Storm-2460 Leverages CLFS Zero-Day Exploit to Deploy Ransomware via PipeMagic Malware

Microsoft has recently discovered a zero-day vulnerability in the Windows CLFS kernel driver being exploited in targeted attacks. The attack, attributed to the Storm-2460 threat actor, involves the use of the PipeMagic malware, which is deployed post-compromise. Microsoft promptly released a security update on April 8, 2025, to mitigate this issue. This discovery underscores the importance of timely patching and robust cybersecurity measures to defend against advanced attacks.

Severity Level: High

Threat Overview:

1. Vulnerability Details

  • CVE ID: CVE-2025-29824
  • CVSS Score: 7.8
  • Description: The vulnerability in the Common Log File System (CLFS) kernel driver allows attackers running under standard user privileges to escalate to higher privileges. This could lead to system-level access, enabling the attackers to control compromised systems.
  • Affected Products: Microsoft Windows Workstation and Server Products

2. Pre-Exploitation Behavior

  • The threat actor used certutil to download malicious files from compromised third-party websites. These files were MSBuild-based and carried encrypted malware payloads, leading to the execution of PipeMagic malware.

3. Malware Deployment and Exploitation

  • The initial access vector is not known.
  • After initial compromise, Storm-2460 used PipeMagic malware to exploit the CLFS bug. This malware was used to gain elevated privileges, allowing further exploitation and the deployment of ransomware.
  • The PipeMagic malware first appeared in October 2024, and it was used in other campaigns, including a previous zero-day exploit in the Win32k vulnerability (CVE-2025-24983).

4. Post-Exploitation

  • Once the attackers gained privileged access via the CLFS exploit, they injected additional malicious payloads, including procdump.exe, into system processes such as winlogon.exe and dllhost.exe.
  • The malware conducted memory dumping and credential theft via LSASS (Local Security Authority Subsystem Service).
  • Ransomware deployment followed, encrypting files on the system and hindering recovery through commands such as wevtutil cl Application and wbadmin delete catalog -quiet, which clear event logs and delete the backup catalog.
  • The files had a random extension added, and a ransom note titled !READ_ME_REXX2!.txt was dropped.
  • The ransomware utilized two .onion domains, linked to the RansomEXX ransomware family, for communication.

Recommendations:

  1. Ensure that all systems, especially those running affected versions of Windows, are updated with the latest security patches released by Microsoft. The patch for CVE-2025-29824, which addresses the CLFS vulnerability, was released on April 8, 2025.
  2. Monitor for the creation of CLFS BLF files that are associated with exploitation.
    Indicator: FolderPath = C:\ProgramData\SkyPDF\ and FileName endswith ".blf"
  3. Monitor for suspicious command-line activity involving dllhost.exe and lsass.exe.
    The following command line execution can be an indicator of ransomware activity: dllhost.exe --do
  4. Monitor for unusual file system modifications, including file encryption or renaming with random extensions. Look for the appearance of ransom notes like !READ_ME_REXX2!.txt.
  5. Monitor for commands that delete logs or backup data, such as:
    bcdedit /set {default} recoveryenabled no
    wbadmin delete catalog -quiet
    wevtutil cl Application
  6. Enable Attack Surface Reduction (ASR) rules in Microsoft 365 Defender or your endpoint protection system to mitigate common ransomware techniques such as DLL injection, memory dumping, and credential theft.
  7. Review and restrict the use of administrative privileges across your network. Ensure users only have the minimum privileges necessary for their roles.
  8. Block the IOCs at their respective controls.
    https://www.virustotal.com/gui/collection/5bba2a97d9bee2eef91c210156fbc52d75ac82b4cc1a0a98d03cd2108d74a26f/iocs
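The detection guidance in recommendations 2, 3 and 5 can be turned into simple rules that run over endpoint telemetry. The following is an added example written for this advisory, not code from Microsoft or from the advisory's author. It evaluates constructed file-creation and process-creation events (the hosts, users and file names are made up; only the indicators come from the advisory) against the BLF-in-SkyPDF, dllhost.exe --do, and log/backup-deletion patterns, then raises a host's priority when more than one distinct indicator fires on it. The two-indicator escalation threshold and the dash normalisation are assumptions of the example.

```python
"""Rule-based detection for the Storm-2460 / CVE-2025-29824 indicators in this advisory.

All sample events below are constructed for illustration; they are not real telemetry.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "file_create" or "process_create"
    host: str
    user: str
    path: str = ""       # full path of the created file (file_create events)
    image: str = ""      # image path of the new process (process_create events)
    cmdline: str = ""    # command line of the new process (process_create events)


def _norm(text: str) -> str:
    """Lower-case and fold en/em dashes to '-' so copy-pasted '–do' still matches (assumption)."""
    return text.lower().replace("\u2013", "-").replace("\u2014", "-")


def rule_blf_in_skypdf(ev: Event):
    """Recommendation 2: a .blf (CLFS base log) file created under C:\\ProgramData\\SkyPDF\\."""
    if ev.kind != "file_create":
        return None
    p = _norm(ev.path)
    if p.startswith("c:\\programdata\\skypdf\\") and p.endswith(".blf"):
        return "clfs_blf_in_skypdf"
    return None


def rule_dllhost_do(ev: Event):
    """Recommendation 3: dllhost.exe launched with a --do argument."""
    if ev.kind != "process_create":
        return None
    image = _norm(ev.image).rsplit("\\", 1)[-1]   # basename of the image path
    cmd = _norm(ev.cmdline)
    if image == "dllhost.exe" and re.search(r"\s--?do(\s|$)", cmd):
        return "dllhost_do_launcher"
    return None


# Recommendation 5: commands that disable recovery, delete backups or clear event logs.
_RECOVERY_TAMPER = [
    ("bcdedit_recovery_off",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b")),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b")),
    ("wevtutil_clear_log",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\s+\S+")),
]


def rule_recovery_tampering(ev: Event):
    if ev.kind != "process_create":
        return None
    cmd = _norm(ev.cmdline)
    for name, rx in _RECOVERY_TAMPER:
        if rx.search(cmd):
            return name
    return None


RULES = (rule_blf_in_skypdf, rule_dllhost_do, rule_recovery_tampering)


def evaluate(events):
    """Return {host: sorted list of distinct rule names that fired on that host}."""
    hits = defaultdict(set)
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits[ev.host].add(name)
    return {host: sorted(names) for host, names in hits.items()}


def triage(hits_by_host):
    """Escalate a host to 'high' when two or more distinct indicators fire (threshold is an assumption)."""
    return {host: ("high" if len(names) >= 2 else "medium") for host, names in hits_by_host.items()}


# Constructed sample telemetry: one host showing the full chain, one host with a single hit,
# plus benign dllhost.exe and wevtutil usage that must not fire.
SAMPLE_EVENTS = [
    Event("process_create", "ws-01", "corp\\alice", image=r"C:\Windows\System32\dllhost.exe",
          cmdline=r"C:\Windows\System32\dllhost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}"),
    Event("file_create", "ws-01", "corp\\alice", path=r"C:\ProgramData\SkyPDF\sample.blf"),
    Event("process_create", "ws-01", "corp\\alice", image=r"C:\Windows\System32\dllhost.exe",
          cmdline=r"dllhost.exe --do C:\Users\Public\payload.bin"),
    Event("process_create", "ws-01", "nt authority\\system", image=r"C:\Windows\System32\wbadmin.exe",
          cmdline="wbadmin delete catalog -quiet"),
    Event("process_create", "ws-01", "nt authority\\system", image=r"C:\Windows\System32\wevtutil.exe",
          cmdline="wevtutil cl Application"),
    Event("process_create", "srv-02", "corp\\bob", image=r"C:\Windows\System32\wevtutil.exe",
          cmdline="wevtutil qe Security /c:5"),
    Event("process_create", "srv-02", "corp\\bob", image=r"C:\Windows\System32\bcdedit.exe",
          cmdline="bcdedit /set {default} recoveryenabled no"),
]

if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for host, level in triage(hits).items():
        print(f"{host}: {level} -> {', '.join(hits[host])}")
```

Matching on the command line rather than only the image name keeps renamed copies of wbadmin or wevtutil from slipping past the rule, and the per-host correlation step is what separates an isolated administrative wevtutil cl from the clear-logs-and-delete-backups sequence described under Post-Exploitation.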

Sources:

  • https://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29824

Ampcus Cyber