2025-08-18

Microsoft researchers have detailed a modular backdoor framework called “PipeMagic,” used by threat actors to stealthily deploy ransomware.

PipeMagic is used by the threat group known as Storm-2460 and is spread through impersonation of a legitimate open-source ChatGPT desktop application tool, according to a Microsoft blog post published Monday.

When the malware is installed, a modified version of the ChatGPT application decrypts and launches the embedded PipeMagic payload, which sets the stage for modular follow-on payload delivery via named pipes and doubly linked list structures.

A linked list of raw payload modules is populated through the creation of a named pipe that the malware continuously listens on. The name of the pipe includes a randomly generated 16-byte bot ID unique to the infected system.
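A defender-side triage heuristic built on the detail above, as an added example (not code from Microsoft's post or from the malware): it flags named pipes whose name embeds a 16-byte random token. It assumes the bot ID appears as 32 hex characters, which the article does not state, so the pattern is a placeholder to adjust against your own telemetry.

```python
import math
import os
import re

# Assumption (not in the article): the 16-byte bot ID is rendered as 32
# contiguous hex characters. GUIDs with hyphens deliberately do not match.
HEX_ID = re.compile(r"[0-9a-fA-F]{32}")
ENTROPY_THRESHOLD = 3.0  # bits/char; uniformly random hex approaches 4.0

# Constructed sample pipe names for offline use; the flagged entry is made up.
SAMPLE_PIPES = [
    "lsass",
    "srvsvc",
    r"MSSQL$SQLEXPRESS\sql\query",
    "chrome.sync.1234.5678",
    "svc_aaaaaaaabbbbbbbbccccccccdddddddd",      # hex-shaped but low entropy
    "upd_0123456789abcdef0123456789abcdef",      # high-entropy 32-hex token
]


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_pipe(name: str) -> bool:
    """True when the pipe name embeds a high-entropy 32-hex token."""
    return any(
        shannon_entropy(m.group(0).lower()) >= ENTROPY_THRESHOLD
        for m in HEX_ID.finditer(name)
    )


def triage(pipe_names) -> list:
    """Return the sorted subset of names worth a closer look."""
    return sorted(n for n in pipe_names if suspicious_pipe(n))


def list_local_pipes() -> list:
    # On Windows the named-pipe namespace can be listed as a directory;
    # elsewhere fall back to the constructed sample so the script runs offline.
    if os.name == "nt":
        return os.listdir(r"\\.\pipe\\")
    return SAMPLE_PIPES


if __name__ == "__main__":
    for hit in triage(list_local_pipes()):
        print("review:", hit)
```

Treat hits as hunting leads, not verdicts: confirm them with the owning process, its parent chain and the binary's signature before acting.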

When a new payload module is delivered through the pipe, the malware allocates memory and adds the payload contents to the designated linked list. Payload modules that are loaded into memory and ready to be executed are also added to a separate linked list.

A networking module is also established to facilitate indirect communications with the attacker’s command-and-control (C2) server over the Transmission Control Protocol (TCP). When communication with the C2 is first established, the malware collects comprehensive system information and transmits it back to the C2 via the network module.

Afterward, the backdoor receives processing commands from the C2 server, with the processing code 0x1 used to direct core backdoor operations with granular control. This includes delivery of new modules, loading and execution of payload modules, deletion of modules, retrieval of system data and more.

Microsoft observed the delivery of PipeMagic as part of staging activities prior to exploitation of the Windows Common Log File System privilege escalation vulnerability tracked as CVE-2025-29824. Once PipeMagic was set up on the system, Storm-2460 would use the flaw to escalate privileges and ultimately deploy their ransomware using the pipe delivery system.

The use of modular architecture, indirect C2 communications and transmission of payloads through inter-process pipes enhances the stealth and flexibility of the backdoor, making it more difficult to detect via traditional network detection methods.

Storm-2460 is known to target organizations in the information technology (IT), financial and real estate sectors, with victims located in the United States, Europe, South America and the Middle East, according to Microsoft.

The researchers recommend mitigations including the use of fully automated investigation and remediation features that allow for immediate action to combat infections while reducing alert volumes. Cloud-based and machine learning (ML)-driven protections are also recommended as a way to help block new and unknown threats.

The C2 domain used in PipeMagic infections, which was hosted on Azure Cloud Services, has been disabled by Microsoft.

Earlier this month, Cisco Talos reported on another modular malware framework known as PS1Bot, which controlled PowerShell payload executions through modules delivered from an external server.