Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Ransomware

Second Ransomware Group Caught Exploiting Windows Flaw as Zero-Day

At least two ransomware groups exploited the Windows zero-day CVE-2025-29824 before it was patched by Microsoft.

Multiple ransomware groups appear to have exploited a recently patched Windows vulnerability as a zero-day, Symantec reported.

The vulnerability in question is tracked as CVE-2025-29824 and it was patched by Microsoft with its April 2025 Patch Tuesday updates. The flaw impacts the Windows Common Log File System (CLFS) and it can be exploited by an attacker to escalate privileges.

On the day it released the patches, Microsoft revealed that CVE-2025-29824 had been exploited by cybercriminals in attacks aimed at a “small number of targets”, including in the IT and real estate sectors in the US, the financial industry in Venezuela, the retail sector in Saudi Arabia, and a Spanish software firm.

Microsoft attributed the attack to a threat actor it tracks as Storm-2460, which exploited the vulnerability to deploy a piece of malware named PipeMagic, typically used to deploy ransomware. The tech giant found evidence suggesting that the zero-day had been exploited in RansomEXX ransomware attacks.

Symantec revealed on Wednesday that at least one other threat group exploited CVE-2025-29824 before it was patched by Microsoft. The Broadcom threat intelligence unit observed exploitation of the vulnerability against an organization in the United States.

Its analysis showed that the attackers used the flaw to deploy an infostealer named Grixba, which is associated with a threat actor tracked by Symantec as Balloonfly, known for conducting Play ransomware attacks. However, no actual ransomware payload was deployed in the attack. 

Advertisement. Scroll to continue reading.

In the incident seen by Symantec, the hackers may have exploited a Cisco ASA vulnerability for initial access and they then moved laterally on the network before deploying an exploit for CVE-2025-29824.

“The exploit (or similar exploits) may have been in the hands of multiple actors prior to the patching of CVE-2025-29824,” Symantec said. 

“The nature of the exploitation by Storm-2460 appears different from the Balloonfly-linked activity discovered by Symantec. Microsoft said that the exploit had been launched in memory from a dllhost.exe process. The exploitation discovered by Symantec was not fileless,” it added.

Related: Newly Patched Windows Zero-Day Exploited for Two Years

Related: Ransomware Group Claims Attacks on UK Retailers

Related: US Charges Yemeni Man for Black Kingdom Ransomware Attacks

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.