PipeMagic

Malware

⚠️ Overview

PipeMagic is a modular, plugin-based backdoor discovered by Kaspersky in 2022 during attacks on industrial companies in Southeast Asia, and seen again in 2024 against organisations in Saudi Arabia, where it was delivered through a trojanized build of an open-source ChatGPT desktop application. The core implant is a loader: it establishes command-and-control and receives plugin modules that are executed in memory, so its capabilities at any given time depend on which modules the operator has pushed. In April 2025 Microsoft reported that the financially motivated group it tracks as Storm-2460 deployed PipeMagic together with an exploit for CVE-2025-29824, a Windows Common Log File System (CLFS) driver elevation-of-privilege zero-day, and then dropped RansomExx ransomware. The APT41 (Wicked Panda, Winnti, Barium) attribution sometimes repeated for this family is not supported by the primary reporting. Victims named in public reports include industrial, IT, real-estate, financial, software and retail organisations in Asia, the Middle East, Europe and the Americas.

🔧 Technical Capabilities

Delivery varies by campaign rather than being fixed to spear-phishing. In the 2024 Saudi Arabia activity the loader was a trojanized ChatGPT desktop client that carried the encrypted backdoor in its body and decrypted it in memory. In the 2025 Storm-2460 intrusions the operators used certutil.exe to fetch a malicious MSBuild project file from a compromised legitimate website, and MSBuild decrypted and launched PipeMagic without writing the decrypted implant to disk. The backdoor is plugin-based: the core receives additional modules from the C2 server and keeps and executes them in memory. The name comes from the named pipe the implant creates for communication between its components, reported in public analyses as \\.\pipe\1.<hex>, where the hex string encodes a random 16-byte value generated at run time. The C2 channel is encrypted. In the Storm-2460 intrusions the CLFS exploit was used to escalate to SYSTEM and inject into winlogon.exe, after which LSASS memory was dumped with procdump for credential theft and RansomExx was staged. Relevant MITRE ATT&CK techniques include T1105 (Ingress Tool Transfer, certutil), T1127.001 (Trusted Developer Utilities Proxy Execution: MSBuild), T1055 (Process Injection), T1068 (Exploitation for Privilege Escalation), T1003.001 (OS Credential Dumping: LSASS Memory) and T1486 (Data Encrypted for Impact). Process hollowing into svchost.exe or explorer.exe, registry Run key persistence, DLL side-loading and Defender tampering are not described for this family in the primary reports and should not be relied on as detection assumptions.

📜 History & Notable Incidents

Kaspersky first described PipeMagic in 2022, in attacks on industrial companies in Southeast Asia. In 2024 Kaspersky reported a new wave against organisations in Saudi Arabia in which the backdoor was delivered by a trojanized open-source ChatGPT desktop application. On 8 April 2025 Microsoft disclosed that Storm-2460 had used PipeMagic together with a zero-day exploit for CVE-2025-29824 in the Windows CLFS driver against targets in the United States (IT and real estate), Venezuela (financial), Spain (a software company) and Saudi Arabia (retail), with RansomExx ransomware deployed after privilege escalation and credential theft; the vulnerability was fixed in that month's security update. CVE-2023-36025 (the Windows SmartScreen bypass) has not been linked to PipeMagic in primary reporting. No law enforcement action against the operators has been made public.

🔍 Detection Indicators

Reliable file hashes, C2 domains and mutex names should be taken from the primary Kaspersky and Microsoft reports rather than from secondary aggregations, since the sample-specific values change between builds. Behavioural indicators supported by public analysis: creation of a named pipe matching \\.\pipe\1.<32 hex characters> (Sysmon records this in Event ID 17 as PipeName \1.<hex>, without the \\.\pipe\ prefix); certutil.exe retrieving content from an external URL followed by MSBuild.exe executing a project file from a user-writable path; injection into winlogon.exe followed by procdump.exe (possibly renamed) reading LSASS memory; and, in the ransomware phase, mass file renaming and ransom-note creation characteristic of RansomExx. A desktop application that presents itself as a ChatGPT client but spawns no visible window and opens a named pipe of the form above is the 2024 loader pattern.

☠️ Risk & Impact

PipeMagic is a high-impact threat because it is a staging platform rather than a single-purpose tool: whatever modules the operator pushes run in memory with the privileges the implant has obtained, and nothing decrypted need ever touch disk. In the Storm-2460 intrusions that meant SYSTEM-level access through the CLFS zero-day, domain credential theft from LSASS memory, and RansomExx ransomware deployment, so the realistic outcome is full-domain compromise followed by extortion. The earlier campaigns against industrial companies in Southeast Asia and organisations in Saudi Arabia point to espionage and data theft as the other use of the same platform.

🛡️ Mitigation

Apply the April 2025 Windows security update that fixes CVE-2025-29824 and keep the CLFS driver patched generally, since this component has been a recurring privilege-escalation target. Monitor named-pipe creation (Sysmon Event ID 17) for the \1.<32 hex> naming scheme and for pipes created by processes running from user-writable paths. Alert on certutil.exe invoked with -urlcache or -verifyctl download arguments and on MSBuild.exe building project files on hosts that are not development machines. Enable the Attack Surface Reduction rule that blocks credential stealing from LSASS and turn on LSASS protection (RunAsPPL or Credential Guard) so procdump-style dumps fail even from SYSTEM. Use application control to block unsigned or unexpected desktop applications such as trojanized ChatGPT clients. Detection content for these behaviours is published with the Microsoft and Kaspersky reports and in community rule sets such as Sigma.
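The named-pipe indicator above and the Sysmon Event ID 17 monitoring just recommended can be turned into a small detection. The block below is an added example, not code from Kaspersky, Microsoft or any PipeMagic report. It reads Sysmon Pipe Created events as JSON lines (the shape most log forwarders emit), normalises the PipeName field so both Sysmon's short form (\1.<hex>) and the full Win32 path (\\.\pipe\1.<hex>) are handled, and flags names of the form 1.<32 hex digits>. The sample events are constructed for this example; the assumption that the pipe scheme is unchanged in newer builds is labelled in the code and should be checked against current samples.

```python
r"""Flag PipeMagic-style named pipes in Sysmon pipe events.

Added example; not code from Kaspersky, Microsoft or any PipeMagic report.
Input: Sysmon Event ID 17 (Pipe Created) records rendered as JSON lines.
The sample records at the bottom are constructed for this example.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List

# Public analyses describe the implant's pipe as \\.\pipe\1.<hex of a random
# 16-byte value>, i.e. "1." followed by 32 hex digits. Matched after
# normalisation so both the full Win32 path and Sysmon's short form are caught.
# Assumption: the scheme is unchanged in newer builds; validate on live samples.
PIPEMAGIC_NAME = re.compile(r"^1\.[0-9a-fA-F]{32}$")

WIN32_PIPE_PREFIX = "\\\\.\\pipe\\"   # the literal prefix \\.\pipe\


@dataclass(frozen=True)
class Alert:
    rule: str
    process_id: int
    image: str
    pipe_name: str


def normalize_pipe_name(raw: str) -> str:
    r"""Return the bare pipe name.

    Sysmon's PipeName field carries only "\name" (no \\.\pipe\ prefix), while
    other sources log the full "\\.\pipe\name"; both reduce to "name".
    """
    name = raw.strip()
    if name.lower().startswith(WIN32_PIPE_PREFIX):
        name = name[len(WIN32_PIPE_PREFIX):]
    return name.lstrip("\\")


def scan_pipe_events(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per Pipe Created event whose name matches the scheme."""
    alerts: List[Alert] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        # 17 = Pipe Created (what the implant does); 18 = Pipe Connected.
        # Only the creator is flagged, so the alert names the implant process.
        if event.get("EventID") != 17:
            continue
        raw_name = event.get("PipeName", "")
        if PIPEMAGIC_NAME.match(normalize_pipe_name(raw_name)):
            alerts.append(Alert(
                rule="pipemagic_named_pipe",
                process_id=int(event.get("ProcessId", 0)),
                image=event.get("Image", ""),
                pipe_name=raw_name,
            ))
    return alerts


# Constructed sample log: two benign Windows pipes, one Sysmon-form match,
# one full-path uppercase-hex match, one Pipe Connected event that must not
# alert, and one random-looking name that is not hex and must not alert.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 17, "ProcessId": 1208, "Image": "C:\\Windows\\System32\\svchost.exe",
     "PipeName": "\\winreg"},
    {"EventID": 17, "ProcessId": 2048, "Image": "C:\\Windows\\System32\\spoolsv.exe",
     "PipeName": "\\spoolss"},
    {"EventID": 17, "ProcessId": 5520, "Image": "C:\\Users\\Public\\app.exe",
     "PipeName": "\\1.9f86d081884c7d659a2feaa0c55ad015"},
    {"EventID": 17, "ProcessId": 700, "Image": "C:\\Windows\\System32\\dllhost.exe",
     "PipeName": "\\\\.\\pipe\\1.ABCDEF0123456789ABCDEF0123456789"},
    {"EventID": 18, "ProcessId": 5533, "Image": "C:\\Users\\Public\\app.exe",
     "PipeName": "\\1.9f86d081884c7d659a2feaa0c55ad015"},
    {"EventID": 17, "ProcessId": 4000, "Image": "C:\\Program Files\\App\\app.exe",
     "PipeName": "\\1.zz86d081884c7d659a2feaa0c55ad015"},
])


if __name__ == "__main__":
    for alert in scan_pipe_events(SAMPLE_EVENTS.splitlines()):
        print(f"{alert.rule}: pid={alert.process_id} image={alert.image} "
              f"pipe={alert.pipe_name}")
```

Running the block on the constructed sample reports two alerts (PIDs 5520 and 700) and ignores the Pipe Connected record and the non-hex name. In production, join the alert back to the Sysmon Event ID 1 record for the same ProcessId so the parent chain (for example certutil.exe or MSBuild.exe) is available to the analyst.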


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.