
Threat Landscape Update: Ransomware-as-a-Service and Advanced Modular Malware
Sherrod DeGrippo: Welcome to the Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry, I'm your guide to the back alleys of the threat landscape. Hello, and welcome to yet another episode of the Microsoft Threat Intelligence Podcast. I am Sherrod DeGrippo, Director of Threat Intelligence Strategy here at Microsoft, and I am joined by three of my esteemed Microsoft colleagues for an exciting episode today, talking about PipeMagic, a tool on threat landscape, and Medusa ransomware. With me, I have Security Engineer at Microsoft, Chuong Dong, Security Researcher, Anna Seitz, and Security Researcher, Tori Murphy. Thank you all for joining me.
Chuong Dong: And thank you for having me.
Tori Murphy: Thank you.
Anna Seitz: Thank you.
Sherrod DeGrippo: So let's start with PipeMagic. This is a backdoor. It's been used by a threat actor group we're tracking, Storm-2460. And it's kind of spooky because it looks like it's pretending to be an open-source ChatGPT application. Give me a little background on what that looks like, especially from a victim perspective. Anna, what are we seeing here?
Anna Seitz: Yeah, so we can jump right into this. Basically, PipeMagic is attributed to the financially-motivated threat actor Storm-2460, and this group has leveraged the backdoor in targeted attacks to exploit actually a zero-day vulnerability to deploy ransomware. So they exploited CVE-2025-29824. This threat actor, the observed targets can span multiple sectors, and this includes IT, financial, real estate, especially in the United States, Europe, South America, and the Middle East.
Sherrod DeGrippo: That's really interesting. So I may have mentioned on this podcast before, or to anyone who will listen, I am an obsessive ChatGPT user. I have sort of reconfigured my entire life to leverage ChatGPT, not just professionally, but also in all of my personal life. It is basically my new best friend. Well, actually, I'll take that back. We've been best friends for a couple of years now. But help me understand when it says it's masquerading as a ChatGPT app, is this something people can download somewhere and it turns out that it's this backdoor?
Anna Seitz: I'm going to pass that over to Chuong because there's a lot of technical components of this one.
Sherrod DeGrippo: Chuong, tell us what exactly is going on with this backdoor.
Chuong Dong: So when we were trying to release a blog on this, we had to kind of tiptoe around mentioning ChatGPT because ultimately, we don't want our customers to freak out and say that, oh yeah, like OpenAI or ChatGPT got compromised and now they are shipped with malware. That wasn't the case. So this, which is a public GitHub repository where they coded a desktop application that allows you to interact with ChatGPT on your own desktop. And so, the malicious actor, they just pull down the code in the public repo, and they inject their malicious code inside to ultimately drop PipeMagic in memory, right? So, yeah, this is not something that the normal user can just download from GitHub or something, right? This is very targeted. They pull down the code, they modify the code, they generate an executable with that, and then they drop it on the victim's infected machine.
Sherrod DeGrippo: So just to be clear for everyone listening, I'm sorry that I wasn't super clear on that, but this is not an issue with ChatGPT or OpenAI. This is, as we see with a lot of popular brands or popular software packages, threat actors go and they slap a logo on their malware. They pretend that -- they send an email that says it's from the shipping company when it's really a threat actor campaign. So just to be clear, this is something that is not an issue with ChatGPT or OpenAI. This is someone leveraging that brand to get people to download it. What exactly is PipeMagic?
Chuong Dong: Yeah, I guess I could go into a little bit of the technical details. So ultimately, it's a backdoor, right? And what a backdoor is is basically it's just malware sitting on your machines that allows the threat actor to sit from their command control server and interact with your system in a malicious way. And what is special about this PipeMagic malware is that it's a modular backdoor. And I can go into the difference of these two. So when you have a regular backdoor malware, you only have a specific set of backdoor capabilities coded directly into the malware, right? So the threat actor can sit at the C2 server, can send backdoor codes to command the backdoor to perform one of those specific tasks, right? So it's very limited in the number of tasks being coded directly into the malware. Now, a modular backdoor, like PipeMagic, it allows the threat actor to constantly update the backdoor on the fly, right? They can send backdoor module code to the backdoor over the network, and the backdoor will then self-update in memory to add the new code to itself. So it can continuously update itself with new code that threat actors send it, which is kind of sneaky and very sophisticated.
Sherrod DeGrippo: Let me ask you from -- I know you've been doing this a long time. You recently joined Microsoft. You're a pretty experienced reverse engineer. From an overall landscape perspective, we've heard for, I don't know, the past year or two, malware's out, malware's done. Is malware back? Is malware back?
Chuong Dong: Personally, I think it has never been done, which is kind of alarming, right? Well, in my career, I've been looking at a lot of ransomware. And I was hoping that the number of ransomware or, you know, financially-motivated malware would go down, but I feel like it just keeps on coming. People are coming up with different ways to make money off malware. So unfortunately, I don't think it's going down, which is kind of alarming. Like I would love to be out of a job when malware is out, but it doesn't seem like it's happening anytime soon.
Sherrod DeGrippo: I don't think that will happen anytime soon, not even just malware, but exploit dev for vulns too. I think we're entering into the golden age of insecure software because of the explosion in vibe coding. Let's just be honest, the code written by most of the LLMs and assistants -- those people that are writing it, they're just not checking for security. They're taking functions that work and that's all they're thinking of and they're not really doing smart architecture reviews of software. So I think for those of us in security, we're going to have long careers still, even with concerns around AI. Because AI is writing a lot of code that is adding issues and vulnerabilities into it. I want to ask Tori and Anna too, have you guys heard this like malware's done? Malware's not as prevalent on the landscape anymore? What do you think from what you're seeing?
Anna Seitz: Yeah, I certainly heard it, but I agree with Chuong, I don't think it's ever really been done. I think what you're talking about with these exploitation of vulnerabilities, even in this case, the way that PipeMagic was uncovered was through security researchers at Microsoft investigating this CVE-2025-29824. And another, I think, notable point is that ransomware threat actors really do value these post-compromise elevation of privilege exploits, because these could enable them to escalate that initial access. And that also includes handoffs and all kinds of things that could lead to privilege to access. So I think as far as ransomware or malware, I don't think it's ever gone away. But yeah, like Chuong says, that would be a nice day to retire, right? But I think it'll continue to be very prevalent on the threat landscape.
Sherrod DeGrippo: Tori, what about you? What's your view on the malware volumes?
Tori Murphy: So I'm new to malware. I did a kind of leap from going to like phishing brand protection a year ago to entering the ransomware ecosystem. So for me, I'm like so overwhelmed with how much malware is out there. So for me, it's like, I didn't even know that that was a thing, people saying it's slowing down. Because from my lens, it is everywhere.
Sherrod DeGrippo: It's funny because, I think, like, 10 years ago or so, the attack chains were so much shorter, like the delivery chains were so much shorter. It would be literally an email with a piece of malware attached, with a piece of ransomware just as an attachment. And they would blast those out, like a million messages per campaign, sometimes two or three campaigns a day from the same actor. And it would literally be something like Locky just as an attachment on an email with a very short little message that's, like, your invoice is attached, please open to pay, or something like that. And now from an email vector, the attack chains have gotten so long. It's like, click on this link where you need to download this PDF, where you need to go to a link in the PDF, and that's going to take you to a landing page, and the landing page is going to steal your credentials, and then it's going to send you malware. Like, it's just these really long, convoluted delivery methods now. And I think a lot of that is because defenders have been successful. Microsoft ending macros turned on by default in Word docs really kind of ended the malicious document, like Excel macro side of the landscape. So thinking about the new delivery methods for malware I think is really kind of an interesting exercise. And this one, it looks like it leverages a vulnerability and it leverages software repositories where people can go and download things. What else should we know about PipeMagic? It seems pretty interesting and targeted. Anything interesting going on with the backdoor specifically? Like, can we tell what kind of information they want to exfiltrate or what the backdoor might ultimately lead to?
Chuong Dong: Yeah, so it's very typical for a backdoor to actually exfiltrate system information. And yeah, this is typically used for the backdoor to establish communication with the C2 server, because the backdoor needs to send information about the infected system so they can properly sort these out at the command control server. But yeah, just very generic system information stuff, like computer name, username, system spec, that kind of stuff. Just by analyzing the code, we couldn't really tell much about what kind of capabilities that the threat actor will send to the malware to execute on the system. But, you know, again, we know that it is highly modular, so they basically can send whatever code they want for the malware to have in its memory to execute, yeah.
Sherrod DeGrippo: Any suggestions for defenders in terms of detecting this and being able to find out if you've got this in your organization?
Chuong Dong: Yeah, so Windows Defender, we actually have, I think, three or four different signatures just to target this malware in memory. Specifically, we also have extracted the C2 server URL in the malware configuration. So we can also target that, yeah, that URL on a network side. But ultimately, I think we are pretty safe because we have, I think, four different Defender signatures just to block this malware. So I think we're pretty good on that end.
Sherrod DeGrippo: That sounds good. And if anyone would like to check this blog out, I believe Chuong was the primary author behind this blog that was released on the Microsoft Threat Intelligence blog, August 18, 2025. So you can go check that. It's called "Dissecting PipeMagic: Inside the Architecture of a Modular Backdoor Framework," with lots and lots of code snippets and information about those Defender signatures that you can take a look at. Okay, let's talk Medusa ransomware. This has been around for a while, so I'm going to introduce the topic and we'll just go from there. So that was PipeMagic, which is cool to look at, an interesting backdoor piece of malware. Let's talk about this Medusa ransomware that we started seeing in June 2021. Tell me what's going on. It was originally closed. Now it's part of a ransomware-as-a-service offering. What are we seeing with this Medusa ransomware?
Anna Seitz: Yeah, so Medusa, like many ransomware, well, this one, ransomware-as-a-service. So a lot of affiliates picking it up. Initial access kind of is like how you want to deliver your ransomware. So initial access could be, you know, anywhere from phishing, emails, whatever the person behind it wants to -- you know, vulnerabilities. And then goes through using stolen credentials and shadow copy deletion, modifying registry keys, all the fun things that ransomware does before encrypting all your stuff. And then, you know, they're going to do double extortion where they basically are like, we have all your things, so please pay us this ransomware fee. And this one was interesting because they -- well, disclosure, don't send money for your ransomware. But they have a $10,000, we'll give you another 24 hours of time before we leak all your data. This one was interesting because, well, first of all, cyber criminals love Greek theology, I've come to find out. I don't know, me and my coworker make jokes that, well, at least they're reading their history books on Greek theology. But they actually incorporated Medusa's gaze and some of their binaries, which was interesting.
Sherrod DeGrippo: So Tori, I'm going to give you an opportunity that myself as a super nerd would love to be offered, but I'm going to give this to you. What is Medusa in Greek mythology and how is it relevant here?
Tori Murphy: Oh, Medusa. She is the woman that has the snakes as the hair and her deadly gaze, I think turns the people into stone. Correct me if I'm wrong.
Sherrod DeGrippo: Yeah.
Tori Murphy: Terrifying. I don't know more about her god powers, but very scary, Medusa is very scary, a god.
Sherrod DeGrippo: Yeah, she has snakes for hair, which is pretty cool. And then if you look at her, you turn to stone. For those of you who are children of the '80s, like I am, who used to be sat in front of TBS all summer long, there is a movie that they used to run almost every day, I don't know, called Clash of the Titans. And there is a fantastic scene with Medusa in that movie, Clash of the Titans. And it stars Harry Hamlin, who, another fun fact, is a Real Househusband of Beverly Hills, now married to Lisa Rinna. But you can check out Clash of the Titans if you want to see a really cool portrayal of Medusa from the '80s, where she turns someone to stone with like the old style special effects. It's like pre-CGI. So I think, I agree, this is interesting. I know we've seen ransomware threat actors honestly get pretty creative with their naming conventions and using themes and stuff like that. So I remember Abaddon, I think it was called, ransomware was all like Harry Potter-themed, and they've gotten creative over the years. And so it looks like Medusa is another one of those. Tori, can you tell me, do you know what the initial access vector is for this? How are they getting the ransomware on to the organization's networks?
Tori Murphy: So initial access is kind of weird. Like, so CISA and FBI worked on a write-up, and the initial access -- and Chuong, maybe you have better insight here -- really hard to disclose on what the initial access vectors was for this one, which leads me to believe that there was multiple. I know that phishing was mentioned, but Microsoft, I don't think, really had good eyes on initial access.
Chuong Dong: Yeah, I agree. I don't -- I'm not too aware of the initial access with this ransomware. I would say probably phishing.
Anna Seitz: I think it was a publicly disclosed vulnerability, wasn't it? Isn't that how Medusa ransomware gets in? So Medusa is attributed to Storm-1175, which is a cybercriminal group based out of China. And I believe that they typically obtain that initial access through those exploitation of those publicly-disclosed vulnerabilities. And they have very opportunistic attacks.
Sherrod DeGrippo: It looks like our friends at Unit 42 agree on that. It's phishing and exploits for software that's not patched. So it's not necessarily zero-day, it's just patch window exploits. But I also think it's really important when we're looking at initial access vectors and there's not something that's very clear in the timeline that shows that initial access, never count out social engineering out of band. Never count out scary text messages to an administrator or some kind of phone call or personal email that then pivots. I'm not saying necessarily this particular group is doing that. But I think when we look at ransomware, we've seen over the years, especially with the rise of some of the more smash and grab successful groups, is they've had good success sending text messages that say things like, you have a meeting with HR, click here in 10 minutes to have your meeting with HR, terrorizing people, essentially, getting them to click through on a text message that purports to be from their HR departments. That's just an example, not necessarily specific to this ransomware group, but I think when you're thinking about initial access for ransomware, they have really gone very bespoke into some of the social engineering vectors that they can use. What else do we need to know about this group or what kinds of things they're using to do ransomware? It looks like there's been over 300 victims per CISA, which is a lot, especially if you're looking at multi-million dollar payloads.
Tori Murphy: Yeah, I was going to definitely add to the Storm-1175 group. They definitely love targeting remote management and monitoring tools, which so many red teamed pen testing tools being abused. Like I said, I'm kind of new to this field, so it's amazing just seeing all these tools that were, you know, initially used or brought on the table for good reason just being abused, and Chuong sees this probably all every day.
Sherrod DeGrippo: So they're doing double extortion, which I think is important to point out to people. At this point, it's not even just double extortion. We see ransomware threat actor groups doing multiple levels of demands for payment, not just to decrypt files, but, you know, they'll exfiltrate everything, all of these different options to say, do this or we're going to do this, pay us or we're going to do this, pay us or we're going to do that. And I think something to really keep in mind is that we're always thinking about AI. We're always talking about AI. How does it impact the threat landscape? How does it help defenders? How does it help threat actors? I think something that's really important to keep in mind is that every data dump from a breach in the past can be put into an LLM and the threat actor can then start asking it questions, start saying, go through this data and find everything embarrassing. Go through this data, maybe it's an email dump, find every email communication that has to do with a mergers and acquisitions request. Find every email that might have something to do with two employees having an improper relationship. It essentially accelerates the ability to create an extortion machine and to find those leverage points that are usable, not just for extortion of that whole organization, but potentially blackmail of individuals. Every data dump that we've seen is now open to that interpretation of super, super fast accelerated review and looking for leverage points that a threat actor can use. So it's important to know that those old data dumps from previous breaches or anything where a threat actor did a double extortion and did end up releasing the files, those all have renewed utility because now they're super easy to search. We see data dumps that are terabytes and people say, oh, how could they ever go through all of that? Well, you just train an LLM on it and you start asking it questions in natural language and that's it. You don't even need to know regex to look for things like password pairs and email. You can just say, show me every email that has a credential in it. What else should we know about Medusa ransomware in terms of what people might do to protect themselves from it? How do we help defenders here, guys?
Chuong Dong: Yeah, there's actually a lot of ways. So we can write signatures detection, which I think we already have for Medusa ransomware payload directly. We know that they like to use a trick called "bring your own vulnerable driver," where they use a legit driver to kill XDR or antivirus processes with higher privileges. So we can target those executable directly on disk, which I think we already are doing with Windows Defender signatures. There's actually a lot of IOCs that we can target here that we can help detect and mitigate these ransomware from being deployed on Windows machine of a customer.
Sherrod DeGrippo: Tell me a little bit more about that in terms of -- you're saying they bring their own vulnerable driver and they're able to turn off XDR and AV. Is that a common thing that you see? How does that work exactly?
Chuong Dong: Yeah, it's actually very common among multiple ransomware groups where they just dropped a driver and these drivers are not malicious on their own. They're just regular drivers, but they have an exposed feature that allows you to send a process name or process ID to them, and then the driver will just terminate that process with its privilege in memory, right? So then the malware just basically drop that driver on disk, load it into the infected system through a service, and then interact with the driver directly. And it has this list of EDR and E-processes that it can send to the driver to try and just kill any existing process that is running on the infected system.
Sherrod DeGrippo: That's a very interesting technique. I'm surprised that I have never heard of this before, but I also am not a reverse engineer deep in the trenches like Chuong [laughter]. So I see here too that Medusa has a leak site. So, you know, essentially, they're able to prove, yes, we do have your data. Tori, Anna, do you want to kind of walk the audience through how the leak sites work?
Anna Seitz: I always find it fascinating when cybercriminal groups have an affiliate program like the Medusa ransomware is part of. So the operators behind Medusa use a Tor-based data leak blog that acts as their control panel for other ransomware-as-a-service affiliates. And it also includes a ransom payment page for victims. And that was what Tori was talking about earlier. Payouts can be anywhere from $100 to $1 million. And that's when we have seen Medusa affiliates using that double extortion method to steal victims' data.
Sherrod DeGrippo: And tell me, what, in terms of the affiliate model, does this look like? I know in the past, we've seen ransomware-as-a-service do things like a flat fee plus a percentage of whatever ransom comes back. There's all kinds of interesting fee and payment schedules that we've seen from some of these ransomware-as-a-service groups and their affiliates. In this particular instance, any insight into what they're doing here?
Anna Seitz: I'm not quite sure. That might be a Tori question. But one thing we have seen is that additional $10,000 can be paid to potentially add another 24 hours to the timetable. And then there's also ransom notes that explain to the victim that their data's been encrypted and gives them instructions on how to initiate the contact and make the payment. And that's either done through a Tor browser or through another end-to-end encrypted communication channel. As far as what percentage of the cut the affiliates are getting, I'm not quite sure. I'm not sure if Tori knows.
Tori Murphy: Yeah, I was going to say, I feel like this is the interesting part about writing about ransomware services. It changes so dynamically, I almost feel like the person who's operating the site might change it. I think at the time of this writing, it was a 40% payout. But if you looked at -- I think they change it so much on the dark web that like it's kind of all over the place. Like phishing-as-a-service might do weekly payouts, like use our service and it's like 134 for the week. Like the payments are very random and they're kind of all over the place. But a lot of money, though. I mean, if you're going to ransom somewhere for $1 million, they're going to give you 40%, that's a nice cut.
Sherrod DeGrippo: I guess it depends on who needs a yacht that week.
Tori Murphy: Yes.
Sherrod DeGrippo: That's one of the things I find really interesting about ransomware-as-a-service is that most of the things that we see on the marketplaces for essentially like the shopping mall that the threat landscape uses or where threat actors go to get their tools, we have actor groups that sell kits, that sell phish pages, that sell MFA bypass tools, that sell backdoors, that sell backdoors-as-a-service, that sell RATs, that sell like all of these different things. And they all tend to be either flat fee or monthly fee. They all tend to be, if you want this tool, it costs this many dollars, pay, and we will send you the kit, and you're done. But ransomware-as-a-service, especially in these affiliate models, and then you bring in the initial access brokers too, which is like a whole other front-facing revenue generator, the pricing is not flat fee. The pricing is, we're going to essentially work to get a commission off of a paid ransom. And so it really kind of changes the economy. And that's something I talk about all the time. Ransomware is an ecosystem. It has all of these interdependencies with specializations of different groups and different individuals. And they've moved their financials in that direction too, where they're now able to have variable revenue generation from multiple streams, right? So it's not just variable revenue generation and pricing and percentages, but it's multiple streams now. Because they can do double extortion. They can do what Anna and Tori are talking about, which is, do you want a little extra time, you got to pay $10,000 for it. Okay, anything else we need to cover on this ransomware?
Anna Seitz: One last thing I found interesting are just the run-of-the-mill tactic of using legitimate tools for malicious purposes. And that was also observed. There were tools that were observed deployed in conjunction with Medusa across multiple affiliates. And these are the kind of usual suspects like CertUtil, Mimikatz, PsExec, Rclone, SimpleHelp. So these things, it's like, if you see this, there's a very high probability that you could be experiencing malicious activity. So I think that's another run-of-the-mill tactic that we see that's always probably bad.
Sherrod DeGrippo: Wow, Mimikatz, that's very old school. I love it. That is our good friend, Benjamin Delpy, who developed Mimikatz, and you might be able to see him at Blue Hat Israel next year. He goes every year and is a fun guest to hang out with. Wow, that's old school. I love the everything old is new again on the threat landscape. Often, we see trends come and then go and then come back. And everyone sort of has to navigate through that same thing again with new updates. Well, we took a look at Medusa ransomware and PipeMagic. We've got lots of resources out there on the Microsoft Threat Intelligence blog for you to check out. Thank you so much for listening. And a huge thank you to Tori, Anna, and Chuong for joining the Microsoft Threat Intelligence Podcast and giving us all this great insight on what's happening on the threat landscape. Thanks for joining me.
Anna Seitz: Thank you so much.
Chuong Dong: Thank you.
Tori Murphy: Thank you.
Sherrod DeGrippo: Thanks for listening to the Microsoft Threat Intelligence Podcast. We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode, we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, msthreatintelpodcast.com for more and subscribe on your favorite podcast app. [ Music ]
