Microsoft has revealed that a currently patched security flaw affecting Windows Common Log File System (CLFS) has been exploited as a zero-day for ransomware attacks targeting a small number of targets.
“The goals include organizations in the Information Technology (IT) and the US real estate sector, the Venezuela financial sector, the Spanish software company, and the Saudi Arabia retail sector,” Tech Giant said.
The vulnerability in question is CVE-2025-29824. This is a CLF privilege escalation bug that can be exploited to achieve system privileges. Fixed by Redmond as part of the Tuesday update in April 2025.
Microsoft is tracking the activity and post-compromise activities of CVE-2025-29824 based on Monica’s Storm-2460, and threat actors will leverage malware named Pipemagic to provide exploits and ransomware payloads.
The exact initial access vector used in the attack is currently unknown. However, threat actors have been observed using the Certutil utility, downloading malware from legitimate third-party sites that they previously compromised to set the payload.
Malware is a malicious MSBuild file containing an encrypted payload and is unpacked to launch Pipemagic, a plugin-based trojan that has been detected in the wild since 2022.
It is worth mentioning here that CVE-2025-29824 is a flaw in the second Windows Zero-Day that will be delivered via Pipemagic after CVE-2025-24983.
Previously, plumbing agents were observed in connection with a Nokoya Warrantomware attack that exploited another CLFS zero-day defect (CVE-2023-28252).
“In some of the other attacks that we attribute to the same actor, before exploiting the major vulnerability in CLFS, we observed that the victim’s machine was infected with a custom modular backdoor named “Pipemagic” that is launched via an MSBuild script.
It is important to note that Windows 11 version 24H2 is not affected by this particular exploitation, as access to certain system information classes within ntquerysysteminformation is usually restricted to users with SedebugPrivilege that can only be obtained by users like administrators.
“Exploits target CLFS kernel driver vulnerabilities,” explained the Microsoft Threat Intelligence team. “Exploits utilize memory corruption and the RTLSetAllbits API to overwrite the exploit process token with the value 0xffffffffff, allowing all privileges of the process and allowing process injection into system processes.”
The successful exploitation is followed by threat actors who extract user credentials by dumping LSASS memory and encrypting files on the system with random extensions.
Microsoft said it could not retrieve ransomware samples for analysis, but said that after encryption, the ransom notes contain a TOR domain tied to the ransomexx ransomware family.
“Ransomware threat actors value post-compromise promotions in privileged exploits, which can allow them to escalate initial access, including handoffs from commodity malware distributors to privileged access,” Microsoft said. “They will then use privileged access to the widespread deployment and explosion of ransomware within their environment.”
Source link
