Exploitation of CLFS zero-day leads to ransomware activity

April 9, 2025, 8:40 p.m.

Description

A zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS) has been exploited against targets in the IT, real estate, finance, software, and retail sectors across multiple countries. The exploit, deployed by the PipeMagic malware and attributed to Storm-2460, enables privilege escalation and ransomware deployment. The vulnerability, CVE-2025-29824, was patched on April 8, 2025. The attack chain involves downloading malicious MSBuild files, running PipeMagic, and exploiting CLFS to inject payloads into system processes. Post-exploitation activity includes credential theft and the deployment of ransomware that shows similarities to RansomEXX. Microsoft recommends immediate patching and provides mitigation strategies, detection methods, and hunting queries to counter this threat.

Date

  • Created: April 9, 2025, 5:43 p.m.
  • Published: April 9, 2025, 5:43 p.m.
  • Modified: April 9, 2025, 8:40 p.m.

Attack Patterns

  • PipeMagic
  • RansomEXX
  • Storm-2460

Additional Information

  • Real Estate
  • Information Technology
  • Retail
  • Finance
  • Venezuela, Bolivarian Republic of
  • Saudi Arabia
  • Spain
  • United States of America