Kinetic Potential Blog

Cybersecurity researchers have lifted the lid on the threat actors' exploitation of a now-patched security flaw in Microsoft Windows to deploy the PipeMagic malware in RansomExx ransomware attacks.

The attacks involve the exploitation of CVE-2025-29824, a privilege escalation vulnerability impacting the Windows Common Log File System (CLFS) that was addressed by Microsoft in April 2025, Kaspersky and BI.ZONE said in a joint report published today.

PipeMagic was first documented in 2022 as part of RansomExx ransomware attacks targeting industrial companies in Southeast Asia, capable of acting as a full-fledged backdoor providing remote access and executing a wide range of commands on compromised hosts.

Cybersecurity researchers have detailed the inner workings of an Android banking trojan called ERMAC 3.0, uncovering serious shortcomings in the operators' infrastructure.

"The newly uncovered version 3.0 reveals a significant evolution of the malware, expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications," Hunt.io said in a report.

ERMAC was first documented by ThreatFabric in September 2021, detailing its ability to conduct overlay attacks against hundreds of banking and cryptocurrency apps across the world. Attributed to a threat actor named DukeEugene, it's assessed to be an evolution of Cerberus and BlackRock.

Other commonly observed malware families – including Hook (ERMAC 2.0), Pegasus, and Loot – possess a shared lineage: An ancestor in the form of ERMAC from which source code components have been passed down and modified through generations.

Cybersecurity researchers have detailed the inner workings of an Android banking trojan called ERMAC 3.0, uncovering serious shortcomings in the operators' infrastructure.

"The newly uncovered version 3.0 reveals a significant evolution of the malware, expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications," Hunt.io said in a report.

ERMAC was first documented by ThreatFabric in September 2021, detailing its ability to conduct overlay attacks against hundreds of banking and cryptocurrency apps across the world. Attributed to a threat actor named DukeEugene, it's assessed to be an evolution of Cerberus and BlackRock.

Other commonly observed malware families – including Hook (ERMAC 2.0), Pegasus, and Loot – possess a shared lineage: An ancestor in the form of ERMAC from which source code components have been passed down and modified through generations.