Threat actors linked to the Play ransomware operation exploited a zero-day vulnerability in Microsoft Windows prior to its patching on April 8, 2025.
The vulnerability, tracked as CVE-2025-29824, affects the Windows Common Log File System (CLFS) driver and allows attackers to elevate their privileges from standard user to full system access.
The Symantec Threat Hunter Team reported that attackers affiliated with the Play ransomware group (also known as Balloonfly or PlayCrypt) targeted an unnamed organization in the United States, likely using a public-facing Cisco Adaptive Security Appliance (ASA) as an entry point.
While no ransomware payload was deployed in the discovered intrusion, the attackers utilized a custom information-stealing tool called Grixba, which has been previously associated with the Play ransomware operation.
Microsoft’s Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) attributed the exploitation activity to a threat group tracked as Storm-2460, which deploys the PipeMagic malware in ransomware campaigns.
The targets included organizations in the United States’ information technology (IT) and real estate sectors, Venezuela’s financial sector, a Spanish software company, and Saudi Arabia’s retail sector.
Exploitation of Windows 0-Day Vulnerability
“Ransomware threat actors value post-compromise elevation of privilege exploits because these could enable them to escalate initial access into privileged access,” Microsoft stated in its security advisory.
The vulnerability, which received a CVSS score of 7.8 (High), was addressed as part of Microsoft’s April 2025 Patch Tuesday updates, which fixed a total of 121 vulnerabilities.
Technical analysis revealed that the exploitation involved a sophisticated attack chain. The vulnerability resides in the CLFS kernel driver and allows attackers to exploit a use-after-free condition. During the exploit execution, attackers created files in the path C:\ProgramData\SkyPDF, including a DLL that was injected into the winlogon.exe process.
This allowed them to extract credentials from LSASS memory using tools like the Sysinternals procdump.exe, create new administrator users, and establish persistence.
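The post-exploitation steps described above (procdump.exe against LSASS, files staged under C:\ProgramData\SkyPDF, code running inside winlogon.exe, new administrator accounts) map to simple process-creation detections. The following is an added example, not code from the article, Symantec or Microsoft: it runs four illustrative rules over a handful of constructed Sysmon/4688-style events. The rule names, the sample hosts and command lines, and the choice to treat a shell spawned by winlogon.exe as suspicious are assumptions made here; the indicators themselves are the ones the article names.

```python
"""Behavioural detections for the CVE-2025-29824 post-exploitation chain,
run over constructed process-creation events (illustrative, not real telemetry)."""
from dataclasses import dataclass

# Staging directory named in Microsoft's write-up (lower-cased for matching).
SKYPDF_DIR = r"c:\programdata\skypdf"


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcEvent) -> list:
    """Return the names of every rule the event trips (empty list if benign)."""
    hits = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    cmd = ev.command_line.lower()
    tokens = cmd.split()
    # Rule 1: Sysinternals procdump pointed at lsass, as seen in the intrusion.
    if img in ("procdump.exe", "procdump64.exe") and "lsass" in cmd:
        hits.append("lsass-dump")
    # Rule 2: anything executed from, or referencing, the SkyPDF staging path.
    if SKYPDF_DIR in ev.image.lower() or SKYPDF_DIR in cmd:
        hits.append("skypdf-staging-path")
    # Rule 3 (assumption): winlogon.exe normally does not spawn shells; a DLL
    # injected into it that runs commands would show up this way.
    if parent == "winlogon.exe" and img in ("cmd.exe", "powershell.exe", "rundll32.exe"):
        hits.append("winlogon-spawned-shell")
    # Rule 4: local account or local-group membership added with net.exe.
    if img in ("net.exe", "net1.exe") and "/add" in tokens and (
        "user" in tokens or "localgroup" in tokens
    ):
        hits.append("local-account-or-admin-added")
    return hits


def scan(events) -> list:
    """Evaluate every event; keep only those with at least one rule hit, in input order."""
    findings = []
    for ev in events:
        hits = evaluate(ev)
        if hits:
            findings.append(
                {"host": ev.host, "image": ev.image, "command_line": ev.command_line, "rules": hits}
            )
    return findings


# Constructed sample events (hosts, users and paths are made up).
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              r"notepad.exe C:\Users\alice\notes.txt"),
    ProcEvent("WS01", r"C:\Windows\System32\svchost.exe", r"C:\ProgramData\SkyPDF\go.exe",
              r"C:\ProgramData\SkyPDF\go.exe"),
    ProcEvent("WS01", r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\procdump.exe",
              r"procdump.exe -accepteula -ma lsass.exe C:\ProgramData\SkyPDF\lsass.dmp"),
    ProcEvent("WS01", r"C:\Windows\System32\winlogon.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Users\Public\servtask.bat"),
    ProcEvent("WS01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
              r"net user svc_backup P@ssw0rd! /add"),
    ProcEvent("WS01", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              r"svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']}: {', '.join(f['rules'])}  <- {f['command_line']}")
```

Run on the constructed events, four of the six trip at least one rule; the procdump event trips two (the LSASS dump and the SkyPDF output path). In a real deployment the same rules would be expressed in the SIEM or EDR query language, but the logic does not change.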
The Play ransomware group, active since June 2022, is known for deploying double-extortion tactics, where sensitive data is exfiltrated prior to encryption.
The group has previously developed custom tools like Grixba, which have been disguised as legitimate security software, including fake SentinelOne and Palo Alto Networks applications.
Researchers noted that ransomware actors rarely use zero-day vulnerabilities, and that this case signals an escalation in their capabilities.
Organizations are strongly advised to apply the security updates released on April 8, 2025, especially for systems running vulnerable versions of Windows.
Microsoft specifically mentioned that customers running Windows 11 version 24H2 are not affected by this vulnerability due to security mitigations already in place.
This incident highlights the continuing evolution of ransomware tactics and the importance of prompt patching, especially for vulnerabilities that enable privilege escalation, which are critical components in ransomware attack chains.
IoCs
Here’s the table of Indicators of Compromise (IoCs) linked to the Play ransomware campaign exploiting CVE-2025-29824:
| Hash | Filename | Description | Detection/Malware Name |
|---|---|---|---|
| 6030c4381b8b5d5c5734341292316723a89f1bdbd2d10bb67c4d06b1242afd05 | gt_net.exe | Grixba infostealer tool | Infostealer.Grixba |
| 858efe4f9037e5efebadaaa70aa8ad096f7244c4c4aeade72c51ddad23d05bfe | go.exe | CVE-2025-29824 exploit binary | N/A |
| 9c21adbcb2888daf14ef55c4fa1f41eaa6cbfbe20d85c3e1da61a96a53ba18f9 | clssrv.inf | DLL injected into winlogon.exe | Exploit payload |
| 6d7374b4f977f689389c7155192b5db70ee44a7645625ecf8163c00da8828388 | cmdpostfix.bat | Artifact cleanup script | Malicious batch file |
| b2cba01ae6707ce694073018d948f82340b9c41fb2b2bc49769f9a0be37071e1 | servtask.bat | Privilege escalation/user creation script | Malicious batch file |
| 293b455b5b7e1c2063a8781f3c169cf8ef2b1d06e6b7a086b7b44f37f55729bd | paloaltoconfig.dll | Masqueraded Palo Alto Networks tool | Unknown malicious DLL |
| af260c172baffd0e8b2671fd0c84e607ac9b2c8beb57df43cf5df6e103cbb7ad | paloaltoconfig.exe | Masqueraded Palo Alto Networks tool | Unknown malicious EXE |
| 430d1364d0d0a60facd9b73e674faddf63a8f77649cd10ba855df7e49189980b | 1day.exe | Suspected exploit-related utility | Unknown malicious EXE |
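The hashes above are only useful once they are actually checked against files on disk. The following is an added example (not tooling from the article, Symantec or Microsoft) that embeds the eight SHA-256 values and filenames from the table, walks a directory tree, and reports a high-confidence hit on a hash match and a lower-confidence hit when only the filename matches (lookalikes such as paloaltoconfig.exe are worth a look even when the hash differs). The directory walk, the severity labels, and the constructed sample tree it is tried on are assumptions made here.

```python
"""Sweep a directory tree for the CVE-2025-29824 / Play IoCs listed above.
Hash values and filenames are the article's; everything else is illustrative."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 -> (filename, description), copied from the IoC table.
IOCS = {
    "6030c4381b8b5d5c5734341292316723a89f1bdbd2d10bb67c4d06b1242afd05": ("gt_net.exe", "Grixba infostealer tool"),
    "858efe4f9037e5efebadaaa70aa8ad096f7244c4c4aeade72c51ddad23d05bfe": ("go.exe", "CVE-2025-29824 exploit binary"),
    "9c21adbcb2888daf14ef55c4fa1f41eaa6cbfbe20d85c3e1da61a96a53ba18f9": ("clssrv.inf", "DLL injected into winlogon.exe"),
    "6d7374b4f977f689389c7155192b5db70ee44a7645625ecf8163c00da8828388": ("cmdpostfix.bat", "Artifact cleanup script"),
    "b2cba01ae6707ce694073018d948f82340b9c41fb2b2bc49769f9a0be37071e1": ("servtask.bat", "Privilege escalation/user creation script"),
    "293b455b5b7e1c2063a8781f3c169cf8ef2b1d06e6b7a086b7b44f37f55729bd": ("paloaltoconfig.dll", "Masqueraded Palo Alto Networks tool"),
    "af260c172baffd0e8b2671fd0c84e607ac9b2c8beb57df43cf5df6e103cbb7ad": ("paloaltoconfig.exe", "Masqueraded Palo Alto Networks tool"),
    "430d1364d0d0a60facd9b73e674faddf63a8f77649cd10ba855df7e49189980b": ("1day.exe", "Suspected exploit-related utility"),
}
IOC_FILENAMES = {name.lower() for name, _ in IOCS.values()}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of(path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hash(digest: str):
    """Return (filename, description) for a known IoC digest, else None; case-insensitive."""
    return IOCS.get(digest.lower())


def sweep(root) -> list:
    """Walk `root`; report hash matches (high confidence) and filename-only matches (low)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            try:
                digest = sha256_of(p)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            hit = match_hash(digest)
            if hit:
                findings.append({"path": str(p), "sha256": digest, "match": "hash",
                                 "ioc": hit[0], "description": hit[1]})
            elif name.lower() in IOC_FILENAMES:
                findings.append({"path": str(p), "sha256": digest, "match": "filename",
                                 "ioc": name.lower(),
                                 "description": "name matches an IoC but hash does not; inspect manually"})
    return findings


def build_sample_tree() -> Path:
    """Constructed sample tree: one benign file and one filename lookalike (no real samples)."""
    root = Path(tempfile.mkdtemp(prefix="ioc-sweep-"))
    (root / "notes.txt").write_bytes(b"quarterly report draft")
    (root / "tools").mkdir()
    (root / "tools" / "paloaltoconfig.exe").write_bytes(b"constructed placeholder, not the real sample")
    return root


if __name__ == "__main__":
    for f in sweep(build_sample_tree()):
        print(f"[{f['match']}] {f['path']} ({f['ioc']}): {f['description']}")
```

Point `sweep()` at C:\ProgramData and user-writable directories on hosts of interest; a filename-only hit is a lead, not a verdict, while a hash hit against the table is a confirmed artifact of this campaign.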
The post Windows 0-Day Vulnerability Exploited in Wild to Deploy Play ransomware appeared first on Cyber Security News.