Skip to content
Malware family Windows

PipeMagic

PipeMagic is a modular Windows backdoor associated with financially motivated ransomware activity, most notably operations linked to Storm-2460 and the RansomExx ecosystem.

Profile source: Mallory opens in a new tab

PipeMagic

Family profile

PipeMagic is a modular Windows backdoor associated with financially motivated ransomware activity, most notably operations linked to Storm-2460 and the RansomExx ecosystem. First observed in 2022, it has remained active through later campaigns in the Middle East and Brazil and has been used as a staging and persistence framework before ransomware deployment. PipeMagic has also been reported in intrusions involving exploitation of SAP NetWeaver and Windows privilege-escalation vulnerabilities, including CVE-2025-29824.

The malware is designed to provide persistent remote access and flexible post-compromise control through a plugin-based architecture. It is commonly deployed in memory and uses named pipes together with a localhost communication mechanism to pass modules and payloads internally. PipeMagic can establish command-and-control communications over TCP, collect host and user information, receive and manage additional modules in memory, execute commands, enumerate processes, delete modules, and remove itself. Reported plugins extend functionality with file I/O handling, payload loading, and .NET execution, including AMSI bypass to facilitate in-memory execution of follow-on payloads.

Observed delivery methods include trojanized software, a fake ChatGPT desktop application used as a lure, malicious help-file based loaders, DLL hijacking, MSBuild abuse, and deployment through web shells after server-side exploitation. Earlier activity also involved exploitation of CVE-2017-0144 for initial access. In ransomware intrusions, operators have used PipeMagic before exploiting local privilege-escalation flaws to obtain SYSTEM privileges and then deploy ransomware. Associated post-exploitation activity has included credential theft via LSASS dumping and actions supporting lateral movement.

Victims have included industrial, IT, financial, real estate, retail, manufacturing, and enterprise environments across Southeast Asia, the Middle East, South America, Europe, and the United States. PipeMagic is notable for its stealth-oriented modular design, in-memory operation, and role as an extensible access platform that supports ransomware operators through persistence, payload delivery, privilege escalation workflows, credential access, and broader post-compromise control.

Capabilities

  • Credential Theft
  • Defense Evasion
  • Dll Sideloading
  • Exfiltration
  • Lateral Movement
  • Persistence
  • Post Exploitation
  • Privilege Escalation

Observed infrastructure

Last seven days

First activity
Jul 12, 2026
Last activity
Jul 12, 2026
Feed role
C2
Host form
0 IP / 1 hostnames

Samples

Recent associated samples

Reported operators

Threat actors

3 named in public reporting
RansomEXX

Microsoft researchers have detailed a modular backdoor framework called “PipeMagic,” used by threat actors to stealthily deploy ransomware.

Play

Microsoft published a lengthy analysis of PipeMagic — a backdoor used by a threat actor they call Storm-2460... Once PipeMagic is running, the threat actor performs the CLFS exploit to escalate privileges before launching their ransomware.

BianLian

"BianLian and RansomExx Exploit SAP NetWeaver Flaw to Deploy PipeMagic Trojan"

Exploited software

Vulnerabilities linked to PipeMagic

4 CVEs

MITRE ATT&CK

PipeMagic in ATT&CK

25 distinct techniques

Reporting

Research mentioning PipeMagic

Jul 9
Trojan Killer News

GigaWiper Backdoor Can Wipe Disks on Command

For related cleanup planning, see Trojan Killer’s RAT, backdoor, and stealer cleanup hub, the PipeMagic backdoor removal guide, and our coverage of The Gentlemen ransomware worm-spread cleanup.

May 21
Securelist

PipeMagic in 2025: How the backdoor operators’ tactics have changed | Securelist

The exploit for this vulnerability was executed by the PipeMagic malware, which we first discovered in December 2022 in a RansomExx ransomware campaign.

Feb 13
Cloudatg Insights

AI Development & Software Engineering | CloudATG

...deploy the PipeMagic malware in RansomExx ransomware attacks.

Jan 1
Sophos Threat Research

Microsoft primes 71 fixes for May Patch Tuesday | SOPHOS

The logging system has taken a high number of patches in the past few years, including recently seen abuse by both Play and PipeMagic malware of CVE-2025-29824, which was patched last month.

Dec 30
Cso Online

Patch Tuesday 2025 roundup: The biggest Microsoft vulnerabilities of the year

Caveza also drew attention to two escalation of privilege flaws, CVE-2025-24983 in the Windows kernel, and CVE-2025-29824, in the Windows common log file system driver, because both were used with the PipeMagic backdoor to spread ransomware.

Dec 10
Tenable

Microsoft Patch Tuesday 2025 Year in Review

CVE-2025-24983 Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability Used with the PipeMagic backdoor to spread ransomware. CVE-2025-29824 ... Abused by the PipeMagic backdoor in order to spread ransomware.

Sep 4
Cert At Security Advisories

Microsoft-Patchday behebt aktiv ausgenutzte Sicherheitslücke

Laut Microsoft wird die Schwachstelle in Verbindung mit einer Backdoor-Malware namens PipeMagic eingesetzt. Im Anschluss nutzen die Angreifer:innen die erlangten Systemrechte, um Ransomware großflächig innerhalb der Umgebung zu verteilen und auszuführen.

Aug 26
Tanium

CTI Roundup: Malicious Python Packages, PipeMagic, Noodlophile Stealer

CTI Roundup: Malicious Python Packages, PipeMagic, Noodlophile Stealer | Tanium

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.