{
	"id": "2c714d3d-1f9d-4eed-b9c8-0fcd2b1d6cb0",
	"created_at": "2026-04-06T00:11:46.508667Z",
	"updated_at": "2026-04-10T13:12:52.576143Z",
	"deleted_at": null,
	"sha1_hash": "9c6cd615d710991e6b5418d11e6b3c1fd8d11df6",
	"title": "Exploitation of CLFS zero-day leads to ransomware activity | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 99395,
	"plain_text": "Exploitation of CLFS zero-day leads to ransomware activity | Microsoft\r\nSecurity Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2025-04-08 · Archived: 2026-04-02 12:44:22 UTC\r\nMicrosoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a zero-day elevation of privilege vulnerability in the Windows Common Log File System\r\n(CLFS) against a small number of targets. The targets include organizations in the information technology (IT) and real\r\nestate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in\r\nSaudi Arabia. Microsoft released security updates to address the vulnerability, tracked as CVE-2025-29824, on April 8,\r\n2025.\r\nIn addition to discovering the vulnerability, Microsoft also found that the exploit has been deployed by PipeMagic malware.\r\nMicrosoft is attributing the exploitation activity to Storm-2460, which also used PipeMagic to deploy ransomware.\r\nRansomware threat actors value post-compromise elevation of privilege exploits because these could enable them to escalate\r\ninitial access, including handoffs from commodity malware distributors, into privileged access. They then use privileged\r\naccess for widespread deployment and detonation of ransomware within an environment. Microsoft highly recommends that\r\norganizations prioritize applying security updates for elevation of privilege vulnerabilities to add a layer of defense against\r\nransomware attacks if threat actors are able to gain an initial foothold.\r\nThis blog details Microsoft’s analysis of the observed CLFS exploit and related activity targeting our customers. This\r\ninformation is shared with our customers and industry partners to improve detection of these attacks and encourage rapid\r\npatching or other mitigations, as appropriate. 
A more comprehensive recommendations section, with indicators of\r\ncompromise and detection details can be found at the end of the blog post.\r\nCVE 2025-29824: A zero-day vulnerability in the Common Log File System (CLFS)\r\nThe exploit activity discovered by Microsoft targets a zero-day vulnerability in the Common Log File System (CLFS) kernel\r\ndriver. Successful exploitation allows an attacker running as a standard user account to escalate privileges. The vulnerability\r\nis tracked as CVE-2025-29824 and was fixed on April 8, 2025.\r\nPre-exploitation activity\r\nWhile Microsoft hasn’t determined the initial access vectors that led to the devices being compromised, there are some\r\nnotable pre-exploitation behaviors by Storm-2460. In multiple cases, the threat actor used the certutil utility to download a\r\nfile from a legitimate third-party website that was previously compromised to host the threat actor’s malware.\r\nThe downloaded file was a malicious MSBuild file, a technique described here, that carried an encrypted malware payload.\r\nOnce the payload was decrypted and executed via the EnumCalendarInfoA API callback, the malware was found to be\r\nPipeMagic, which Kaspersky documented in October 2024. Researchers at ESET have also observed the use of PipeMagic\r\nin 2023 in connection with the deployment of a zero-day exploit for a Win32k vulnerability assigned CVE-2025-24983. A\r\ndomain used by the PipeMagic sample was aaaaabbbbbbb.eastus.cloudapp.azure[.]com, which has now been disabled by\r\nMicrosoft.\r\nCLFS exploit activity\r\nFollowing PipeMagic deployment, the attackers launched the CLFS exploit in memory from a dllhost.exe process.\r\nThe exploit targets a vulnerability in the CLFS kernel driver. It’s notable that the exploit first uses the\r\nNtQuerySystemInformation API to leak kernel addresses to user mode. 
However, beginning in Windows 11, version 24H2,\r\naccess to certain System Information Classes within NtQuerySystemInformation became available only to users with\r\nSeDebugPrivilege, which typically only admin-like users can obtain. This meant that the exploit did not work on Windows\r\n11, version 24H2, even if the vulnerability was present.\r\nThe exploit then utilizes a memory corruption and the RtlSetAllBits API to overwrite the exploit process’s token with the\r\nvalue 0xFFFFFFFF, enabling all privileges for the process, which allows for process injection into SYSTEM processes.\r\nAs part of the exploitation, a CLFS BLF file with the following path is created by the exploit’s dllhost.exe process:\r\nC:\\ProgramData\\SkyPDF\\PDUDrv.blf.\r\nPost-exploitation activity leads to ransomware activity\r\nUpon successful exploitation, a payload is injected into winlogon.exe. This payload then injected the Sysinternals\r\nprocdump.exe tool into another dllhost.exe and ran it with the following command line:\r\nhttps://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/\r\nPage 1 of 4\n\nC:\\Windows\\system32\\dllhost.exe -accepteula -r -ma lsass.exe c:\\programdata\\[random letters].\r\nHaving done this, the actor was able to dump the memory of LSASS and parse it to obtain user credentials.\r\nThen, Microsoft observed ransomware activity on target systems. Files were encrypted and a random extension added, and a\r\nransom note with the name !_READ_ME_REXX2_!.txt was dropped. 
Microsoft is tracking activity associated with this\r\nransomware as Storm-2460.\r\nAlthough we weren’t able to obtain a sample of ransomware for analysis, we’re including some notable events surrounding\r\nthe activity to better help defenders:\r\nTwo .onion domains have been seen in the !_READ_ME_REXX2_!.txt ransom notes\r\njbdg4buq6jd7ed3rd6cynqtq5abttuekjnxqrqyvk4xam5i7ld33jvqd.onion which has been tied to the RansomEXX\r\nransomware family\r\nuyhi3ypdkfeymyf5v35pbk3pz7st3zamsbjzf47jiqbcm3zmikpwf3qd.onion\r\nThe ransomware is launched from dllhost.exe with the command line:\r\n--do [path_to_ransom] (for example, C:\\Windows\\system32\\dllhost.exe --do C:\\foobar)\r\nThe file extension on the encrypted files is random per device, but the same for every file\r\nSome typical ransomware commands that make recovery or analysis harder are executed, including:\r\nbcdedit /set {default} recoveryenabled no\r\nwbadmin delete catalog -quiet\r\nwevtutil cl Application\r\nIn one observed case the actor spawned notepad.exe as SYSTEM\r\nMitigation and protection guidance\r\nMicrosoft released security updates to address CVE 2025-29824 on April 8, 2025. Customers running Windows 11, version\r\n24H2 are not affected by the observed exploitation, even if the vulnerability was present. Microsoft urges customers to apply\r\nthese updates as soon as possible.\r\nMicrosoft recommends the following mitigations to reduce the impact of activity associated with Storm-2460:\r\nRefer to our blog Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself\r\nfor robust measures to defend against ransomware.\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to\r\ncover rapidly evolving attacker tools and techniques. 
Cloud-based machine learning protections block a majority of\r\nnew and unknown variants.\r\nUse device discovery to increase your visibility into your network by finding unmanaged devices on your network\r\nand onboarding them to Microsoft Defender for Endpoint. Ransomware attackers often identify unmanaged or legacy\r\nsystems and use these blind spots to stage attacks.\r\nRun EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR\r\nin block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.\r\nEnable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take\r\nimmediate action on alerts to resolve breaches, significantly reducing alert volume. Use Microsoft Defender\r\nVulnerability Management to assess your current status and deploy any updates that might have been missed.\r\nMicrosoft 365 Defender customers can turn on attack surface reduction rules to prevent common attack techniques\r\nused in ransomware attacks:\r\nUse advanced protection against ransomware\r\nMicrosoft Defender XDR detections\r\nMicrosoft Defender XDR customers can refer to the list of applicable detections below. 
Microsoft Defender XDR\r\ncoordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated\r\nprotection against attacks like the threat discussed in this blog.\r\nCustomers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and\r\nrespond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects threats associated with this activity as the following malware:\r\nSilverBasket (Win64/Windows)\r\nMSBuildInlineTaskLoader.C (Script/Windows)\r\nSuspClfsAccess (Win32/Windows)\r\nMicrosoft Defender for Endpoint\r\nThe following alerts might indicate threat activity related to this threat. Note, however, that these alerts can also be triggered\r\nby unrelated threat activity.\r\nA process was injected with potentially malicious code\r\nPotential Windows DLL process injection\r\nSuspicious access to LSASS service\r\nSensitive credential memory read\r\nSuspicious process injection observed\r\nFile backups were deleted\r\nRansomware behavior detected in the file system\r\nMicrosoft Security Copilot\r\nSecurity Copilot customers can use the standalone experience to create their own prompts or run the following pre-built\r\npromptbooks to automate incident response or investigation tasks related to this threat:\r\nIncident investigation\r\nMicrosoft User analysis\r\nThreat actor profile\r\nThreat Intelligence 360 report based on MDTI article\r\nVulnerability impact assessment\r\nNote that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft\r\nSentinel.\r\nHunting queries\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of 
analytics all prefixed with ‘TI map’) to\r\nautomatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map\r\nanalytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel\r\nContent Hub to have the analytics rule deployed in their Sentinel workspace.\r\nSearch for devices having CVE-2025-29814 exposure\r\nDeviceTvmSoftwareVulnerabilities\r\n| where CveId in (\"CVE-2025-29814\")\r\n| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,\r\nCveId,VulnerabilitySeverityLevel\r\n| join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project CveId,\r\nCvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware\r\n) on CveId\r\n| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,\r\nCveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftware\r\nDetect CLFS BLF file creation after exploitation of CVE 2025-29824\r\nDeviceFileEvents\r\n| where FolderPath has \"C:\\\\ProgramData\\\\SkyPDF\\\\\" and FileName endswith \".blf\"\r\nLSASS process dumping activity\r\nSecurityEvent\r\n| where EventID == 4688\r\n| where CommandLine has(\"dllhost.exe -accepteula -r -ma lsass.exe\")\r\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\r\nRansomware process activity\r\nlet cmdlines = dynamic([\"C:\\\\Windows\\\\system32\\\\dllhost.exe --do\",\"bcdedit /set {default} recoveryenabled no\",\"wbadmin delete catalog -quiet\",\"wevtutil cl Application\"]);\r\nDeviceProcessEvents\r\n| where ProcessCommandLine has_any (cmdlines)\r\n| project TimeGenerated, DeviceName, ProcessCommandLine, AccountDomain, 
AccountName\r\nPipeMagic and RansomEXX ransomware domains\r\nlet domains =\r\ndynamic([\"aaaaabbbbbbb.eastus.cloudapp.azure.com\",\"jbdg4buq6jd7ed3rd6cynqtq5abttuekjnxqrqyvk4xam5i7ld33jvqd.onion\",\"uyhi3ypdkfeymyf5v35pb\r\nDeviceNetworkEvents\r\n| where RemoteUrl has_any (domains)\r\n| project TimeGenerated, DeviceId, DeviceName, Protocol, LocalIP, LocalIPType, LocalPort,RemoteIP,\r\nRemoteIPType, RemotePort, RemoteUrl\r\nIndicators of compromise\r\nIndicator Type Description\r\nC:\\ProgramData\\SkyPDF\\PDUDrv.blf Path Dropped during CLFS exploit\r\nC:\\Windows\\system32\\dllhost.exe --do Command line Injected dllhost\r\nbcdedit /set {default} recoveryenabled no Command line Ransomware command\r\nwbadmin delete catalog -quiet Command line Ransomware command\r\nwevtutil cl Application Command line Ransomware command\r\naaaaabbbbbbb.eastus.cloudapp.azure[.]com Domain Used by PipeMagic\r\nReferences\r\nhttps://blog.talosintelligence.com/building-bypass-with-msbuild/\r\nhttps://www.kaspersky.com/about/press-releases/kaspersky-uncovers-pipemagic-backdoor-attacks-businesses-through-fake-chatgpt-application\r\nhttps://x.com/ESETresearch/status/1899508656258875756\r\nLearn more\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn at\r\nhttps://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter)\r\nat https://x.com/MsftSecIntel.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape,\r\nlisten to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.\r\nSource: 
https://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/"
	],
	"report_names": [
		"exploitation-of-clfs-zero-day-leads-to-ransomware-activity"
	],
	"threat_actors": [
		{
			"id": "05d2bdcf-828b-4651-8b64-44bc3bbc0e7f",
			"created_at": "2025-05-29T02:00:03.193839Z",
			"updated_at": "2026-04-10T02:00:03.850386Z",
			"deleted_at": null,
			"main_name": "Storm-2460",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-2460",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "07775b09-acd9-498e-895f-f10063115629",
			"created_at": "2024-06-04T02:03:07.817613Z",
			"updated_at": "2026-04-10T02:00:03.650268Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"Sprite Spider ",
				"Storm-2460 "
			],
			"source_name": "Secureworks:GOLD DUPONT",
			"tools": [
				"777",
				"ArtifactExx",
				"Cobalt Strike",
				"Defray",
				"Metasploit",
				"PipeMagic",
				"PyXie",
				"Shifu",
				"SystemBC",
				"Vatet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434306,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c6cd615d710991e6b5418d11e6b3c1fd8d11df6.pdf",
		"text": "https://archive.orkl.eu/9c6cd615d710991e6b5418d11e6b3c1fd8d11df6.txt",
		"img": "https://archive.orkl.eu/9c6cd615d710991e6b5418d11e6b3c1fd8d11df6.jpg"
	}
}