Dissecting PipeMagic: Inside the architecture of a modular backdoor framework
Essential information
- Published: 18/08/2025 22:52
- Modified: 19/08/2025 16:46
- Tags: 2025-08-18, CVE-2025-29824, backdoor, chatgpt, clfs, modular, pipemagic, ransomware, windows, zero-day
- Related entities: 1 vulnerability (CVE), 4 observables, 1 intrusion set (APT), 18 techniques (MITRE), 1 malware, 4 others
Description
PipeMagic is a sophisticated modular backdoor used by the Storm-2460 threat actor, disguised as a legitimate ChatGPT Desktop Application. It employs a highly flexible architecture with multiple linked list structures for payload management, execution, and networking. The malware communicates with its command and control server via a dedicated networking module and can dynamically load and execute various payload modules. PipeMagic's design allows for stealthy operation and granular control over compromised hosts, making detection and analysis challenging. The threat actor has targeted multiple sectors across different geographies, using PipeMagic in conjunction with a zero-day exploit to deploy ransomware.