The Play ransomware gang exploited a critical Windows Common Log File System vulnerability (CVE-2025-29824) to gain system privileges and deploy malware in various global organizations. The attacks involved installing backdoors, deploying ransomware, and using custom tools for network reconnaissance and data theft. (Affected: Multiple organizations worldwide, including sectors such as IT, real estate, finance, retail, and government agencies)
Key points:
- The Play ransomware gang exploited a high-severity Windows zero-day vulnerability (CVE-2025-29824) to escalate privileges and deploy malware.
- Microsoft linked these attacks to the RansomEXX ransomware group, which used malware such as the PipeMagic backdoor to drop the exploit and ransomware payloads.
- Symantec confirmed the involvement of the Play ransomware operation after a U.S. organization was breached using the same zero-day, with the Grixba infostealer deployed afterwards.
- The Grixba tool, associated with the Balloonfly group, is used for network reconnaissance and for stealing information from within compromised networks.
- The Balloonfly group has been active since June 2022, frequently deploying the Play ransomware in targeted attacks.
- The FBI, CISA, and Australian Cyber Security Centre issued a joint advisory noting the breach of around 300 organizations globally by the Play gang as of October 2023.
- Notable victims include Rackspace, Arnold Clark, City of Oakland, Dallas County, Antwerp, Microchip Technology, and Krispy Kreme.