Microsoft has issued a warning regarding a fraudulent ChatGPT desktop application that is spreading online. This application contains the PipeMagic malware, identified as a highly modular framework functioning as both an infostealer and a backdoor.
According to a detailed report by Microsoft, the PipeMagic framework originated on GitHub. The report states, “The first stage of the PipeMagic infection execution begins with a malicious in-memory dropper disguised as the open-source ChatGPT Desktop Application project.” This involves threat actors utilizing a modified version of the GitHub project, which incorporates malicious code designed to decrypt and launch an embedded payload directly into memory.
The malware is attributed to a threat actor known as Storm-2460. Microsoft previously identified Storm-2460 in early April 2025 for exploiting a zero-day vulnerability in the Common Log File System (CVE-2025-29824) to deploy the RansomEXX encryptor. This vulnerability is again being exploited in the PipeMagic campaign. While Microsoft confirmed the continued abuse of CVE-2025-29824, the company did not specify whether the same encryptor was deployed in this instance. The report emphasizes PipeMagic’s evolution from a basic backdoor trojan into a complex malware framework.
The current iteration of PipeMagic is characterized by its modular design, which grants threat actors the ability to dynamically execute payloads, maintain persistent control over compromised systems, and communicate covertly with command-and-control servers. Its capabilities include managing encrypted payload modules within memory, performing privilege escalation, collecting extensive system information, and executing arbitrary code using its linked list architecture.
PipeMagic also facilitates encrypted inter-process communication through named pipes. Furthermore, the malware can self-update by receiving new modules from its command-and-control infrastructure, allowing for continuous refinement and adaptation.
While the number of victims is described as “limited” by Microsoft, specific figures were not disclosed. The observed targets are located in the United States, across Europe, South America, and the Middle East. The industries most frequently targeted include information technology, financial services, and real estate.
To mitigate the threat posed by PipeMagic, Microsoft recommends implementing a layered defense strategy. This includes enabling tamper protection and network protection within Microsoft Defender for Endpoint. Additionally, Microsoft advises running endpoint detection and response in block mode, alongside other security measures.
