“Promised a safe ChatGPT, got a trojan with a three-year history.” An “old friend” of admins has resurfaced.

Microsoft patched 121 vulnerabilities — but missed the one that mattered. And PipeMagic came back to life.

In April 2025, Microsoft closed 121 flaws in its products, but only one of them — CVE-2025-29824 — was being actively exploited in real-world attacks. That exploitation was carried out via the malware PipeMagic, first discovered in December 2022 during a campaign involving the ransomware RansomExx. Back then, the victims were industrial companies in Southeast Asia, with initial access gained through CVE-2017-0144. The loader was a trojanized version of the popular Rufus utility, and the backdoor itself functioned both as a remote administration tool and a network gateway, capable of executing a wide range of commands.
Two years later, PipeMagic resurfaced — in October 2024 it was deployed against organizations in Saudi Arabia. This time, the attackers abandoned known exploits in favor of social engineering: victims were lured into installing a fake ChatGPT client. Written in Rust with the Tauri and Tokio frameworks, the program displayed a blank window upon launch, while in reality extracting an encrypted blob and executing embedded shellcode. To complicate analysis, it used API hashing via FNV-1a and dynamic function resolution. A unique feature of PipeMagic was its use of named pipes to transfer encrypted data, bound to the local address 127.0.0.1:8082. Additional modules were retrieved from a domain hosted on Microsoft Azure.
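The API hashing mentioned above is what an analyst has to undo first: a loader that resolves imports by FNV-1a hash leaves no API names in the binary, so the analyst hashes the export names of the relevant system DLLs and looks up the constants seen in the disassembly. The following is an added example, not code from the article, from BI.ZONE or Kaspersky, or from PipeMagic itself. It uses the standard FNV-1a parameters; whether the sample uses exactly these (32- or 64-bit width, case folding, NUL terminator included) is an assumption, which is why the resolver tries the common variants. The export list is a constructed stand-in for the tables one would dump from the real DLLs.

```python
"""Resolve FNV-1a API-name hashes found in shellcode back to export names.

Added example (not code from the article or from the malware). Standard
FNV-1a parameters; the exact variant a given sample uses is an assumption.
"""

FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x100000001B3


def fnv1a_32(data: bytes) -> int:
    """32-bit FNV-1a: XOR each byte in, then multiply by the prime (mod 2^32)."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fnv1a_64(data: bytes) -> int:
    """64-bit FNV-1a, same structure with the 64-bit constants."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


# Constructed stand-in for the export tables an analyst would dump from the
# real DLLs (e.g. with pefile). The names are genuine Win32 exports; the
# selection is arbitrary and kept short for the example.
EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                     "CreateNamedPipeA", "CreateFileA"],
    "amsi.dll": ["AmsiScanBuffer", "AmsiScanString"],
    "ws2_32.dll": ["WSAStartup", "connect", "bind"],
}


def build_hash_table(exports=EXPORTS, width=32, lowercase=False):
    """Map hash -> (dll, export).  Loaders commonly hash either the name as
    exported or its lowercase form, with or without the terminating NUL, so
    both terminator variants are inserted for the chosen case handling."""
    fn = fnv1a_32 if width == 32 else fnv1a_64
    table = {}
    for dll, names in exports.items():
        for name in names:
            key = (name.lower() if lowercase else name).encode()
            table[fn(key)] = (dll, name)
            table[fn(key + b"\0")] = (dll, name)  # NUL-terminated variant
    return table


def resolve_hashes(hashes, width=32):
    """Look each constant up in the as-exported and lowercase tables.
    Returns a list of (hash, (dll, name) or None)."""
    tables = [build_hash_table(width=width, lowercase=lc) for lc in (False, True)]
    out = []
    for h in hashes:
        match = next((t[h] for t in tables if h in t), None)
        out.append((h, match))
    return out


if __name__ == "__main__":
    # Constructed "constants pulled from a disassembly": two hashes of known
    # exports (one of them lowercased) and one that matches nothing.
    sample = [fnv1a_32(b"VirtualAlloc"), fnv1a_32(b"amsiscanbuffer"), 0xDEADBEEF]
    for h, m in resolve_hashes(sample):
        print(f"0x{h:08x} -> {m or 'unresolved'}")
```

In practice the export list is generated from the DLLs on a reference system of the same Windows build, and an unresolved constant usually means the sample uses a different seed, a different case transformation, or hashes the DLL name together with the export name; those variants are added to `build_hash_table` as they are discovered.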
By January 2025, new infections were recorded in Saudi Arabia and Brazil. This time, the loader was a Windows Help file (.mshi) executed through msbuild. It contained obfuscated C# code, RC4 encryption, and subsequent shellcode injection via the WinAPI EnumDeviceMonitor function. In parallel, other vectors were observed: the same fake ChatGPT app compiled in 2024 and reused in 2025, as well as DLL hijacking — swapping out libraries loaded by legitimate executables (for example, GoogleUpdate). In that variant, the malicious DLL decrypted and injected additional code into memory during initialization.
The backdoor retained much of its original architecture: generating random 16-byte pipe names, communicating over 127.0.0.1:8082, and supporting plugin modules. But researchers also found new modules. One handled asynchronous file operations through I/O completion ports, supporting open, read, write, and lock functionality. Another acted as a loader for additional payloads on 64-bit systems, using the exported function DllRegisterService to manage commands. A third module served as an injector, embedding .NET applications and bypassing AMSI by patching the AmsiScanString and AmsiScanBuffer functions, allowing malicious execution to remain undetected by Windows defenses.
Once inside, attackers engaged in lateral movement and credential theft. Telemetry captured one case where ProcDump was launched under the name dllhost.exe to dump the memory of the LSASS process — enabling password extraction and further network traversal. This exact technique was cited by Microsoft in its description of CVE-2025-29824 exploitation.
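The three behaviours just described (random named pipes, a renamed ProcDump, and LSASS memory access) are all visible in ordinary endpoint telemetry. The following is an added example, not code from the article, BI.ZONE, Kaspersky or Microsoft, that runs three detection rules over constructed Sysmon-style records: Event ID 1 (process creation, whose `OriginalFileName` field comes from the PE version resource and survives a rename on disk), Event ID 10 (process access, with the `GrantedAccess` mask) and Event ID 17 (named pipe creation). The sample events, the entropy threshold and the minimum pipe-name length are assumptions made for the example; `PROCESS_VM_READ` (0x0010) is the documented Windows access right needed to read another process's memory.

```python
"""Flag PipeMagic-style post-exploitation behaviour in Sysmon-style events.

Added example, not the article's or the researchers' code. Field names follow
Sysmon (Image, OriginalFileName, TargetImage, GrantedAccess, PipeName); the
records and thresholds below are constructed for the example.
"""
import math
import ntpath
from collections import Counter

PROCESS_VM_READ = 0x0010  # documented Windows access right for reading process memory

# Constructed sample events: a renamed ProcDump dumping LSASS, a legitimate
# dllhost, a random-looking pipe from a fake client, and a normal system pipe.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\Temp\dllhost.exe",
     "OriginalFileName": "procdump",
     "CommandLine": "dllhost.exe -ma lsass.exe out.dmp"},
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\dllhost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe",
     "OriginalFileName": "dllhost.exe",
     "CommandLine": "dllhost.exe /Processid:{placeholder}"},
    {"EventID": 17, "Image": r"C:\Users\u\AppData\Local\chatgpt.exe",
     "PipeName": r"\a7f3c9e1b2d4f60c"},
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe",
     "PipeName": r"\winreg"},
]


def _stem(path: str) -> str:
    """Lower-case file name without directory or extension; ntpath handles
    backslash paths on any host OS."""
    return ntpath.basename(path).lower().rsplit(".", 1)[0]


def is_masquerade(ev: dict) -> bool:
    """Event 1: the name on disk does not match the PE's own OriginalFileName
    (the ProcDump-as-dllhost.exe case)."""
    return ev.get("EventID") == 1 and _stem(ev["Image"]) != _stem(ev["OriginalFileName"])


def is_lsass_read(ev: dict) -> bool:
    """Event 10: a handle to lsass.exe that includes PROCESS_VM_READ."""
    return (ev.get("EventID") == 10
            and _stem(ev["TargetImage"]) == "lsass"
            and (int(ev["GrantedAccess"], 16) & PROCESS_VM_READ) != 0)


def shannon_entropy(s: str) -> float:
    """Bits per character; high values indicate random-looking names."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_random_pipe(ev: dict, min_len: int = 12, min_entropy: float = 3.0) -> bool:
    """Event 17: long, high-entropy pipe name.  Heuristic; thresholds are an
    assumption and should be tuned against a baseline of known-good pipes."""
    if ev.get("EventID") != 17:
        return False
    name = ev["PipeName"].lstrip("\\")
    return len(name) >= min_len and shannon_entropy(name) >= min_entropy


RULES = [
    ("masquerade", is_masquerade),
    ("lsass_access", is_lsass_read),
    ("random_pipe", is_random_pipe),
]


def triage(events) -> list:
    """Return (rule_name, event_index) for every rule hit, in event order."""
    hits = []
    for i, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, i))
    return hits


if __name__ == "__main__":
    for name, i in triage(EVENTS):
        print(f"{name:13s} event[{i}] {EVENTS[i].get('Image') or EVENTS[i].get('SourceImage')}")
```

Correlating the first two hits by process (the same `dllhost.exe` path creates the process and opens LSASS) is what turns two medium-confidence alerts into the credential-theft finding the telemetry described above captured; the pipe rule is noisier on its own and is best used to enrich a process that is already suspicious.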
Analysis of the campaigns showed that in 2025 PipeMagic was used against organizations in multiple countries, retaining most of its original capabilities while gaining new loaders and modules that complicated detection and analysis. A joint investigation by BI.ZONE and Kaspersky Lab traced its path from the first attacks in 2022 to recent incidents in Brazil and Saudi Arabia. Despite no radical changes in the core backdoor, the expanded loader arsenal and auxiliary modules illustrate the operators’ adaptability and determination to strengthen their campaigns’ resilience.