Cybersecurity researchers have identified a sophisticated malware campaign that leverages Microsoft Help Index Files (.mshi) to deliver the PipeMagic backdoor. This development signifies a notable advancement in the tactics employed by threat actors since PipeMagic’s initial detection in 2022.
Throughout 2025, this campaign has targeted organizations in Saudi Arabia and Brazil, showcasing the attackers’ ongoing refinement of their infection methods and persistence strategies.
Background on PipeMagic
PipeMagic first emerged in December 2022 during a RansomExx ransomware campaign aimed at industrial companies in Southeast Asia. The malware gained prominence when it was later found exploiting CVE-2025-29824, a vulnerability that Microsoft identified as being actively exploited in the wild during their April 2025 patch cycle.
The operators of PipeMagic have demonstrated remarkable adaptability, transitioning from exploiting the CVE-2017-0144 vulnerability in their early campaigns to employing more sophisticated social engineering techniques in recent attacks.
Expansion and Evolution
The latest iteration of PipeMagic has expanded its geographical reach, with researchers identifying infections in multiple regions. The malware maintains its core functionality as a versatile backdoor capable of operating in two distinct modes: as a comprehensive remote access tool and as a network gateway for lateral movement within compromised infrastructure.
What distinguishes the 2025 campaign is the attackers’ innovative use of Microsoft Help Index Files as an initial infection vector. These files, typically containing metadata for Microsoft help documentation, have been weaponized to carry obfuscated C# code alongside encrypted payloads. The malicious .mshi files leverage the legitimate MSBuild framework for execution, effectively bypassing traditional security controls that might flag more conventional executable formats.
Advanced Infection Mechanism Through MSBuild Exploitation
The infection chain begins when victims execute the malicious metafile.mshi, which contains heavily obfuscated C# code paired with an extensive hexadecimal string.
The execution occurs through a carefully crafted command line sequence:
“`shell
c:\windows\system32\cmd.exe /k c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe c:\w
“`
The embedded C# code performs dual functions within the infection process. First, it decrypts the accompanying shellcode using the RC4 stream cipher with a hardcoded 64-character hexadecimal key (4829468622e6b82ff056e3c945dd99c94a1f0264d980774828aadda326b775e5).
Following successful decryption, the code executes the shellcode through the Windows API function EnumDeviceMonitor, utilizing a technique that inserts the shellcode pointer into the function’s third parameter while setting the first two parameters to zero.
The decrypted shellcode contains executable code specifically designed for 32-bit Windows systems. It employs sophisticated evasion techniques, including export table parsing and FNV-1a hashing algorithms to dynamically resolve system API addresses, making static analysis considerably more challenging.
The shellcode ultimately loads an unencrypted executable embedded within its own structure, establishing the PipeMagic backdoor’s presence on the compromised system and enabling communication through its characteristic named pipe infrastructure at 127.0.0.1:8082.
Implications and Recommendations
The exploitation of Microsoft Help Index Files to deploy PipeMagic underscores the evolving sophistication of cyber threats. Organizations are advised to implement the following measures to mitigate the risk:
– Regular Software Updates: Ensure that all systems and applications are up-to-date with the latest security patches to protect against known vulnerabilities.
– User Education: Train employees to recognize and avoid suspicious files and links, reducing the likelihood of successful social engineering attacks.
– Advanced Threat Detection: Deploy advanced threat detection solutions capable of identifying and mitigating obfuscated code and unconventional attack vectors.
– Network Monitoring: Implement robust network monitoring to detect unusual activities, such as unauthorized named pipe communications, which may indicate a compromise.
By adopting these proactive measures, organizations can enhance their resilience against sophisticated malware campaigns like those involving PipeMagic.
