
Fake ChatGPT App Deploys Powerful Ransomware Backdoor

2025-08-19 | Jonathan Greig | 3 minutes read

Tags: Ransomware, Cybersecurity, Malware

The ChatGPT Disguise: A New Lure for Ransomware

Microsoft has issued a warning about a dangerous trend where cybercriminals are using a counterfeit desktop application for ChatGPT to distribute a potent malware strain. This malicious software, known as PipeMagic, serves as a backdoor for deploying ransomware, targeting a wide array of industries.

The threat actor, tracked by Microsoft as Storm-2460, leverages this deceptive application as part of a sophisticated attack chain that includes a zero-day vulnerability. According to a detailed analysis from Microsoft, the group has already targeted organizations in the information technology, financial, and real estate sectors across the United States, Europe, South America, and the Middle East. Researchers noted that while the number of affected organizations is currently limited, "the use of a zero-day exploit, paired with a sophisticated modular backdoor for ransomware deployment, makes this threat particularly notable."

Inside PipeMagic: A Sophisticated Backdoor

PipeMagic is not a simple piece of malware. It is a highly modular and flexible backdoor designed for persistence and stealth within a compromised system. Its architecture makes it difficult for traditional security tools to detect. When an unsuspecting user launches the fake ChatGPT application, they are met with a blank screen, while the malware begins its work in the background.

This activity was first highlighted by cybersecurity firm Kaspersky, which reported in October that the malware was being used to steal sensitive data and provide attackers with remote access to infected devices. Kaspersky's team first observed PipeMagic in 2022 and noted a significant resurgence in its use in September 2024.


How the Attack Unfolds: From Zero-Day to Ransomware

The attack relies on a zero-day vulnerability tracked as CVE-2025-29824, which was initially discovered by researchers at ESET in March. The vulnerability exists in the Windows Common Log File System Driver (CLFS), a component frequently targeted by ransomware gangs.

The attackers use a modified version of an open-source ChatGPT project from GitHub, embedding malicious code that decrypts and launches the PipeMagic payload. Microsoft explains the process: "Once PipeMagic is running, the threat actor performs the CLFS exploit to escalate privileges before launching their ransomware."

A Collaborative Discovery: Insights from Security Experts

While Microsoft did not specify which ransomware variant was deployed, Kaspersky released a new blog post connecting PipeMagic to a RansomExx ransomware campaign. This connection underscores the severity of the threat, linking the backdoor to a known and destructive ransomware family.

Further industry collaboration has shed more light on the exploit's usage. In May, cybersecurity firm Symantec reported that threat actors associated with the Play ransomware group were also observed using the same CVE-2025-29824 vulnerability in their attacks. This indicates that the exploit is being used by multiple high-profile cybercriminal groups, making the fake ChatGPT delivery method a critical threat for organizations to be aware of.
