
Threat actors linked to the Play ransomware family exploited a recently patched Microsoft Windows security flaw as a zero-day in an attack targeting unnamed US organizations.
According to the Symantec Threat Hunter Team, part of Broadcom, the attack leveraged CVE-2025-29824, a privilege escalation flaw in the Common Log File System (CLFS) driver that Microsoft patched last month.
Also known as Balloonfly and PlayCrypt, Play is known for its double extortion tactics, which involve exfiltrating sensitive data before encrypting it and demanding a ransom. It has been active since at least mid-2022.
In the activity observed by Symantec, the threat actors are believed to have used a public-facing Cisco Adaptive Security Appliance (ASA) as the entry point and then moved, by an as-yet undetermined method, to another Windows machine on the target network.
The attack is notable for its use of Grixba, a custom information stealer previously attributed to Play, and an exploit for CVE-2025-29824, both of which were dropped into the Music folder.
The threat actors were also observed running commands to collect information about all available machines in the victim's Active Directory and saving the results to a CSV file.
“While the exploit is running, two files are created under the path C:\ProgramData\skypdf,” explained Symantec. “The first file, pddrv.blf, is a Common Log File System (CLFS) base log file, an artifact created during exploitation.”
“The second file, clssrv.inf, is a DLL that is injected into the winlogon.exe process. This DLL has the ability to drop two additional batch files.”
One batch file, “servtask.bat”, is used to escalate privileges, dump the SAM, SYSTEM, and SECURITY registry hives, create a new user named “localsvc”, and add that user to the Administrators group. The other batch file, “cmdpostfix.bat”, is used to clean up traces of the exploitation.
Symantec said no ransomware payload was deployed in the intrusion. The findings suggest that an exploit for CVE-2025-29824 may have been available to multiple threat actors before Microsoft fixed the flaw.
It is worth noting that the exploitation detailed by the cybersecurity company does not overlap with a separate activity cluster that Microsoft revealed to have weaponized the flaw in a limited set of attacks to deliver a trojan.
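The host artifacts and commands described above translate directly into detection logic. The following is an added example (not Symantec's or Microsoft's code) that evaluates a stream of simplified, Sysmon-like file and process events for the named artifacts under C:\ProgramData\skypdf, for winlogon.exe spawning a shell, and for the generic post-exploitation steps the batch file performs (registry hive dumps, local user creation, and addition to the Administrators group). The event field names, the hostnames, and the sample events are all constructed for this example.

```python
"""Detection of the CLFS exploitation artifacts described in the Symantec write-up.

Added example, not vendor code. Event records are constructed in a simplified,
Sysmon-like shape; field names (host, type, path, image, parent_image, cmdline)
are assumptions for this example.
"""
import re
from collections import defaultdict

# Host artifacts named in the write-up (compared case-insensitively).
ARTIFACT_DIR = r"c:\programdata\skypdf"
ARTIFACT_FILES = {"pddrv.blf", "clssrv.inf"}
BATCH_FILES = {"servtask.bat", "cmdpostfix.bat"}

# Generic post-exploitation commands reported to be run by servtask.bat.
HIVE_DUMP = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)
NEW_USER = re.compile(r"\bnet(?:1|\.exe)?\s+user\s+(\S+)\s+\S+\s+/add\b", re.I)
ADMIN_ADD = re.compile(r"\bnet(?:1|\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.I)


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def evaluate(events):
    """Return a sorted list of (host, finding) tuples for suspicious events."""
    findings = []
    new_users = defaultdict(set)  # host -> local users created via `net user ... /add`
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "file_create":
            path = ev["path"].lower()
            if path.startswith(ARTIFACT_DIR + "\\") and _basename(path) in ARTIFACT_FILES:
                findings.append((host, f"CLFS exploitation artifact written: {ev['path']}"))
        elif kind == "process_create":
            cmd = ev["cmdline"]
            # winlogon.exe normally launches userinit/LogonUI/dwm, not a shell or batch file.
            if _basename(ev.get("parent_image", "")) == "winlogon.exe":
                child = _basename(ev["image"])
                if child in ("cmd.exe", "powershell.exe") or any(b in cmd.lower() for b in BATCH_FILES):
                    findings.append((host, f"winlogon.exe spawned a shell: {cmd}"))
            if (m := HIVE_DUMP.search(cmd)):
                findings.append((host, f"registry hive dump ({m.group(1).upper()}): {cmd}"))
            if (m := NEW_USER.search(cmd)):
                new_users[host].add(m.group(1).lower())
                findings.append((host, f"local user created: {m.group(1)}"))
            if (m := ADMIN_ADD.search(cmd)):
                tag = " (user created moments earlier)" if m.group(1).lower() in new_users[host] else ""
                findings.append((host, f"user added to Administrators: {m.group(1)}{tag}"))
    return sorted(findings)


# Constructed sample events: one host showing the reported chain, one showing benign activity.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "file_create", "path": r"C:\ProgramData\skypdf\pddrv.blf"},
    {"host": "ws01", "type": "file_create", "path": r"C:\ProgramData\skypdf\clssrv.inf"},
    {"host": "ws01", "type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\winlogon.exe",
     "cmdline": r"cmd.exe /c C:\ProgramData\skypdf\servtask.bat"},
    {"host": "ws01", "type": "process_create", "image": r"C:\Windows\System32\reg.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg save hklm\sam C:\ProgramData\skypdf\sam.hiv"},
    {"host": "ws01", "type": "process_create", "image": r"C:\Windows\System32\net.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "net user localsvc Placeholder1 /add"},
    {"host": "ws01", "type": "process_create", "image": r"C:\Windows\System32\net.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "net localgroup administrators localsvc /add"},
    # Benign: winlogon launching userinit, and an admin exporting a non-credential key.
    {"host": "ws02", "type": "process_create", "image": r"C:\Windows\System32\userinit.exe",
     "parent_image": r"C:\Windows\System32\winlogon.exe", "cmdline": "userinit.exe"},
    {"host": "ws02", "type": "process_create", "image": r"C:\Windows\System32\reg.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg save hkcu\software\contoso backup.hiv"},
]

if __name__ == "__main__":
    for host, finding in evaluate(SAMPLE_EVENTS):
        print(f"[{host}] {finding}")
```

The file-name checks are specific to this campaign and will age quickly; the winlogon.exe parent check and the hive-dump and local-administrator patterns are the durable part of the rule and are worth keeping even if the artifact names change.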

The exploitation of CVE-2025-29824 fits a trend of ransomware actors using zero-days to infiltrate targets. Last year, Symantec revealed that the Black Basta group may have exploited CVE-2024-26169, a privilege escalation flaw in the Windows Error Reporting Service, as a zero-day.
New “Bring Your Own Installer” EDR bypass used in Babuk ransomware attacks
The disclosure comes as Aon's Stroz Friedberg Incident Response service detailed a local bypass technique called Bring Your Own Installer that threat actors are exploiting to disable endpoint security software and deploy Babuk ransomware.
The attacks target SentinelOne endpoint detection and response (EDR) systems, the company said.

“Bring Your Own Installer is a technique that threat actors can use to bypass EDR protection on a host by timing the termination of the agent update process when it is improperly configured,” said Aon researchers John Ailes and Tim Mashni.
The approach is notable because it does not rely on vulnerable drivers or other tools to disarm security software. Instead, it takes advantage of the time window in the agent upgrade process to terminate the running EDR agent and leave the device unprotected.
Specifically, it abuses the fact that installing a different version of the software from an MSI file causes the already-running Windows processes to be terminated before the update is performed.
Bring Your Own Installer attacks essentially involve running a legitimate installer and, once it has shut down the running services, forcing the installation process to terminate by issuing the “taskkill” command.
“The end result was a system without SentinelOne protection, because the old version of the SentinelOne process was terminated during the upgrade and the new process was interrupted before it spawned,” the Aon researchers said.
SentinelOne, which said the technique could apply to other endpoint protection products, has rolled out an update to its local upgrade authorization feature to prevent such bypasses from recurring, including enabling it by default for all new customers.
The disclosure also comes as Cisco revealed that a ransomware family known as Crytox has adopted HRSword as part of its attack chain to turn off endpoint security protections.
HRSword has previously been observed in attacks delivering the BabyLockerKZ and Phobos ransomware strains, as well as in attacks designed to terminate AhnLab's security solutions in Korea.
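The timing pattern described above (installer stops the agent, installer is killed, new agent never starts) is detectable from ordinary process telemetry. The following is an added example, not Aon's or SentinelOne's code, that walks a per-host timeline of process start/stop events and flags a taskkill of msiexec.exe that follows the agent's shutdown when the agent does not reappear within a grace window. The agent process name, the event shape, and the sample timeline are all assumptions constructed for this example.

```python
"""Detection of the "Bring Your Own Installer" EDR bypass timing pattern.

Added example, not vendor code. Events are constructed; the shape
(host, ts, kind, image, pid, cmdline) and the agent process name are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

AGENT_PROCESS = "edragent.exe"   # placeholder for the EDR agent's main process name
GRACE = timedelta(minutes=5)     # how long a legitimate upgrade may take to restart the agent

TASKKILL = re.compile(r"\btaskkill(?:\.exe)?\b.*?/(?:im|pid)\s+(\S+)", re.I)


def detect(events, agent=AGENT_PROCESS, grace=GRACE):
    """Return [(host, kill_time, description)] for each suspected bypass."""
    findings = []
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        installer_start = {}      # pid -> time msiexec.exe started
        agent_stopped_at = None   # last time the agent process exited
        for i, ev in enumerate(evs):
            img = ev["image"].lower()
            if ev["kind"] == "start" and img == "msiexec.exe":
                installer_start[str(ev["pid"])] = ev["ts"]
            elif ev["kind"] == "stop" and img == agent:
                agent_stopped_at = ev["ts"]
            elif ev["kind"] == "start" and img == "taskkill.exe":
                m = TASKKILL.search(ev.get("cmdline", ""))
                if not m:
                    continue
                target = m.group(1).lower()
                if target != "msiexec.exe" and target not in installer_start:
                    continue
                # Only suspicious if an installer had already taken the agent down.
                if agent_stopped_at is None or not any(t <= agent_stopped_at for t in installer_start.values()):
                    continue
                restarted = any(
                    e["kind"] == "start" and e["image"].lower() == agent
                    and ev["ts"] <= e["ts"] <= ev["ts"] + grace
                    for e in evs[i + 1:]
                )
                if not restarted:
                    findings.append((host, ev["ts"],
                                     f"msiexec killed after {agent} shutdown; agent not restarted within {grace}"))
    return findings


def _t(s):
    return datetime.fromisoformat(s)


# Constructed timeline: ws01 shows the bypass pattern, ws02 a normal upgrade.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": _t("2025-05-06T10:00:00"), "kind": "start", "image": "msiexec.exe", "pid": 400,
     "cmdline": "msiexec.exe /i agent-older-version.msi /quiet"},
    {"host": "ws01", "ts": _t("2025-05-06T10:00:05"), "kind": "stop", "image": "edragent.exe", "pid": 1200},
    {"host": "ws01", "ts": _t("2025-05-06T10:00:06"), "kind": "start", "image": "taskkill.exe", "pid": 1300,
     "cmdline": "taskkill /f /im msiexec.exe"},
    {"host": "ws01", "ts": _t("2025-05-06T10:00:06"), "kind": "stop", "image": "msiexec.exe", "pid": 400},
    {"host": "ws01", "ts": _t("2025-05-06T10:30:00"), "kind": "start", "image": "notepad.exe", "pid": 1400},
    {"host": "ws02", "ts": _t("2025-05-06T11:00:00"), "kind": "start", "image": "msiexec.exe", "pid": 500,
     "cmdline": "msiexec.exe /i agent-newer-version.msi /quiet"},
    {"host": "ws02", "ts": _t("2025-05-06T11:00:05"), "kind": "stop", "image": "edragent.exe", "pid": 2200},
    {"host": "ws02", "ts": _t("2025-05-06T11:00:40"), "kind": "stop", "image": "msiexec.exe", "pid": 500},
    {"host": "ws02", "ts": _t("2025-05-06T11:00:41"), "kind": "start", "image": "edragent.exe", "pid": 2300},
]

if __name__ == "__main__":
    for host, when, why in detect(SAMPLE_EVENTS):
        print(f"[{host}] {when.isoformat()} {why}")
```

The grace window is the main tuning knob: too short and slow but legitimate upgrades produce false positives, too long and the detection lags. Pairing this with an alert on the agent's service simply being absent is the simplest backstop, since the bypass leaves no agent running at all.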
New ransomware trends
Ransomware attacks are increasingly targeting domain controllers to breach organizations, allowing threat actors to gain access to privileged accounts and weaponize their centralized network access to encrypt hundreds or even thousands of systems.
“In more than 78% of human-operated cyberattacks, threat actors have successfully breached domain controllers,” Microsoft revealed last month.
“In addition, in over 35% of cases, the main spreader devices (systems that distribute ransomware at scale) are domain controllers, highlighting their important role in enabling encryption and operational disruption.”

Other ransomware attacks detected in recent months have leveraged a new ransomware-as-a-service (RaaS) offering known as PlayBoy Locker, which provides relatively unskilled cybercriminals with a comprehensive toolkit including ransomware payloads, management dashboards, and support services.
“The PlayBoy Locker RaaS platform offers many options for building ransomware binaries targeting Windows, NAS, and ESXi systems, enabling tailored configurations to suit a variety of operational requirements,” Cybereason says. “The PlayBoy Locker RaaS operators promote regular updates, detection evasion features, and even affiliate customer support.”
The development coincides with the launch of a ransomware cartel by DragonForce, an e-crime group that claimed to have taken control of RansomHub, a RaaS scheme that abruptly stopped operating at the end of March 2025.

The white-label branding service is designed to let affiliates disguise DragonForce ransomware as separate strains for an additional fee. The threat actors claim to take 20% of ransom payments, allowing affiliates to keep the remaining 80%.
DragonForce emerged in August 2023, establishing itself as a pro-Palestinian hacktivist operation before evolving into a full-scale ransomware business. Over the past few weeks, the RaaS syndicate has drawn attention for targeting UK retailers such as Harrods, Marks & Spencer, and the Co-op.
“The move shows the group's desire to raise its profile in the crime landscape by enabling the ecosystem, with DragonForce promoting the brand itself as a ‘ransomware cartel’,” SentinelOne said. “Under this model, DragonForce provides infrastructure, malware, and ongoing support services, and affiliates run campaigns under their own branding.”
According to a report by BBC News, the attacks targeting the UK retail sector are believed to have been coordinated by the infamous threat group and RansomHub affiliate known as Scattered Spider (aka Octo Tempest or UNC3944).
“It's plausible that threat actors, including UNC3944, view retail organizations as attractive targets, given that they usually hold a large amount of personally identifiable information (PII) and financial data,” said Google-owned Mandiant.
“In addition, these companies may be more likely to pay a ransom demand if a ransomware attack affects their ability to process financial transactions.”
Ransomware attacks rose 25% in 2024, with the number of ransomware group leak sites increasing by 53%, according to Bitsight. This fragmentation reflects the arrival of smaller, more agile gangs, and not everyone has the resources to tackle such threats.
“The spread of ransomware groups means they are appearing faster than law enforcement can close them, and their focus on small organizations means that everyone can be a target.”