Last seven days
- First activity
- Jul 12, 2026
- Last activity
- Jul 12, 2026
- Feed role
- C2
- Host form
- 0 IP / 1 hostnames
PipeMagic is a modular Windows backdoor associated with financially motivated ransomware activity, most notably operations linked to Storm-2460 and the RansomExx ecosystem.
Profile source: Mallory opens in a new tabPipeMagic
PipeMagic is a modular Windows backdoor associated with financially motivated ransomware activity, most notably operations linked to Storm-2460 and the RansomExx ecosystem. First observed in 2022, it has remained active through later campaigns in the Middle East and Brazil and has been used as a staging and persistence framework before ransomware deployment. PipeMagic has also been reported in intrusions involving exploitation of SAP NetWeaver and Windows privilege-escalation vulnerabilities, including CVE-2025-29824.
The malware is designed to provide persistent remote access and flexible post-compromise control through a plugin-based architecture. It is commonly deployed in memory and uses named pipes together with a localhost communication mechanism to pass modules and payloads internally. PipeMagic can establish command-and-control communications over TCP, collect host and user information, receive and manage additional modules in memory, execute commands, enumerate processes, delete modules, and remove itself. Reported plugins extend functionality with file I/O handling, payload loading, and .NET execution, including AMSI bypass to facilitate in-memory execution of follow-on payloads.
Observed delivery methods include trojanized software, a fake ChatGPT desktop application used as a lure, malicious help-file based loaders, DLL hijacking, MSBuild abuse, and deployment through web shells after server-side exploitation. Earlier activity also involved exploitation of CVE-2017-0144 for initial access. In ransomware intrusions, operators have used PipeMagic before exploiting local privilege-escalation flaws to obtain SYSTEM privileges and then deploy ransomware. Associated post-exploitation activity has included credential theft via LSASS dumping and actions supporting lateral movement.
Victims have included industrial, IT, financial, real estate, retail, manufacturing, and enterprise environments across Southeast Asia, the Middle East, South America, Europe, and the United States. PipeMagic is notable for its stealth-oriented modular design, in-memory operation, and role as an extensible access platform that supports ransomware operators through persistence, payload delivery, privilege escalation workflows, credential access, and broader post-compromise control.
Samples
Reported operators
Microsoft researchers have detailed a modular backdoor framework called “PipeMagic,” used by threat actors to stealthily deploy ransomware.
Microsoft published a lengthy analysis of PipeMagic — a backdoor used by a threat actor they call Storm-2460... Once PipeMagic is running, the threat actor performs the CLFS exploit to escalate privileges before launching their ransomware.
"BianLian and RansomExx Exploit SAP NetWeaver Flaw to Deploy PipeMagic Trojan"
Exploited software
MITRE ATT&CK
Reporting
For related cleanup planning, see Trojan Killer’s RAT, backdoor, and stealer cleanup hub, the PipeMagic backdoor removal guide, and our coverage of The Gentlemen ransomware worm-spread cleanup.
The exploit for this vulnerability was executed by the PipeMagic malware, which we first discovered in December 2022 in a RansomExx ransomware campaign.
...deploy the PipeMagic malware in RansomExx ransomware attacks.
The logging system has taken a high number of patches in the past few years, including recently seen abuse by both Play and PipeMagic malware of CVE-2025-29824, which was patched last month.
Caveza also drew attention to two escalation of privilege flaws, CVE-2025-24983 in the Windows kernel, and CVE-2025-29824, in the Windows common log file system driver, because both were used with the PipeMagic backdoor to spread ransomware.
CVE-2025-24983 Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability Used with the PipeMagic backdoor to spread ransomware. CVE-2025-29824 ... Abused by the PipeMagic backdoor in order to spread ransomware.
Laut Microsoft wird die Schwachstelle in Verbindung mit einer Backdoor-Malware namens PipeMagic eingesetzt. Im Anschluss nutzen die Angreifer:innen die erlangten Systemrechte, um Ransomware großflächig innerhalb der Umgebung zu verteilen und auszuführen.
CTI Roundup: Malicious Python Packages, PipeMagic, Noodlophile Stealer | Tanium
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.