy analysis of PipeMagic, a backdoor used by a threat actor it calls Storm-2460.
The group has allegedly used the malware as part of its exploitation of a zero-day vulnerability previously disclosed in April. After exploiting the bug, the group deploys ransomware. Microsoft said it has seen Storm-2460 target “multiple sectors and geographies, including the information technology (IT), financial, and real estate sectors in the United States, Europe, South America, and the Middle East.”
“While the impacted organizations remain limited, the use of a zero-day exploit, paired with a sophisticated modular backdoor for ransomware deployment, makes this threat particularly notable,” Microsoft researchers said.
The research backs up reports from the cybersecurity firm Kaspersky, which said in October that it observed cybercriminals using a fake ChatGPT application as bait to deploy the backdoor against entities in Asia and in Saudi Arabia. Kaspersky previously said the malware allows threat actors to steal sensitive information and provides remote access to compromised devices.
Kaspersky first observed PipeMagic being used in 2022 during attacks on entities in Asia, and then saw a resurgence in the use of the tool in September 2024. When the malicious ChatGPT application is opened, victims see only a blank screen with no visible interface.
Researchers at ESET discovered the corresponding zero-day, tracked as CVE-2025-29824, in March. The bug affects the Windows Common Log File System Driver (CLFS), which is a frequent target of ransomware gangs.
The logging framework was first introduced by Microsoft in Windows Server 2003 R2 and included in later Windows operating systems. It effectively allows users to record a sequence of steps required for some actions so that they can be either reproduced exactly or undone.
In the advisory on Monday, Microsoft said PipeMagic is a sophisticated malware tool designed to give hackers flexibility and persistence in a victim’s system.
The malware’s design makes it difficult to detect, and Microsoft’s Threat Intelligence team said it encountered PipeMagic while researching the exploitation of the zero-day.
The hackers use a modified version of GitHub’s open-source ChatGPT project that includes malicious code to decrypt and launch an embedded payload.
“Once PipeMagic is running, the threat actor performs the CLFS exploit to escalate privileges before launching their ransomware,” Microsoft said.
They did not say which ransomware strain was deployed in the attacks. Kaspersky said in a new blog post on Monday that it observed PipeMagic used alongside a RansomExx ransomware campaign.
The cybersecurity firm Symantec said in May that actors tied to the Play ransomware group had also been seen using CVE-2025-29824 in attacks.