In early 2025, cybersecurity researchers identified a critical zero-day vulnerability in Microsoft Windows, designated as CVE-2025-29824. This flaw resides within the Windows Common Log File System (CLFS) driver and enables attackers to escalate privileges from standard user access to full system control. The Play ransomware group, also known as Balloonfly or PlayCrypt, actively exploited this vulnerability before Microsoft released a patch on April 8, 2025.
Discovery and Exploitation
The Symantec Threat Hunter Team uncovered that threat actors associated with the Play ransomware operation targeted an unnamed organization in the United States. The attackers likely gained initial access through a public-facing Cisco Adaptive Security Appliance (ASA). Although no ransomware payload was deployed in this particular intrusion, the attackers utilized a custom information-stealing tool called Grixba, previously linked to the Play ransomware group.
Microsoft’s Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) attributed the exploitation activity to a threat group identified as Storm-2460. This group is known for deploying the PipeMagic malware in ransomware campaigns. Their targets included organizations in the United States’ information technology and real estate sectors, Venezuela’s financial sector, a Spanish software company, and Saudi Arabia’s retail sector.
Technical Analysis of the Vulnerability
CVE-2025-29824 is a use-after-free condition in the CLFS kernel driver that a local attacker can exploit to escalate privileges. During the observed exploitation, the attackers created files under C:\ProgramData\SkyPDF, including a DLL that was injected into the winlogon.exe process. With that foothold they dumped credentials from the Local Security Authority Subsystem Service (LSASS) memory using tools such as Sysinternals’ procdump.exe, created new administrator accounts, and established persistence on the compromised system.
Play Ransomware Group’s Tactics
Active since June 2022, the Play ransomware group employs double-extortion tactics, exfiltrating sensitive data before encrypting it. They have developed custom tools like Grixba, which are often disguised as legitimate security software, including fake applications mimicking those from SentinelOne and Palo Alto Networks. The group’s use of a zero-day vulnerability in this instance indicates an escalation in their capabilities, as ransomware actors rarely exploit such vulnerabilities.
Microsoft’s Response and Recommendations
In response to the exploitation, Microsoft released a patch for CVE-2025-29824 as part of its April 2025 Patch Tuesday updates, which addressed a total of 121 vulnerabilities. The company emphasized the importance of applying these security updates promptly, especially for systems running vulnerable versions of Windows. Notably, customers using Windows 11 version 24H2 are not affected by this vulnerability due to existing security mitigations.
Indicators of Compromise (IoCs)
Organizations are advised to monitor for the following IoCs associated with the Play ransomware campaign exploiting CVE-2025-29824:
– Hash: 6030c4381b8b5d5c5734341292316723a89f1bdbd2d10bb67c4d06b1242afd05
– Filename: gt_net.exe
– Description: Grixba infostealer tool
– Detection/Malware Name: Infostealer.Grixba1
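The post-exploitation behaviours from the technical analysis above (SkyPDF staging directory, procdump against LSASS, activity spawned from winlogon.exe, new administrator accounts) and the Grixba hash from the IoC list can be turned into hunting logic over process-creation telemetry. The following is an added example, not code from the original article or from any vendor; the record field names (image, cmdline, parent, sha256), the winlogon child baseline and the sample events are constructed assumptions.

```python
import re

# SHA-256 of the Grixba sample from the article's IoC list.
GRIXBA_SHA256 = "6030c4381b8b5d5c5734341292316723a89f1bdbd2d10bb67c4d06b1242afd05"
# Children winlogon.exe legitimately spawns (illustrative baseline, an assumption).
WINLOGON_BASELINE = ("\\userinit.exe", "\\logonui.exe", "\\dwm.exe", "\\fontdrvhost.exe")
# "net user X Y /add" or "net localgroup administrators X /add" (net1.exe too).
NET_ADD = re.compile(
    r"\bnet1?(?:\.exe)?\s+(?:user\s+\S+(?:\s+\S+)?\s+/add"
    r"|localgroup\s+administrators\s+\S+\s+/add)", re.I)

def classify(event):
    """Return the rule names one process-creation record triggers."""
    image = event.get("image", "").lower()
    cmdline = event.get("cmdline", "").lower()
    parent = event.get("parent", "").lower()
    hits = []
    # Staging directory the article attributes to the exploit chain.
    if "\\programdata\\skypdf\\" in image + " " + cmdline:
        hits.append("skypdf_staging")
    # Sysinternals procdump pointed at LSASS (credential dumping).
    if image.endswith(("\\procdump.exe", "\\procdump64.exe")) and "lsass" in cmdline:
        hits.append("lsass_dump_procdump")
    # winlogon.exe spawning outside its normal child set hints at injected code.
    if parent.endswith("\\winlogon.exe") and not image.endswith(WINLOGON_BASELINE):
        hits.append("winlogon_unusual_child")
    # Local account creation / admin group addition for persistence.
    if NET_ADD.search(cmdline):
        hits.append("admin_user_added")
    # Direct match on the published Grixba hash.
    if event.get("sha256", "").lower() == GRIXBA_SHA256:
        hits.append("grixba_hash_match")
    return hits

def hunt(events):
    """Map record id -> triggered rules, omitting clean records."""
    return {e["id"]: h for e in events if (h := classify(e))}

# Constructed sample telemetry (Sysmon Event ID 1 style), not real data.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs", "parent": r"C:\Windows\System32\services.exe"},
    {"id": 2, "image": r"C:\ProgramData\SkyPDF\procdump.exe", "cmdline": r"procdump.exe -ma lsass.exe C:\ProgramData\SkyPDF\lsass.dmp", "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 3, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c net user backup_svc P@ssw0rd! /add", "parent": r"C:\Windows\System32\winlogon.exe"},
    {"id": 4, "image": r"C:\Windows\System32\userinit.exe", "cmdline": "userinit.exe", "parent": r"C:\Windows\System32\winlogon.exe"},
    {"id": 5, "image": r"C:\Users\Public\gt_net.exe", "cmdline": "gt_net.exe", "parent": r"C:\Windows\explorer.exe", "sha256": GRIXBA_SHA256},
]

if __name__ == "__main__":
    for rid, rules in hunt(SAMPLE_EVENTS).items():
        print(rid, rules)
```

The winlogon baseline will need tuning per environment; the hash rule alone is brittle, which is why the behavioural rules carry the weight.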
Conclusion
The exploitation of CVE-2025-29824 by the Play ransomware group underscores the evolving tactics of cybercriminals and the critical importance of timely software updates. Organizations must remain vigilant, apply security patches promptly, and monitor for indicators of compromise to protect against such sophisticated attacks.