Microsoft has raised an alarm over a new malware campaign where attackers disguised malicious code inside a fake version of the open-source ChatGPT Desktop app. The trojanized application delivered PipeMagic, a modular backdoor linked to ransomware operations, while exploiting a zero-day flaw in Windows Common Log File System (CLFS) tracked as CVE-2025-29824.
Although the genuine ChatGPT Desktop project on GitHub is safe, Microsoft clarified that threat actors cloned the repository, inserted hidden code, and spread altered versions through unofficial channels. Users who downloaded from these compromised sites unknowingly executed the backdoor.
How PipeMagic Works: Modular Design and Stealthy Communication
Unlike traditional malware, PipeMagic operates through a modular architecture. Instead of carrying all features in a single binary, it dynamically loads modules that handle different functions—ranging from command-and-control (C2) communication to payload execution.
The malware leverages encrypted named pipes and in-memory operations to evade detection. Internally, it organizes tasks through linked lists, where some queues manage pending modules, others handle network exchanges, and one is reserved for dynamic payloads. This design allows attackers to swap or update components without redeploying the backdoor entirely.
For communication, PipeMagic avoids direct C2 connections. Instead, it loads a networking module that establishes WebSocket-style encrypted channels. Through this, it transmits system information—including bot ID, domain details, process integrity, and user context—before executing attacker instructions such as launching ransomware, gathering hashes, enumerating processes, or even renaming itself for self-deletion.
Storm-2460 Behind the Campaign
Microsoft attributed the campaign to Storm-2460, a financially motivated threat group. Recent attacks combined the PipeMagic backdoor with CVE-2025-29824 to escalate privileges and deploy ransomware.
The group has targeted multiple industries, including financial services and real estate, with victims reported in the United States, Europe, South America, and the Middle East. By leveraging zero-day exploits alongside a stealthy modular backdoor, Storm-2460 has demonstrated advanced tradecraft that complicates incident response.
Microsoft has released detection updates across Microsoft Defender and urged organizations to audit systems, patch vulnerabilities, and review third-party software sources. Security experts warn that this campaign underscores how attackers exploit trust in open-source projects to insert malware into enterprise environments.