- Microsoft saw a modified version of a GitHub project carrying malware
- The malware can act as both a backdoor and an infostealer
- The group behind it has also been seen deploying ransomware
Microsoft has warned of a fake ChatGPT desktop application circulating online which actually carries a highly modular malware framework that serves as both an infostealer and a backdoor.
In an in-depth report, Microsoft said it observed the framework, which it calls PipeMagic, being distributed via GitHub.
“The first stage of the PipeMagic infection chain begins with a malicious in-memory dropper disguised as an open-source ChatGPT desktop application project,” the report reads. “The threat actor uses a modified version of the GitHub project, which includes malicious code to decrypt and launch an embedded payload in memory.”
A handful of victims
The malware is the work of a threat actor tracked as Storm-2460, which Microsoft also flagged in early April 2025 for abusing a zero-day vulnerability in the Common Log File System (CLFS) to deploy the RansomEXX ransomware.
In this case, while the group abused the same flaw, CVE-2025-29824, Microsoft did not say which ransomware was deployed. PipeMagic appears to have evolved: the previous report described it as a simple backdoor trojan.
Now it is described as a highly modular malware framework that allows threat actors to execute payloads dynamically, maintain persistent control and communicate stealthily with command-and-control servers. It can handle encrypted payload modules in memory, perform privilege escalation, collect comprehensive system information and execute arbitrary code through its linked-list architecture.
PipeMagic also supports encrypted inter-process communication via named pipes and can update itself by receiving new modules from its C2 infrastructure.
While Microsoft said the number of victims was “limited”, it did not give specific figures. Targets were observed in the United States, across Europe, in South America and in the Middle East. The most targeted industries include IT, finance and real estate.
To mitigate the threat, Microsoft recommended a layered defense strategy that includes enabling tamper protection and network protection in Microsoft Defender for Endpoint and running endpoint detection and response in block mode, among other measures.