
Kaspersky and BI.ZONE Uncover New PipeMagic Cyber Campaign Targeting GCC and Latin America

Wednesday 20 August 2025 09:36

Kaspersky’s Global Research and Analysis Team (GReAT), in collaboration with BI.ZONE Vulnerability Research experts, has reported renewed activity linked to the PipeMagic backdoor, first discovered in December 2022. The malware, which initially surfaced in Asia and later struck Saudi Arabia in late 2024, has now expanded its footprint to manufacturing firms in Brazil, while maintaining a strong focus on Saudi organizations.

Researchers highlighted that the latest attacks incorporate an exploit for Microsoft vulnerability CVE-2025-29824, the only one of the 121 flaws patched in April 2025 that was known to be actively exploited in the wild at the time of release. The flaw, a use-after-free in the Windows Common Log File System driver (clfs.sys), lets an attacker who already has code execution on the host escalate to SYSTEM privileges, and that driver has become an increasingly popular target for cybercriminals.

One 2025 campaign used a Microsoft Help Index File as the loader: it decrypted shellcode that had been encrypted with the RC4 stream cipher and then ran it by passing the decrypted buffer's address as the callback argument to the WinAPI EnumDisplayMonitors function, so the shellcode executed without any direct call to it. Once running, the shellcode resolved system API addresses dynamically and performed process injection.
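The decryption step described above, as an added example written for this article (not code from Kaspersky, BI.ZONE or the PipeMagic samples): a plain RC4 implementation an analyst can use to recover a blob carved out of a loader once the key is known. The container layout (`MAGIC`, length-prefixed key and payload), the key `demo-key` and the placeholder shellcode bytes are all constructed for illustration and are not indicators from the campaign; the only real-world data is the public RC4 test vector used to check the routine before trusting it on a sample.

```python
"""RC4 recovery of an embedded, encrypted shellcode blob.

Added example for this article; not the loader's own code. The container
format and sample data below are constructed (hypothetical), the RC4 routine
is the standard algorithm.
"""
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). Symmetric: one call both encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm: permute the 256-byte state with the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm: XOR each data byte with a keystream byte.
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


# Public RC4 test vector (key "Key", plaintext "Plaintext"): verify the
# implementation on known data before using it on a carved blob.
TEST_KEY = b"Key"
TEST_CIPHERTEXT = bytes.fromhex("bbf316e8d940af0ad3")

# Hypothetical container layout used for this example only:
#   MAGIC | u32 key_len | key | u32 data_len | rc4(key, shellcode)
MAGIC = b"RC4\x00"


def build_container(key: bytes, shellcode: bytes) -> bytes:
    """Pack a key and RC4-encrypted payload in the constructed layout above."""
    enc = rc4(key, shellcode)
    return (MAGIC
            + struct.pack("<I", len(key)) + key
            + struct.pack("<I", len(enc)) + enc)


def parse_and_decrypt(container: bytes) -> bytes:
    """Walk the constructed container, check every length, return the plaintext."""
    if not container.startswith(MAGIC):
        raise ValueError("bad magic")
    off = len(MAGIC)
    (key_len,) = struct.unpack_from("<I", container, off)
    off += 4
    key = container[off:off + key_len]
    if len(key) != key_len:
        raise ValueError("truncated key")
    off += key_len
    (data_len,) = struct.unpack_from("<I", container, off)
    off += 4
    enc = container[off:off + data_len]
    if len(enc) != data_len:
        raise ValueError("truncated payload")
    return rc4(key, enc)


# Constructed sample: placeholder bytes standing in for position-independent
# shellcode (a 'push rbp; mov rbp, rsp' prologue followed by a marker string).
SAMPLE_KEY = b"demo-key"
SAMPLE_SHELLCODE = b"\x55\x48\x89\xe5" + b"constructed-shellcode-placeholder"
SAMPLE_CONTAINER = build_container(SAMPLE_KEY, SAMPLE_SHELLCODE)

if __name__ == "__main__":
    assert rc4(TEST_KEY, TEST_CIPHERTEXT) == b"Plaintext"
    recovered = parse_and_decrypt(SAMPLE_CONTAINER)
    print("recovered", len(recovered), "bytes, prologue", recovered[:4].hex())
```

The decrypted buffer returned by `parse_and_decrypt` is the kind of data the loader hands to EnumDisplayMonitors as its MONITORENUMPROC callback; that execution step is Windows-specific and deliberately not reproduced here, since the analyst's goal is to recover and inspect the shellcode, not to run it.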

In addition, Kaspersky and BI.ZONE identified updated PipeMagic loaders disguised as a ChatGPT client, mimicking tactics used in the 2024 Saudi-focused campaign. The loaders share technical traits with those earlier samples: the same Rust components (the Tokio async runtime and the Tauri desktop-application framework), the same libaes library version, and comparable file structures.

> “The reemergence of PipeMagic confirms that this malware remains active and continues to evolve. The 2024 versions introduced enhancements that improve persistence within victims’ infrastructures and facilitate lateral movement within targeted networks,” said Leonid Bezvershenko, Senior Security Researcher at Kaspersky GReAT.

> “In recent years, clfs.sys has become an increasingly popular target for cybercriminals, particularly financially motivated actors. They are leveraging zero-day vulnerabilities in this and other drivers to escalate privileges and conceal post-exploitation activities. To mitigate such threats, we recommend using EDR tools for early and post-exploitation detection of suspicious behavior,” added Pavel Blinnikov, Vulnerability Research Lead at BI.ZONE.

First detected during investigations into a RansomExx-linked campaign in 2022, PipeMagic has proven to be highly adaptable. It operates both as a remote access tool (RAT) and as a network proxy, enabling command execution and persistence. Its continued evolution underscores the growing risks to industrial and financial infrastructures worldwide.