Among the plethora of advanced attacker tools that exemplify how threat actors continuously evolve their tactics, techniques, and procedures (TTPs) to evade detection and maximize impact, PipeMagic, a highly modular backdoor used by Storm-2460 masquerading as a legitimate open-source ChatGPT Desktop Application, stands out as particularly advanced.
Beneath its disguise, PipeMagic is a sophisticated malware framework designed for flexibility and persistence. Once deployed, it can dynamically execute payloads while maintaining robust command-and-control (C2) communication via a dedicated networking module. As the malware receives and loads payload modules from C2, it grants the threat actor granular control over code execution on the compromised host. By offloading network communication and backdoor tasks to discrete modules, PipeMagic maintains a modular, stealthy, and highly extensible architecture, making detection and analysis significantly challenging.
Microsoft Threat Intelligence encountered PipeMagic as part of research on an attack chain involving the exploitation of CVE-2025-29824, an elevation of privilege vulnerability in Windows Common Log File System (CLFS). We attributed PipeMagic to the financially motivated threat actor Storm-2460, who leveraged the backdoor in targeted attacks to exploit this zero-day vulnerability and deploy ransomware. The observed targets of Storm-2460 span multiple sectors and geographies, including the information technology (IT), financial, and real estate sectors in the United States, Europe, South America, and Middle East. While the impacted organizations remain limited, the use of a zero-day exploit, paired with a sophisticated modular backdoor for ransomware deployment, makes this threat particularly notable.
This blog provides a comprehensive technical deep dive that adds to public reporting, including by ESET Research and Kaspersky. Our analysis reveals the wide-ranging scope of PipeMagic’s internal architecture, modular payload delivery and execution mechanisms, and encrypted inter-process communication via named pipes.
The blog aims to equip defenders and incident responders with the knowledge needed to detect, analyze, and respond to this threat with confidence. As malware continues to evolve and become more sophisticated, we believe that understanding threats such as PipeMagic is essential for building resilient defenses for any organization. By exposing the inner workings of this malware, we also aim to disrupt adversary tooling and increase the operational cost for the threat actor, making it more difficult and expensive for them to sustain their campaigns.
The Russian hacking group known as Gamaredon, or “Shuckworm,” has been making headlines with its sophisticated cyberattacks targeting Western military missions. This group has evolved its tactics, techniques, and procedures (TTPs) to enhance stealth and effectiveness, transitioning from Visual Basic Script (VBS) to PowerShell-based tools. PowerShell is a task automation framework from Microsoft, often used by attackers to execute commands and scripts on Windows systems. This shift, as reported by Symantec, highlights their strategic move to obfuscate, or hide, payloads and leverage legitimate services for evasion. Gamaredon’s recent campaigns have notably involved the use of malicious removable drives, targeting Western military missions in Ukraine with .LNK files that initiate infections upon execution. These developments underscore the group’s persistent threat to geopolitical entities, particularly those related to the Ukrainian military.
Attacks using this ransomware have displayed consistent TTPs and grown steadily since 2023.
Sophos X-Ops unveils five-year investigation tracking China-based groups targeting perimeter devices
As the Akira ransomware group continues to evolve its operations, Talos has the latest research on the group's attack chain, targeted verticals, and potential future TTPs.
On June 20, 2024, Rapid7 identified multiple intrusion attempts by threat actors utilizing Techniques, Tactics, and Procedures (TTPs) that are consistent with an ongoing social engineering campaign being tracked by Rapid7.
UNC3944 is a financially motivated threat group that carries significant overlap with public reporting of "0ktapus," "Octo Tempest," "Scatter Swine," and "Scattered Spider" and has been observed adapting its tactics to include data theft from software-as-a-service (SaaS) applications to attacker-owned cloud storage objects (using cloud synchronization tools), persistence mechanisms against virtualization platforms, and lateral movement via SaaS permissions abuse. Active since at least May 2022, UNC3944 has leveraged underground communities like Telegram to acquire tools, services, and support to enhance their operations.
Sophos Managed Detection and Response initiated a threat hunt across all customers after the detection of abuse of a vulnerable legitimate VMware executable (vmnat.exe) to perform dynamic link library (DLL) side-loading on one customer’s network. In a search for similar incidents in telemetry, MDR ultimately uncovered a complex, persistent cyberespionage campaign targeting a high-profile government organization in Southeast Asia. As described in the first part of this report, we identified at least three distinct clusters of intrusion activity present in the organization’s network from at least March 2023 through December 2023.
The three security threat activity clusters—which we designated as Alpha (STAC1248), Bravo (STAC1870), and Charlie (STAC1305) – are assessed with high confidence to operate on behalf of Chinese state interests. In this continuation of our report, we will provide deeper technical analysis of the three activity clusters, including the tactics, techniques, and procedures (TTPs) used in the campaign, aligned to activity clusters where possible. We also provide additional technical details on prior compromises within the same organization that appear to be connected to the campaign.
Foreign nation-state cyber adversaries are tenacious. Their attacks are evolving to get around the industry’s most sophisticated defenses. Last year was exploitation of routers, and this year’s theme has been compromise of edge protection devices.
MITRE, a company that strives to maintain the highest cybersecurity possible, is not immune.
Despite our commitment to safeguarding our digital assets, we’ve experienced a breach that underscores the nature of modern threats. In this blog post, we provide an initial account of the incident, outlining the tactics, techniques, and procedures (TTPs) employed by the adversaries, as well as some of our ongoing incident response efforts and recommendations for future steps to fortify your defenses.
Within Rapid7 Labs we continually track and monitor threat groups. As part of this process, we routinely identify evolving tactics from threat groups in what is an unceasing game of cat and mouse.
The Trend Micro threat hunting team came across an RA World attack involving multistage components designed to ensure maximum impact.
This blog post provides a detailed look at the TTPs of a ransomware affiliate operator. In this case, the endpoint had been moved to another infrastructure (as illustrated by various command lines, and confirmed by the partner), so while Huntress SOC analysts reported the activity to the partner, no Huntress customer was impacted by the ransomware deployment.
Discover the techniques, tactics (TTPs) used by Scattered Spider intrusion set, including social engineering and targeted phishing campaigns.
Microsoft detected a unique operation where threat actors carried out destructive actions in both on-premises and cloud environments.
Warning on KIMSUKY Cyber Actor's Recent Cyber Campaigns against Google's Browser and App Store Services
We have been seeing notable changes to TTPs used in GOOTLOADER operations since 2022.
Black Basta operational TTPs are described here in full detail, revealing previously unknown tools and techniques and a link to FIN7.
Mandiant has recently observed DRAGONBRIDGE, an influence campaign we assess with high confidence to be operating in support of the political interests of the People’s Republic of China (PRC), aggressively targeting the United States by seeking to sow division both between the U.S. and its allies and within the U.S. political system itself. Recent narratives include:
KillNet will continue to grow as the war in Ukraine continues, but the group is limited in its capabilities.
We want to familiarize the reader with the different stages of ransomware deployment and provide a visual guide to defending against targeted ransomware attacks.
