Dissecting PipeMagic: Inside the architecture of a modular backdoor framework

Aug. 19, 2025, 4:46 p.m.

Description

PipeMagic is a modular backdoor used by the threat actor tracked as Storm-2460 and delivered disguised as a legitimate ChatGPT desktop application. Its architecture is built around several linked-list structures for payload management, execution, and networking, which let the operator load and run payload modules on demand without rebuilding the implant. Communication with the command-and-control server goes through a dedicated networking module. This design gives the actor stealthy operation and granular control over a compromised host, and it makes detection and analysis harder because the capabilities are not present in the initial binary. Storm-2460 has used PipeMagic against organizations in multiple sectors and regions, pairing it with a zero-day exploit to deploy ransomware.

Date

  • Created: Aug. 18, 2025, 10:52 p.m.
  • Published: Aug. 18, 2025, 10:52 p.m.
  • Modified: Aug. 19, 2025, 4:46 p.m.

Indicators

  • dc54117b965674bad3d7cd203ecf5e7fc822423a3f692895cf5e96e83fb88f6a
  • 4843429e2e8871847bc1e97a0f12fa1f4166baa4735dff585cb3b4736e3fe49e
  • 297ea881aa2b39461997baf75d83b390f2c36a9a0a4815c81b5cf8be42840fd1
  • http://aaaaabbbbbbb.eastus.cloudapp.azure.com:443
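As an added example that is not part of this intel entry or of any vendor tooling, the following Python script turns the indicators listed above into a set of SHA-256 digests and a set of C2 hostnames and sweeps them over a few constructed telemetry lines. The three hashes and the C2 URL are copied from the list above; the key=value event layout, every event line, and the benign hostname updates.example.com are assumptions made for the example. Network events are matched on the hostname alone, because the listed URL pairs an http scheme with port 443 and the port is the easiest part of an indicator for an actor to change.

```python
"""IOC sweep for the PipeMagic indicators listed above.

Added example; it is not part of this intel entry or of any vendor tooling.
The three SHA-256 values and the C2 URL are copied from the Indicators list.
The key=value event layout and every event line below are constructed for the
example (assumption), as is the benign hostname updates.example.com.
"""
import re
from urllib.parse import urlsplit

# Indicators copied from the Indicators section of this page.
PAGE_INDICATORS = [
    "dc54117b965674bad3d7cd203ecf5e7fc822423a3f692895cf5e96e83fb88f6a",
    "4843429e2e8871847bc1e97a0f12fa1f4166baa4735dff585cb3b4736e3fe49e",
    "297ea881aa2b39461997baf75d83b390f2c36a9a0a4815c81b5cf8be42840fd1",
    "http://aaaaabbbbbbb.eastus.cloudapp.azure.com:443",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample telemetry, one key=value event per line (not real logs).
SAMPLE_EVENTS = [
    "ts=2025-08-18T22:52:00Z host=WS01 type=file path=C:\\Users\\a\\Downloads\\ChatGPT.exe "
    "sha256=DC54117B965674BAD3D7CD203ECF5E7FC822423A3F692895CF5E96E83FB88F6A",
    "ts=2025-08-18T22:53:10Z host=WS01 type=net dst=aaaaabbbbbbb.eastus.cloudapp.azure.com dport=443",
    "ts=2025-08-18T22:54:00Z host=WS02 type=file path=C:\\Windows\\notepad.exe "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000",
    "ts=2025-08-18T22:55:00Z host=WS03 type=net dst=updates.example.com dport=443",
]


def classify_indicators(indicators):
    """Sort raw indicator strings into SHA-256 digests and (hostname, port) pairs.

    Digests are lowercased so case differences in telemetry cannot cause a miss.
    Anything that is neither a 64-hex-character digest nor a parseable URL or
    host[:port] is kept in 'unknown' rather than silently dropped.
    """
    digests, hosts, unknown = set(), set(), []
    for raw in indicators:
        value = raw.strip().lower()
        if SHA256_RE.match(value):
            digests.add(value)
            continue
        try:
            parts = urlsplit(value if "://" in value else "//" + value)
            if parts.hostname:
                hosts.add((parts.hostname, parts.port))
                continue
        except ValueError:  # malformed port or netloc
            pass
        unknown.append(raw)
    return {"sha256": digests, "hosts": hosts, "unknown": unknown}


def sweep(events, indicators):
    """Return (event index, indicator kind, matched value, detail) for every hit.

    File events match on the sha256 field; network events match on the dst
    hostname only, with the observed port reported as detail. The port is not
    used as a match key because feeds record it inconsistently (the listed URL
    pairs an http scheme with port 443) and an actor can change it at will.
    """
    iocs = classify_indicators(indicators)
    c2_hostnames = {host for host, _port in iocs["hosts"]}
    hits = []
    for i, line in enumerate(events):
        fields = dict(KV_RE.findall(line))
        digest = fields.get("sha256", "").lower()
        if digest in iocs["sha256"]:
            hits.append((i, "sha256", digest, fields.get("path", "")))
        dst = fields.get("dst", "").lower()
        if dst in c2_hostnames:
            hits.append((i, "host", dst, fields.get("dport", "")))
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_EVENTS, PAGE_INDICATORS):
        print(hit)
```

Feeding real EDR or proxy exports into `sweep` only requires replacing `SAMPLE_EVENTS` with lines in the same key=value shape (or adapting `KV_RE` to the export format); the indicator handling stays the same, and anything in the `unknown` list of `classify_indicators` should be reviewed by hand rather than ignored.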

Attack Patterns

Additional Information

  • Real Estate
  • Information Technology
  • Financial
  • United States of America

Linked vulnerabilities