Some malware families fade after one flashy campaign. Not PipeMagic. Since its first sighting in 2022 bundled with RansomExx ransomware, this backdoor has resurfaced in Saudi Arabia (2024) and most recently in Brazil(2025). Each time it comes back, it learns a new trick.
And in its latest act? It rides in on the coattails of CVE-2025-29824, a Windows vulnerability that Microsoft rushed to patch in April.
Key Findings
Pipe Magic doesn’t knock on the front door; it shapeshifts to get inside
- 2022: Disguised as Rufus, the USB formatting tool.
- 2024: Masquerading as a fake ChatGPT app built in Rust (it only showed a blank screen, but behind the curtain, it dropped shellcode).
- 2025: A triple act:
- .mshi Help File loader launched with MSBuild.
- DLL hijacking planting a rogue DLL next to legitimate apps like Google Chrome updater.
- Polished ChatGPT loaders returning for an encore.
Talking Through Pipes
PipeMagic’s stage is Windows internals. Its communication method is clever:
- It spawns named pipes like \\.\pipe\magic3301 or random 16-byte variations.
- It chats with itself via 127.0.0.1:8082 before exfiltrating data.
- Plugins get pulled from Azure cloud infrastructure, giving it the cover of legitimate services.
The New Tricks (2025 Edition)
This year’s campaign brought new supporting modules:
- Asynchronous File Handler – Reads, writes, and manipulates files like a stealthy sysadmin.
- Loader – Injects 64-bit payloads and listens on test_pipe20.
- Injector – Launches .NET payloads, patches AMSI to make malware “look clean,” and even checks the victim’s.NET version before running.
Once inside, PipeMagic doesn’t just steal the show it steals credentials from LSASS. Attackers used a renamedprocdump.exe (dllhost.exe) to dump memory, harvest passwords, and move laterally.
CVE-2025-29824
- Vulnerability: Exploited by PipeMagic in recent campaigns.
- Type: Privilege escalation / credential dumping vector.
- Exploitation: Observed in-the-wild at time of Microsoft’s April 2025 Patch Tuesday release.
- Linkage: Directly tied to the PipeMagic operators’ use of ProcDump for credential extraction.
Indicators of Compromise (IOCs)
File Hashes
- ChatGPT loader (2024–2025): 60988c99fb58d346c9a6492b9f3a67f7, 7e6bf818519be0a20dbc9bcb9e5728c6
- .mshi loader: 5df8ee118c7253c3e27b1e427b56212c
- DLL hijacking sample: e3c8480749404a45a61c39d9c3152251
- PipeMagic core backdoor: 1a119c23e8a71bf70c1e8edf948d5181
C2 Infrastructure
- hxxp://aaaaabbbbbbb.eastus.cloudapp.azure[.]com
Pipe Names
- \\.\pipe\magic3301
- \\.\pipe\test_pipe20.%d
- \\.\pipe\0104201.%d
Detection & Hunting Guidance
- Endpoint Monitoring:
- Look for suspicious use of MSBuild.exe executing .mshi files.
- Detect DLL hijacking attempts involving legitimate binaries (GoogleUpdate.exe, Chrome updater).
- Monitor creation of suspicious named pipes (\\.\pipe\magic*, \\.\pipe\test_pipe*).
- Watch for ProcDump masquerading as dllhost.exe.
- Memory & Process Analysis:
- Flag unusual API hashing techniques (FNV-1a).
- Identify AMSI bypass attempts (patching AmsiScanString / AmsiScanBuffer).
- Network Indicators:
- Block suspicious Azure cloud domains linked to malware activity.
- Look for local traffic on 127.0.0.1:8082 used for internal backdoor communication.
Mitigation & Recommendation
- Patch Management
- Apply Microsoft’s April 2025 updates addressing CVE-2025-29824 immediately.
- Application Control
- Restrict execution of unauthorized binaries (e.g., fake ChatGPT apps, unverified utilities).
- Credential Protection
- Enable LSASS credential guard and restrict access to LSASS memory.
- Monitor for unauthorized use of procdump.exe or renamed binaries.
- Network Security
- Implement strict outbound filtering to prevent C2 communications over cloud-hosted domains.
- Threat Hunting
- Regularly scan for PipeMagic IOCs across endpoints and servers.
- Use YARA/Sigma rules for detecting malicious loaders and backdoor modules.
.png)
.png)