الرئيس التنفيذي
أشرف الحادي

رئيس التحرير
فاطمة مهران

The magical comeback: Kaspersky and BI.ZONE report new PipeMagic activity in the GCC and Latin America

Kaspersky’s Global Research and Analysis Team (GReAT) in collaboration with BI.ZONE Vulnerability Research experts, observed new 2025 activity associated with the PipeMagic backdoor originally discovered in December 2022. The backdoor has expanded its attack geography: initially observed in Asia, and afterwards detected in Saudi Arabia in late 2024. Recent attacks show sustained interest in Saudi organizations, alongside expansion into new regions, notably manufacturing companies in Brazil.
The researchers tracked the malware’s evolution, identified key changes in the operators’ tactics, and conducted a technical analysis of Microsoft vulnerability CVE-2025-29824. This vulnerability was the only one among the 121 patched in April 2025 that was actively exploited in the wild. It was specifically targeted by an exploit integrated into the PipeMagic infection chain. The vulnerability allowed privilege escalation in the operating system due to a flaw in the clfs.sys logging driver.
One of the 2025 campaign attacks leveraged a Microsoft Help Index File, which serves two purposes: decrypting and executing shellcode. The shellcode is encrypted using the RC4 stream cipher with a hexadecimal key. Once decrypted, the code is executed via the WinAPI EnumDisplayMonitors function, allowing dynamic resolution of system API addresses through process injection.
Researchers also identified updated versions of the PipeMagic loader masquerading as a ChatGPT client. This application resembles the one used in the 2024 attacks on Saudi organizations — sharing the same Tokio and Tauri frameworks, the same libaes library version, and demonstrating similar file structures and behavior.
“The reemergence of PipeMagic confirms that this malware remains active and continues to evolve. The 2024 versions introduced enhancements that improve persistence within victims’ infrastructures and facilitate lateral movement within targeted networks,” comments Leonid Bezvershenko, senior security researcher at Kaspersky GReAT.
“In recent years, clfs.sys has become an increasingly popular target for cybercriminals, particularly financially motivated actors. They are leveraging zero-day vulnerabilities in this and other drivers to escalate privileges and conceal post-exploitation activities. To mitigate such threats, we recommend using EDR tools, which enable both early and post-exploitation detection of suspicious behavior,” notes Pavel Blinnikov, Vulnerability Research Lead, BI.ZONE.
PipeMagic is a backdoor first discovered by Kaspersky in 2022 during an investigation into a malicious campaign involving RansomExx. Victims at the time included industrial companies in Southeast Asia. The attackers exploited the CVE-2017-0144 vulnerability to gain access to internal infrastructure. The backdoor supports two operational modes — functioning either as a full-featured remote access tool or as a network proxy, enabling execution of a wide range of commands. In October 2024, a new iteration of PipeMagic was observed in attacks against organizations in Saudi Arabia, using a fake ChatGPT agent application as a lure.
Read the full report on Securelist.com.

Related Posts:

Velents Unveils Agent.sa, A Groundbreaking Arabic AI Employee with $1.5M Investment

PAFIX 2025 to Launch Its 12th Edition Exploring the Future of Digital Payments in November

وزارة الأوقاف تطلق مسابقة الأئمة النجباء (دوري الأئمة) بجميع المديريات

HUAWEI FreeBuds 7i: A new generation of noise-cancelling wireless earphones Soon in Egypt

Al Baraka Bank Egypt fully acquires Amlak Finance Egypt from Amlak Finance PJSC (UAE

APEC 2025 to Commence Tomorrow in South Korea with the Participation of Leaders of Member Economies

talabat ,Commercial International Bank, and Mastercard to Launch a new Credit Card Tailored to the Digital Generation in Egypt

آخر الأخبار
وزير الإسكان يتابع سير العمل بقطاع التخطيط والمشروعات بهيئة المجتمعات العمرانية Velents Unveils Agent.sa, A Groundbreaking Arabic AI Employee with $1.5M Investment الصحة: إنقاذ ناجح لسائحة إسبانية أصيبت داخل هرم سنفرو المنحني بدهشور فيلينتس» تطلق «agent.sa» كأول موظف ذكاء اصطناعي عربي متكامل وزير الاستثمار يبحث مع السفير البريطاني بالقاهرة سبل دعم الشراكة الاقتصادية بين البلدين حقيقة وفاة الأميرة هيفاء آل سعود وتفاصيل البيان الرسمي عروض موبايلي السعودية 2025 وباقات الإنترنت والمكالمات الجديدة رسميًا أسعار العملات الرقمية اليوم في السعودية وتحديث فوري لأبرز 20 عملة الصحة: إنقاذ ناجح لسائحة إسبانية أصيبت داخل هرم سنفرو المنحني بدهشور وزيرة التنمية المحلية تبحث نتائج برنامج التنمية المحلية بصعيد مصر مع لجنة التقييم المستقل للبنك الدو... وزير الزراعة يعلن رسميًا فتح السوق الفنزويلي أمام صادرات مصر من الرمان الطازج وزارة العمل تنشر نتائج حملات تفتيش على 721 منشأة خلال أسبوع واحد فقط الأرصاد الجوية تكشف تفاصيل طقس مصر اليوم الإثنين كاظم الساهر يحيي حفلا غنائيا في الأردن آمال ماهر وبهاء سلطان يحييان حفلا غنائيا في قصر القبة 28 نوفمبر رئيس اتحاد مقاولي الدول الإسلامية يبحث تفعيل أولوية المقاولين مع البنك الإسلامي للتنمية PAFIX 2025 to Launch Its 12th Edition Exploring the Future of Digital Payments in November "انطلاق الدورة الـ12 لمعرض ومؤتمر PAFIX في نوفمبر" محمد رمضان يشعل حفل القرية العالمية في دبي منتخب مصر للناشئين يواجه منتخب مصر ودياً اليوم استعداداً لكأس العالم