Evolution of the PipeMagic backdoor: from the RansomExx incident to CVE-2025-29824

Microsoft patched 121 vulnerabilities in April 2025; only CVE-2025-29824 was seen exploited in the wild, in campaigns deploying the PipeMagic backdoor, which has been observed since 2022 and resurfaced in 2024–2025 against targets in Saudi Arabia and Brazil. The malware arrives through varied loaders (a trojanized Rufus, fake ChatGPT Rust/Tauri apps, .mshi MSBuild loaders, and DLL hijacking), communicates over named pipes and the loopback interface at 127.0.0.1:8082, and carries modules for injection, asynchronous I/O, and AMSI bypass that support credential theft and lateral movement. #PipeMagic #CVE-2025-29824

Keypoints

  • Only CVE-2025-29824 was observed exploited in the wild among the 121 Microsoft patches released in April 2025.
  • PipeMagic backdoor was first seen in Dec 2022 (RansomExx campaign) and reappeared in Oct 2024 and Jan 2025 targeting organizations in Saudi Arabia and Brazil.
  • Attackers used diverse initial loaders: trojanized Rufus, a fake ChatGPT Rust/Tauri app, .mshi msbuild loaders with obfuscated C# and RC4, and DLL hijacking via legitimate executables (e.g., Google update).
  • PipeMagic communicates via randomly named pipes (under \\.\pipe\1.) and the loopback interface at 127.0.0.1:8082, and downloads plugins from an Azure-hosted domain (aaaaabbbbbbb.eastus.cloudapp.azure[.]com).
  • Modules include an asynchronous I/O module, a loader for 64-bit payloads exporting DllRegisterService, and an injector that disables AMSI and loads .NET payloads via mscoree.dll.
  • Post-exploitation includes dumping LSASS memory with ProcDump renamed to dllhost.exe in order to extract credentials and enable lateral movement, a method Microsoft noted in the context of CVE-2025-29824.
  • IoCs include multiple file hashes, the domain aaaaabbbbbbb.eastus.cloudapp.azure[.]com, filenames such as metafile.mshi, chatgpt.exe and googleupdate.dll, and named pipes such as \\.\pipe\104201.%d and \\.\pipe\1.

MITRE Techniques

  • [T1090] Proxy: Intra-network – PipeMagic uses the loopback interface at 127.0.0.1:8082 to interact with its named pipes, relaying encrypted payloads and notifications (“…the standard network interface with the IP address 127.0.0.1:8082 is used to interact with the named pipe.”)
  • [T1204.002] User Execution: Malicious File – Attackers delivered fake ChatGPT client applications (Rust/Tauri) that executed shellcode when launched (“…a fake ChatGPT client application as bait… when launched, it simply displayed a blank screen” and extracted/decrypted a payload).
  • [T1218] Signed Binary Proxy Execution: Msbuild – Attackers executed a .mshi file via msbuild to run obfuscated C# loader code (“cmd.exe /k … msbuild.exe c:\windows\help\metafile.mshi”).
  • [T1070.004] Indicator Removal on Host: File Deletion – Loaders deploy decrypted code into memory and delete the original payload file after loading (“…the library deploys the decrypted code into memory and transfers control to it, and the original file is subsequently deleted”).
  • [T1055] Process Injection – Multiple loaders and modules inject decoded/decrypted shellcode or executables into memory and relocate imports before transferring execution to the payload (“…memory was allocated, necessary offsets in the import table were relocated, and finally, the backdoor’s entry point was called.”).
  • [T1547.001] Boot or Logon Autostart Execution: DLL Search Order Hijacking – Attackers used DLL hijacking by placing a malicious DLL alongside a legitimate executable (e.g., Google Chrome update) to execute malicious initialization code in DllMain (“…malicious DLL was placed on the disk alongside the legitimate application… the malicious code was contained in the initialization function (DllMain)”).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – The injector module patches the AMSI functions AmsiScanString and AmsiScanBuffer in memory so that they always report the scanned content as clean, bypassing AMSI (“…a stub function is placed in memory that always returns 0 (thus marking the file as safe)”).
  • [T1005] Data from Local System – LSASS Memory Dumping – Attackers used ProcDump (renamed to dllhost.exe) to dump LSASS memory to extract credentials (“…use this utility to dump the LSASS process memory into the file specified as the last argument”).
  • [T1105] Ingress Tool Transfer – C2 download of modules – PipeMagic downloads plugins/modules from an Azure-hosted C2 domain (hxxp://aaaaabbbbbbb.eastus.cloudapp.azure[.]com) to extend functionality (“…attackers used a domain hosted on the Microsoft Azure cloud provider… to download modules”).
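As an added example (not code from the Securelist article), the following Python applies detection heuristics derived from the techniques above to constructed Sysmon-style events: MSBuild handed a .mshi file, a renamed ProcDump touching LSASS, the backdoor's pipe-naming scheme, and the 127.0.0.1:8082 loopback channel. Rule names, field handling and all sample values are assumptions for illustration.

```python
"""Heuristics for the PipeMagic tradecraft summarised above, over constructed Sysmon-style events."""
import re
from typing import Dict, List

# Sysmon Event 17/18 logs pipe names without the \\.\pipe\ prefix, e.g. "\1.9f3a1c".
PIPE_RE = re.compile(r"^\\?(?:1|104201)\.\S+$")
PROCDUMP_NAMES = {"procdump.exe", "procdump64.exe"}

def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the name of every rule the event trips (empty list if clean)."""
    hits = []
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    # 1. MSBuild given a file with the unusual .mshi extension (the loader stage).
    if image.endswith("msbuild.exe") and ".mshi" in cmd:
        hits.append("msbuild_mshi_loader")
    # 2. ProcDump renamed to dllhost.exe: the on-disk name changed, but the PE
    #    version info (OriginalFileName) still says procdump, or the target is lsass.
    orig = ev.get("OriginalFileName", "").lower()
    if image.endswith("dllhost.exe") and (orig in PROCDUMP_NAMES or "lsass" in cmd):
        hits.append("renamed_procdump_lsass")
    # 3. Named pipe matching the backdoor's observed naming scheme.
    if PIPE_RE.match(ev.get("PipeName", "")):
        hits.append("pipemagic_pipe_name")
    # 4. Loopback connection to the 127.0.0.1:8082 interface used to reach the pipe.
    if ev.get("DestinationIp") == "127.0.0.1" and ev.get("DestinationPort") == "8082":
        hits.append("loopback_8082")
    return hits

def scan(events: List[Dict[str, str]]) -> List[tuple]:
    """Pair each event index with every rule it tripped."""
    return [(i, h) for i, ev in enumerate(events) for h in check_event(ev)]

# Constructed sample events: paths mirror the article, all values are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"msbuild.exe c:\windows\help\metafile.mshi"},
    {"Image": r"C:\Windows\Temp\dllhost.exe", "OriginalFileName": "procdump.exe",
     "CommandLine": r"dllhost.exe -ma lsass.exe c:\windows\temp\out.dmp"},
    {"Image": r"C:\Windows\System32\dllhost.exe", "OriginalFileName": "dllhost.exe",
     "CommandLine": "dllhost.exe /Processid:{GUID}"},  # benign COM surrogate
    {"Image": r"C:\Users\u\chatgpt.exe", "PipeName": r"\1.9f3a1c"},
    {"Image": r"C:\Users\u\chatgpt.exe", "DestinationIp": "127.0.0.1", "DestinationPort": "8082"},
    {"Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\lsass"},  # benign pipe
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The benign dllhost.exe and svchost.exe events are included to show that the rules key on OriginalFileName, the LSASS target and the pipe-name pattern rather than on the process name alone.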

Indicators of Compromise

  • [Domain] C2 infrastructure – aaaaabbbbbbb.eastus.cloudapp.azure[.]com
  • [File hash] initial loader (.mshi) – 5df8ee118c7253c3e27b1e427b56212c (metafile.mshi)
  • [File hash] fake ChatGPT loader – 7e6bf818519be0a20dbc9bcb9e5728c6 (chatgpt.exe), 60988c99fb58d346c9a6492b9f3a67f7 (chatgpt.exe)
  • [File hash] DLL hijack library – e3c8480749404a45a61c39d9c3152251 (googleupdate.dll)
  • [File hash] PipeMagic backdoor PE – 1a119c23e8a71bf70c1e8edf948d5181 and additional hash bddaf7fae2a7dac37f5120257c7c11ba (backdoor variants)
  • [Pipe name] Named pipes used for IPC – \\.\pipe\104201.%d, \\.\pipe\1.


Read more: https://securelist.com/pipemagic/117270/