Microsoft has revealed that a now-patched security flaw affecting the Windows Common Log File System (CLFS) was exploited as a zero-day in ransomware attacks aimed at a small number of targets.
“Targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia,” the tech giant noted.
The vulnerability in question is CVE-2025-29824, a privilege escalation flaw in CLFS that could be exploited to gain SYSTEM privileges. Redmond fixed it as part of its Patch Tuesday update for April 2025.
Microsoft is tracking the activity and post-compromise exploitation of CVE-2025-29824 under the moniker Storm-2460, with the threat actors also using malware called PipeMagic to deliver the exploit as well as the ransomware payloads.
The exact initial access vector used in the attacks is currently unknown. However, the threat actors were observed using the certutil utility to download malware from a legitimate third-party site that had previously been compromised to host the payloads.
The malware is a malicious MSBuild file that contains an encrypted payload, which is then unpacked to launch PipeMagic, a trojan that has been observed in the wild since 2022.
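The two delivery behaviours described above (certutil fetching a payload from a remote URL, then MSBuild executing a project file dropped in a user-writable location) are the kind of thing a detection engineer would write a rule for. The following is an added example, not code from the page or from Microsoft: it runs two heuristic rules over constructed process-creation events whose fields loosely mirror Sysmon Event ID 1 / Windows 4688; the event values, the rule names and the list of "suspicious" directories are all assumptions.

```python
import re

# Constructed sample events, not telemetry from the article.
EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -urlcache -split -f https://example.invalid/update.bin C:\Users\Public\update.bin",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\Public\build.proj",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj /t:Build",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -hashfile C:\tmp\file.exe SHA256",
     "parent": r"C:\Windows\System32\cmd.exe"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Heuristic assumption: directories where a legitimate build project rarely lives.
SUSPICIOUS_DIRS = (r"\users\public", r"\appdata\local\temp", r"\programdata", r"\windows\temp")
PROJECT_EXTS = (".proj", ".csproj", ".vbproj", ".xml", ".targets")


def basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def flag_event(ev):
    """Return the names of the rules that fire for one process-creation event."""
    hits = []
    name = basename(ev["image"])
    cmd = ev["cmdline"].lower()
    # Rule 1: certutil's URL cache switch used to pull content from a remote URL.
    if name == "certutil.exe" and "urlcache" in cmd and URL_RE.search(cmd):
        hits.append("certutil-remote-download")
    # Rule 2: MSBuild handed a project file sitting in a user-writable staging directory.
    if name == "msbuild.exe":
        for arg in cmd.split()[1:]:
            if arg.endswith(PROJECT_EXTS) and any(d in arg for d in SUSPICIOUS_DIRS):
                hits.append("msbuild-suspicious-project")
                break
    return hits


def scan(events):
    """Evaluate every event; returns (event index, rule name) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in flag_event(ev)]
```

Real deployments would tune the directory list to the environment and pair these rules with LSASS-access telemetry (e.g. Sysmon Event ID 10), which process-creation logs alone do not capture.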
It is worth noting that CVE-2025-29824 is the second Windows zero-day to be delivered via PipeMagic, after CVE-2025-24983, a flaw in the Windows Win32 Kernel Subsystem that was flagged by ESET and fixed by Microsoft last month.
PipeMagic was also previously observed in connection with Nokoyawa ransomware attacks that exploited another CLFS zero-day (CVE-2023-28252).
“In some of the other attacks we attribute to the same actor, we also noticed that, prior to exploiting the CLFS elevation-of-privilege vulnerability, the victims’ machines were infected with a custom modular backdoor,” a report noted in April 2023.
It is important to note that Windows 11, version 24H2, is not affected by this specific exploitation, because access to certain system information classes within NtQuerySystemInformation is restricted to users with SeDebugPrivilege, which typically only admin-like users can obtain.
“The exploit targets a vulnerability in the CLFS kernel driver,” Microsoft’s Threat Intelligence team explained. “The memory corruption and the RtlSetAllBits API are then used to overwrite the exploit’s process token with the value 0xFFFFFFFF, enabling all privileges for the process, which allows for process injection into SYSTEM processes.”
Successful exploitation is followed by the threat actor harvesting user credentials by dumping the memory of LSASS, and then encrypting files on the system with a random extension.
Microsoft said the ransomware deployed belongs to the RansomEXX family.
“Ransomware threat actors value post-compromise elevation-of-privilege exploits because these could enable them to escalate initial access, including handoffs from commodity malware distributors, into privileged access,” Microsoft said. “They then use privileged access for widespread deployment and detonation of ransomware within an environment.”