Security researchers have uncovered a sophisticated attack campaign where threat actors are exploiting Microsoft Help Index Files (.mshi) as a novel delivery mechanism for the PipeMagic backdoor, culminating in the exploitation of CVE-2025-29824, a critical Windows vulnerability patched by Microsoft in April 2025.
The campaign represents a significant evolution in the tactics employed by the Storm-2460 threat group, demonstrating their continued adaptation and persistence in targeting organizations worldwide.
Advanced Loading Mechanism Through Help Index Files
The attackers have developed an innovative approach using Microsoft Help Index Files as initial loaders, marking a departure from their previous methods.
In the 2025 campaign, researchers identified a specific sample with MD5 hash 5df8ee118c7253c3e27b1e427b56212c named “metafile.mshi” that contains obfuscated C# code and an extensive hexadecimal string.
The malicious payload is executed through Microsoft’s MSBuild utility using the command line: c:\windows\system32\cmd.exe "/k c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe c:\windows\help\metafile.mshi".
The embedded C# code serves two purposes: it decrypts the shellcode, which has been encrypted with the RC4 stream cipher using the key “4829468622e6b82ff056e3c945dd99c94a1f0264d980774828aadda326b775e5”, and then executes it.
After successful decryption, the resulting shellcode is executed via the WinAPI function EnumDeviceMonitor, with the pointer to the decrypted shellcode passed as the third parameter while the first two parameters are set to zero.
CVE-2025-29824 Exploitation and Ransomware Deployment
The PipeMagic malware subsequently exploits CVE-2025-29824, a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS) that was actively exploited against organizations across multiple sectors, including IT, real estate, financial services, and retail.
Microsoft’s analysis revealed that the exploit targets a vulnerability in the CLFS kernel driver and creates a distinctive CLFS BLF file at the path “C:\ProgramData\SkyPDF\PDUDrv.blf” during exploitation.
Following successful privilege escalation, the threat actors inject payloads into system processes like winlogon.exe and deploy the Sysinternals procdump.exe tool to dump LSASS memory for credential extraction.
The campaign culminates in ransomware deployment, with encrypted files receiving random extensions and ransom notes named “!READ_ME_REXX2!.txt” being dropped on compromised systems.
Microsoft has attributed this activity to Storm-2460 and noted connections to the RansomEXX ransomware family through specific .onion domains found in the ransom notes.
The evolution of PipeMagic from its first detection in 2022 to these sophisticated 2025 campaigns demonstrates the persistent nature of this threat, with continued targeting of organizations in Saudi Arabia and Brazil while expanding delivery mechanisms to evade detection.
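The behaviours described above (MSBuild launched against an .mshi file under C:\Windows\Help, the SkyPDF BLF file created during exploitation, procdump targeting LSASS, and the REXX2 ransom note) map onto a small set of hunting rules. The following is an added example, not code from the article or from any vendor product: it runs those rules over constructed process- and file-event records; the event field names are an assumption, not a real telemetry schema.

```python
import re

# Constructed sample telemetry modelled on the article's description of the intrusion chain.
# Field names ("type", "image", "cmdline", "path") are an assumed schema, not a product's.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"c:\windows\system32\cmd.exe",
     "cmdline": r'c:\windows\system32\cmd.exe "/k c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe c:\windows\help\metafile.mshi"'},
    {"id": 2, "type": "process", "image": r"c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe",
     "cmdline": r"msbuild.exe c:\windows\help\metafile.mshi"},
    {"id": 3, "type": "file", "path": r"C:\ProgramData\SkyPDF\PDUDrv.blf"},
    {"id": 4, "type": "process", "image": r"c:\tools\procdump.exe",
     "cmdline": r"procdump.exe -accepteula -ma lsass.exe c:\temp\out.dmp"},
    {"id": 5, "type": "file", "path": r"C:\Users\victim\Desktop\!READ_ME_REXX2!.txt"},
    # Benign MSBuild invocation against a normal project file: must not fire.
    {"id": 6, "type": "process", "image": r"c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe",
     "cmdline": r"msbuild.exe c:\src\app\app.csproj"},
]

# (rule name, event type it applies to, pattern over the command line or file path)
RULES = [
    ("msbuild_mshi_loader", "process", re.compile(r"msbuild\.exe.*\.mshi\b", re.I)),
    ("procdump_lsass", "process", re.compile(r"procdump.*\blsass\b", re.I)),
    ("clfs_exploit_blf", "file", re.compile(r"\\ProgramData\\SkyPDF\\PDUDrv\.blf$", re.I)),
    ("rexx2_ransom_note", "file", re.compile(r"\\!READ_ME_REXX2!\.txt$", re.I)),
]

def match_indicators(events):
    """Return (event id, rule name) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        text = ev["cmdline"] if ev["type"] == "process" else ev["path"]
        for name, etype, pattern in RULES:
            if ev["type"] == etype and pattern.search(text):
                hits.append((ev["id"], name))
    return hits

def observed_stages(events):
    """Map rule hits onto the stages of the chain described in the article."""
    stages = {"msbuild_mshi_loader": "initial loader",
              "clfs_exploit_blf": "CVE-2025-29824 exploitation",
              "procdump_lsass": "credential dumping",
              "rexx2_ransom_note": "ransomware"}
    return {stages[name] for _, name in match_indicators(events)}
```

Seeing several of these stages on one host within a short window is a far stronger signal than any single rule, since MSBuild and procdump each have legitimate uses on their own.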
IoCs