
Microsoft Dissects PipeMagic Modular Backdoor

PipeMagic, which poses as a ChatGPT application, is a modular malware framework that provides persistent access and flexibility.

Microsoft has delved into the inner workings of PipeMagic, a modular backdoor used in multiple ransomware attacks since the beginning of this year.

Posing as a legitimate open source ChatGPT Desktop Application, PipeMagic is a sophisticated malware framework that provides attackers with persistent access to the compromised system.

The backdoor uses modules for its various capabilities, such as command-and-control (C&C) communication, and is able to dynamically execute payloads and provide the attackers with granular control over code execution, Microsoft explains.

“By offloading network communication and backdoor tasks to discrete modules, PipeMagic maintains a modular, stealthy, and highly extensible architecture, making detection and analysis significantly challenging,” the company notes.

Attributed to the financially motivated threat actor tracked as Storm-2460, which is associated with the RansomEXX ransomware, PipeMagic has been used in attacks exploiting a Windows zero-day tracked as CVE-2025-29824 against organizations in the US, Europe, South America, and the Middle East.

“While the impacted organizations remain limited, the use of a zero-day exploit, paired with a sophisticated modular backdoor for ransomware deployment, makes this threat particularly notable,” Microsoft says.


As part of the observed attacks, PipeMagic was deployed in memory. Once up and running, the malware received its modules through a named pipe, and stored them in memory using doubly linked lists.

The malware was observed using four doubly linked list structures: three store raw payload modules, modules already loaded in memory, and networking modules, respectively, and a fourth is believed to be used dynamically by the loaded payloads.

After the networking module establishes C&C communication, the backdoor collects extensive system information and sends it to the server, and then waits for commands to execute.

Based on the received C&C response, the backdoor can execute core functionality, execute a specific module, send a message to the C&C, shut down the networking module and C&C communication, or invoke all modules with specific arguments.

The backdoor functionality supported by PipeMagic allows it to interact with modules, delete modules and itself, enumerate running processes, and re-collect system information.

“As malware continues to evolve and become more sophisticated, we believe that understanding threats such as PipeMagic is essential for building resilient defenses for any organization. By exposing the inner workings of this malware, we also aim to disrupt adversary tooling and increase the operational cost for the threat actor, making it more difficult and expensive for them to sustain their campaigns,” Microsoft notes.

Related: Second Ransomware Group Caught Exploiting Windows Flaw as Zero-Day

Related: Ransomware Groups, Chinese APTs Exploit Recent SAP NetWeaver Flaws

Related: BadCam: New BadUSB Attack Turns Linux Webcams Into Persistent Threats

Related: New FinalDraft Malware Spotted in Espionage Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
