
The magical comeback: new PipeMagic activity in Saudi Arabia and Brazil
The backdoor was initially observed in Asia in December 2022 and then detected in Saudi Arabia in late 2024. In 2025, Kaspersky’s Global Research and Analysis Team (GReAT) and our specialists identified new activity associated with the malware.
Recent attacks show sustained interest in Saudi organizations, alongside expansion into new regions, notably Brazil. The researchers tracked the backdoor’s evolution, identified key changes in the adversaries’ tactics, and conducted a technical analysis of CVE‑2025‑29824. This vulnerability was the only one among the 121 patched in April 2025 that was actively exploited by attackers.
By exploiting the vulnerability that stems from a flaw in the logging driver, threat actors were able to escalate their Windows privileges to the local administrator level. This allowed them to steal user credentials and encrypt files within a compromised system.
The researchers also identified updated versions of the PipeMagic loader masquerading as a ChatGPT client. This malware resembles the one used in 2024 attacks on Saudi organizations.
clfs.sys has become an increasingly popular target for cybercriminals, particularly financially motivated actors. They are leveraging zero‑day vulnerabilities in this and other drivers to escalate privileges and conceal post‑exploitation activities. To mitigate such threats, we recommend using EDR tools, which enable both early and post‑exploitation detection of suspicious behavior.
Read the full report on Medium.
BI.ZONE EDR is an advanced endpoint threat detection and response solution. It allows for early stage detection and provides the tools for active manual and automatic response.