- Microsoft has seen a modified version of a GitHub project carrying malware
- The malware can be used both as a backdoor and as an infostealer
- The group behind it was also seen deploying
Microsoft has warned about a fake desktop office application circulating online that actually carries a highly modular malware framework used as both an infostealer and a backdoor.
In an in-depth report, Microsoft said it observed the framework, which it has nicknamed PipeMagic, being distributed from GitHub.
“The first step in PipeMagic's infection execution begins with a malicious dropper disguised as an open-source ChatGPT desktop application project,” the report said. “The threat actor uses a modified version of the GitHub project that includes malicious code to decrypt and launch an embedded payload in memory.”
A handful of victims
The malware is the work of a threat actor tracked as Storm-2460, which Microsoft also reported in early April 2025 abusing a zero-day vulnerability in the Windows Common Log File System (CLFS) to deploy the RansomEXX encryptor.
In this case, while the group abused the same flaw, CVE-2025-29824, Microsoft did not say which encryptor was deployed. PipeMagic appears to have evolved: in the earlier report it was described as a simple backdoor.
Now it is described as a highly modular malware framework that allows threat actors to dynamically execute payloads, maintain persistent control and communicate stealthily with command-and-control servers. It can handle encrypted payloads in memory, escalate privileges, collect extended system information and execute arbitrary code via its linked-list architecture.
PipeMagic also supports encrypted inter-process communication over named pipes and can update itself by receiving new modules from its C2 infrastructure.
While Microsoft said the number of victims was “limited”, it did not give concrete figures. Targets were observed in the United States, across Europe, in South America and in the Middle East. The most targeted industries include IT, finance and real estate.
To mitigate the threat, Microsoft recommends a layered defense strategy, which includes enabling tamper protection and network protection in Microsoft Defender for Endpoint and running endpoint detection and response (EDR) in block mode, among other measures.
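As an added example that is not part of the original article or of Microsoft's guidance, the following PowerShell script audits the two locally visible settings mentioned above (tamper protection and network protection) using the built-in Defender cmdlets `Get-MpComputerStatus` and `Get-MpPreference`, and enables network protection if it is off. EDR in block mode is configured in the Microsoft Defender portal rather than on the host, so it is only noted here; the `-Remediate` switch and the report layout are this script's own assumptions. Run it in an elevated PowerShell session on a Windows host with Defender installed.

```powershell
<#
.SYNOPSIS
  Audit (and optionally enable) Defender network protection; report tamper protection state.
.NOTES
  Added example, not from the original article. Tamper protection is normally managed
  centrally (Intune / Defender portal) and is therefore reported, not changed, here.
#>
[CmdletBinding()]
param(
    # Assumed switch: when set, turn on network protection if it is not already enabled.
    [switch]$Remediate
)

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# EnableNetworkProtection: 0 = Disabled, 1 = Enabled, 2 = Audit mode
$npMap = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
$npState = $npMap[[int]$pref.EnableNetworkProtection]

$report = [pscustomobject]@{
    TamperProtected        = $status.IsTamperProtected
    RealTimeProtection     = $status.RealTimeProtectionEnabled
    NetworkProtection      = $npState
    EdrBlockMode           = 'Configured in Defender portal (not readable locally)'
}
$report | Format-List

$findings = @()
if (-not $status.IsTamperProtected) {
    $findings += 'Tamper protection is OFF: enable it via Intune or the Defender portal.'
}
if ($npState -ne 'Enabled') {
    if ($Remediate) {
        # Set-MpPreference accepts Disabled / Enabled / AuditMode for this setting.
        Set-MpPreference -EnableNetworkProtection Enabled
        $findings += 'Network protection was not enabled; set to Enabled.'
    } else {
        $findings += "Network protection is $npState: re-run with -Remediate to enable."
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'Local Defender settings match the recommended baseline.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Running the script without `-Remediate` only reports; with `-Remediate` it changes a single setting (network protection), which is the one of the three recommendations that can be applied from the host itself.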