On 19 August 2025, Kaspersky and BI.ZONE disclosed the reemergence of the PipeMagic backdoor, a malware strain first identified in 2022. The campaign, initially limited to Asia, has now spread to Saudi Arabia and Brazil, exploiting a new Microsoft zero-day (CVE-2025-29824). The findings underscore the persistence of state-aligned and financially motivated attackers targeting critical infrastructure across multiple regions.
PipeMagic was first discovered by Kaspersky GReAT in December 2022 during investigations into a RansomExx campaign against industrial firms in Southeast Asia. Attackers used CVE-2017-0144 (EternalBlue) to infiltrate networks, with PipeMagic deployed as a backdoor capable of operating as both a remote access trojan (RAT) and a network proxy.
Middle East Activity in 2024
In October 2024, PipeMagic reappeared in Saudi Arabia, delivered via a fake ChatGPT agent application. That variant used the Tokio and Tauri frameworks, the libaes library, and employed new persistence mechanisms to evade detection.
2025 Campaign: GCC and Latin America in Focus
Exploiting CVE-2025-29824
According to Kaspersky and BI.ZONE, the April 2025 Microsoft Patch Tuesday included 121 fixes, but only one was confirmed as exploited in the wild: CVE-2025-29824, a privilege escalation bug in the clfs.sys logging driver. PipeMagic operators integrated an exploit for this flaw directly into their infection chain, enabling post-exploitation concealment and system takeover.
Technical Innovations
- Use of a Microsoft Help Index file to decrypt and execute shellcode.
- Payloads RC4-encrypted under a hex-encoded key, decrypted in memory and executed via the EnumDisplayMonitors API.
- Loader variants masquerading as a ChatGPT client, echoing Saudi incidents in 2024.
These refinements allowed PipeMagic to bypass defenses and achieve persistence within enterprise networks.
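The RC4-with-hex-key step above is the part of the chain an analyst reproduces first when unpacking a sample, because recovering the plaintext is what reveals the staged payload. The following helper is an added example written for this article, not code from Kaspersky, BI.ZONE or the PipeMagic loader: it implements standard RC4, accepts the key as a hex string (the form the article says the loader stores it in), and applies a cheap triage heuristic to the recovered bytes. The key, the plaintext and the encrypted blob are constructed here for illustration, and the classification thresholds are an assumption of this example rather than anything the report specifies.

```python
"""Analyst helper: recover an RC4-encrypted payload given a hex-encoded key.

Constructed example for this write-up, not code from Kaspersky, BI.ZONE or
PipeMagic itself. RC4 is symmetric, so one routine both builds the constructed
sample and decrypts it; classify_payload is a triage heuristic, not a signature.
"""
from __future__ import annotations


def rc4_ksa(key: bytes) -> list[int]:
    """Key-scheduling algorithm: permute 0..255 under the key bytes."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data` with RC4 (the operation is its own inverse)."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_with_hex_key(hex_key: str, blob: bytes) -> bytes:
    """Decode a hex-encoded key, as pulled from a loader's strings, then decrypt."""
    key = bytes.fromhex(hex_key.strip())
    return rc4_crypt(key, blob)


def classify_payload(plaintext: bytes) -> str:
    """Triage heuristic on recovered bytes: PE image, mostly-printable text, or other binary.

    The 90% printable threshold is an assumption of this example.
    """
    if plaintext[:2] == b"MZ":
        return "pe"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in plaintext)
    if plaintext and printable / len(plaintext) > 0.9:
        return "text"
    return "binary"


# Constructed sample: a fake PE header stub encrypted under a constructed hex key.
SAMPLE_HEX_KEY = "6d616c5f6b6579"  # constructed key; spells "mal_key" in ASCII
SAMPLE_PLAINTEXT = b"MZ\x90\x00" + bytes(range(16)) + b"constructed-payload"
SAMPLE_BLOB = rc4_crypt(bytes.fromhex(SAMPLE_HEX_KEY), SAMPLE_PLAINTEXT)


def triage_sample() -> tuple[str, bytes]:
    """Decrypt the constructed blob and classify what comes out."""
    recovered = decrypt_with_hex_key(SAMPLE_HEX_KEY, SAMPLE_BLOB)
    return classify_payload(recovered), recovered


if __name__ == "__main__":
    kind, recovered = triage_sample()
    print(f"recovered {len(recovered)} bytes, classified as {kind}")
```

In practice the hex key is read out of the loader's strings or a memory dump and the blob is carved from the carrier file, with `decrypt_with_hex_key` applied to the carved bytes; the "pe" result is what tells the analyst the next stage is a full executable rather than raw shellcode. Because the cipher is plain RC4, the same function checks out against the published RC4 test vectors, which is a useful sanity test before trusting any recovered payload.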
Regional Targets
- Saudi Arabia (late 2024 – 2025): Ongoing attacks against local organizations, with an emphasis on industrial and critical infrastructure sectors.
- Brazil (2025): Expansion into manufacturing firms, indicating a shift toward Latin American industrial targets.
Expert Commentary
“The reemergence of PipeMagic confirms that this malware remains active and continues to evolve. The 2024 versions introduced enhancements that improve persistence within victims’ infrastructures and facilitate lateral movement within targeted networks,”
— Leonid Bezvershenko, Senior Security Researcher, Kaspersky GReAT (19 August 2025).
“In recent years, clfs.sys has become an increasingly popular target for cybercriminals, particularly financially motivated actors. They are leveraging zero-day vulnerabilities in this and other drivers to escalate privileges and conceal post-exploitation activities. To mitigate such threats, we recommend using EDR tools for early and post-exploitation detection,”
— Pavel Blinnikov, Vulnerability Research Lead, BI.ZONE (19 August 2025).
MEA Perspective
Saudi Arabia’s continued targeting highlights the region’s attractiveness to attackers. As the Kingdom accelerates Vision 2030 digital transformation initiatives, adversaries are exploiting cybersecurity gaps in manufacturing and energy sectors. Regional regulators such as Saudi Arabia’s National Cybersecurity Authority (NCA) have repeatedly urged organizations to adopt stricter controls for OT/ICS networks, but the PipeMagic incidents reveal persistent challenges in patching and detection.
MITRE ATT&CK Mapping (Observed TTPs)
Tactic | Technique | Example from PipeMagic |
---|---|---|
Initial Access | T1566 | Malicious Help Index file execution |
Execution | T1059.003 | PowerShell injection through WinAPI |
Persistence | T1547 | Fake ChatGPT loader with persistence features |
Privilege Escalation | T1068 | CVE-2025-29824 (clfs.sys) |
Defense Evasion | T1027 | RC4 encryption of payloads |
Command & Control | T1090 | Proxy functionality of PipeMagic backdoor |
Impact | T1490 | Lateral movement and infrastructure disruption |
Actionable Takeaways for Defenders
- Apply April 2025 Microsoft patches, prioritizing CVE-2025-29824 across Windows systems.
- Deploy EDR/XDR solutions to detect privilege escalation and lateral movement attempts.
- Audit installed applications to identify rogue or trojanized apps (e.g., fake ChatGPT clients).
- Segment OT/ICS and IT networks to reduce lateral spread of malware.
- Harden driver-level defenses, monitoring for unusual clfs.sys interactions.
- Block suspicious binaries masquerading as Help Index files.
- Train employees on social engineering threats that enable initial compromise (awareness training).
- Conduct proactive threat hunting for indicators tied to PipeMagic campaigns.
- Share IOCs with trusted threat intelligence networks for cross-sector defense.
- Simulate attack scenarios to test organizational resilience against privilege escalation exploits.
Conclusion
The PipeMagic comeback is a stark reminder that sophisticated backdoors evolve across years and regions. From its origins in Asia to recent campaigns in Saudi Arabia and Brazil, the malware demonstrates the attackers’ adaptability and persistence. With CVE-2025-29824 actively exploited, defenders must treat privilege escalation in drivers as a frontline risk. Proactive patching, cross-network segmentation, and EDR adoption are now critical to stop the next wave before it spreads deeper into global infrastructure.