PipeMagic
PipeMagic is a modular backdoor framework linked to ransomware operations, most consistently attributed in the provided reporting to Microsoft-tracked Storm-2460 and associated with RansomEXX/Play-related activity. It has been described as a custom tool used to facilitate further system access and control, provide persistent access, enable remote access and command execution, and support ransomware staging and deployment.
Across the reporting, PipeMagic is characterized as a plugin- or module-based backdoor that operates largely in memory. Microsoft describes it as receiving modules over the network and through named pipes, storing them in memory using multiple doubly linked list structures, and using a dedicated networking module for TCP-based command-and-control. Reported capabilities include collecting and exfiltrating host information such as computer name, username, domain and system details; executing core functionality or specific modules on command; loading, invoking, interacting with, and deleting modules; enumerating running processes; re-collecting system information; deleting itself; and updating itself in memory. Additional reporting states it can facilitate lateral movement, and Kaspersky/BI.ZONE identified communications, loading/injection, and AMSI-bypass-related modules in 2025 activity.
Observed delivery and infection vectors in the content include a trojanized or modified fake ChatGPT desktop application based on an open-source GitHub project, malicious in-memory droppers, abuse of MSBuild, malicious Microsoft Help Index files with obfuscated C# that decrypt shellcode, DLL hijacking via a trojanized Google update DLL, and web shells/JSP webshells deployed after exploitation of SAP NetWeaver CVE-2025-31324. Historical reporting in the content also says PipeMagic was first seen in 2022 in RansomExx attacks and had previously been spread via CVE-2017-0144. Multiple sources state PipeMagic was used together with Windows privilege-escalation vulnerabilities CVE-2025-29824 and CVE-2025-24983 to spread ransomware; Microsoft specifically says Storm-2460 deployed PipeMagic and then exploited CVE-2025-29824 in the Windows CLFS driver to escalate privileges before launching ransomware.
Targeting described in the content includes organizations in the IT, financial, real estate, retail, and manufacturing sectors, with victims or observed activity in the United States, Europe, South America, the Middle East, Saudi Arabia, Venezuela, Spain, and Brazil. One source also links PipeMagic deployment in SAP NetWeaver exploitation to BianLian in at least one incident.
High-confidence infrastructure and indicators directly mentioned in the content include the Azure-hosted C2 domain aaaaabbbbbbb.eastus.cloudapp.azure.com, beaconing to a known RansomEXX domain in one ReliaQuest observation, use of randomly named pipes with the prefix \\.\pipe\1., and local connections to 127.0.0.1:8082 for payload transfer in one Kaspersky/BI.ZONE-described campaign. The malware has also been reported masquerading as a ChatGPT desktop application that may display a blank screen when executed.
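The pipe-based module delivery and the indicators described above, as an added defender-side example that is not the page's or any vendor's code: it scans constructed Sysmon-style events (IDs 17/18 for named pipes, 3 for network connections) for the \\.\pipe\1. pipe prefix, the 127.0.0.1:8082 local channel and the Azure C2 host, and escalates a process only when it trips the C2 rule or more than one rule. The alphanumeric suffix shape, the event field names and all sample paths are assumptions.

```python
import re
from collections import defaultdict

# Indicators from the write-up above; the random-suffix shape and the Sysmon field names are assumptions.
C2_HOSTS = {"aaaaabbbbbbb.eastus.cloudapp.azure.com"}
LOCAL_PAYLOAD_PORT = 8082
_PIPE_PREFIX = re.compile(r"^\\\\\.\\pipe")     # Sysmon logs PipeName without "\\.\pipe"; other tools keep it
_PIPE_SHAPE = re.compile(r"\\1\.[0-9A-Za-z]+")  # "\1." followed by a random (assumed alphanumeric) suffix

def is_pipemagic_pipe(pipe_name: str) -> bool:
    r"""True when the pipe name follows the \\.\pipe\1.<suffix> naming scheme."""
    return bool(_PIPE_SHAPE.fullmatch(_PIPE_PREFIX.sub("", pipe_name)))

def match_event(ev: dict) -> str:
    """Return the name of the rule an event trips, or '' when it trips none."""
    eid = ev.get("EventID")
    if eid in (17, 18) and is_pipemagic_pipe(ev.get("PipeName", "")):  # pipe created / connected
        return "pipemagic_named_pipe"
    if eid == 3:  # network connection
        if ev.get("DestinationHostname", "").lower() in C2_HOSTS:
            return "pipemagic_c2_host"
        # 127.0.0.1:8082 is also used by ordinary dev servers, so it only escalates when paired with a pipe hit
        if ev.get("DestinationIp") == "127.0.0.1" and ev.get("DestinationPort") == LOCAL_PAYLOAD_PORT:
            return "local_payload_channel_8082"
    return ""

def scan(events: list) -> dict:
    """Group tripped rules by originating process image."""
    hits = defaultdict(set)
    for ev in events:
        rule = match_event(ev)
        if rule:
            hits[ev.get("Image", "?")].add(rule)
    return dict(hits)

def triage(hits: dict) -> list:
    """Images worth escalating: a C2 host hit, or two or more rules on the same process."""
    return sorted(img for img, rules in hits.items() if "pipemagic_c2_host" in rules or len(rules) >= 2)

CHATGPT = r"C:\Users\u\AppData\Local\ChatGPT\chatgpt.exe"  # constructed path, not an IOC
SAMPLE_EVENTS = [  # constructed telemetry
    {"EventID": 17, "Image": CHATGPT, "PipeName": r"\1.7f3a9c"},
    {"EventID": 3, "Image": CHATGPT, "DestinationIp": "127.0.0.1", "DestinationPort": 8082},
    {"EventID": 3, "Image": CHATGPT, "DestinationHostname": "aaaaabbbbbbb.eastus.cloudapp.azure.com", "DestinationPort": 443},
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\lsass"},
    {"EventID": 3, "Image": r"C:\dev\node.exe", "DestinationIp": "127.0.0.1", "DestinationPort": 8082},
]

if __name__ == "__main__":
    print(triage(scan(SAMPLE_EVENTS)))
```

The lone node.exe hit on 127.0.0.1:8082 is deliberately left out of the triage list, which is the point of requiring a second rule before escalating that indicator.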
Vulnerabilities exploited
4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Microsoft researchers have detailed a modular backdoor framework called “PipeMagic,” used by threat actors to stealthily deploy ransomware.
Microsoft observed the delivery of PipeMagic as part of staging activities prior to exploitation of the Windows Common Log File System privilege escalation vulnerability tracked as CVE-2025-29824. Once PipeMagic was set up on the system, Storm-2460 would use the flaw to escalate privileges and ultimately deploy their ransomware using the pipe delivery system.
PipeMagic, first seen in 2022 RansomExx attacks, is a backdoor enabling remote access and command execution. It was spread via CVE-2017-0144 in Windows SMB...
Ransomware groups and Chinese advanced persistent threat (APT) groups are targeting a critical vulnerability in SAP NetWeaver... The vulnerability, tracked as CVE-2025-31324, has a CVSS score of 10 and affects NetWeaver's Visual Composer development server. Threat actors can exploit the vulnerability using remote attacks to execute arbitrary code without authentication... SAP later confirmed it as an unrestricted file upload vulnerability... allowing attackers to upload malicious files directly to the system without authorization.
RansomEXX, also tracked as Storm-2460, is known for using the modular backdoor named PipeMagic. ReliaQuest observed the deployment of a PipeMagic sample beaconing to a known RansomEXX domain.
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Microsoft researchers have detailed a modular backdoor framework called “PipeMagic,” used by threat actors to stealthily deploy ransomware.
Microsoft published a lengthy analysis of PipeMagic — a backdoor used by a threat actor they call Storm-2460... Once PipeMagic is running, the threat actor performs the CLFS exploit to escalate privileges before launching their ransomware.
"BianLian and RansomExx Exploit SAP NetWeaver Flaw to Deploy PipeMagic Trojan"
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
"At least two different cybercrime groups BianLian and RansomExx are said to have exploited a recently disclosed security flaw in SAP NetWeaver..."
Execution
2 techniques
The use of modular architecture, indirect C2 communications and transmission of payloads through inter-process pipes enhances the stealth and flexibility of the backdoor, making it more difficult to detect via traditional network detection methods.
"...staying hidden through encrypted named pipes..."
Persistence
1 technique
"The attacks involved the delivery of PipeMagic by means of web shells dropped following the exploitation of the SAP NetWeaver flaw."
Privilege Escalation
1 technique
Microsoft observed the delivery of PipeMagic as part of staging activities prior to exploitation of the Windows Common Log File System privilege escalation vulnerability tracked as CVE-2025-29824. Once PipeMagic was set up on the system, Storm-2460 would use the flaw to escalate privileges and ultimately deploy their ransomware using the pipe delivery system.
Stealth
4 techniques
"...includes malicious code to decrypt and launch an embedded payload in memory."
"...hidden through encrypted named pipes..."
PipeMagic is used by the threat group known as Storm-2460 and is spread through impersonation of a legitimate open-source ChatGPT desktop application tool.
"...even rename the backdoor executable for self-deletion."
"...malicious in-memory dropper... decrypt and launch an embedded payload in memory."
"...staying hidden through encrypted named pipes and in-memory operations."
Discovery
2 techniques
When communication with the C2 is first established, the malware collects comprehensive system information and transmits it back to the C2 via the network module.
Command and Control
2 techniques
A networking module is also established to facilitate indirect communications with the attacker’s command-and-control (C2) server over the Transmission Control Protocol (TCP).
When a new payload module is delivered through the pipe, the malware allocates memory and adds the payload contents to the designated linked list.
Exfiltration
1 technique
"...before receiving instructions on what modules to run or which data to exfiltrate."
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
26 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Malware used in intrusion chain for RansomExx ransomware; deployed after exploiting a Windows CLFS privilege escalation flaw (CVE-2025-29824).
Trojan deployed after exploitation of SAP NetWeaver; also reported exploiting a Windows CLFS zero-day to deploy ransomware.
Backdoor used in conjunction with privilege escalation vulnerabilities to facilitate ransomware deployment.
PipeMagic is a backdoor used to facilitate the spread of ransomware, leveraging Windows privilege escalation vulnerabilities.