Windows 0-Day Vulnerability Exploited in the Wild to Deploy Play Ransomware


May 7, 2025 - 13:26

Threat actors linked to the Play ransomware operation exploited a zero-day vulnerability in Microsoft Windows prior to its patching on April 8, 2025.

The vulnerability, tracked as CVE-2025-29824, affects the Windows Common Log File System (CLFS) driver and allows attackers to elevate their privileges from standard user to full system access.

The Symantec Threat Hunter Team reported that attackers affiliated with the Play ransomware group (also known as Balloonfly or PlayCrypt) targeted an unnamed organization in the United States, likely using a public-facing Cisco Adaptive Security Appliance (ASA) as an entry point.

While no ransomware payload was deployed in the discovered intrusion, the attackers utilized a custom information-stealing tool called Grixba, which has been previously associated with the Play ransomware operation.

Microsoft’s Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) attributed the exploitation activity to a threat group tracked as Storm-2460, which deploys the PipeMagic malware in ransomware campaigns.

The targets included organizations in the United States’ information technology (IT) and real estate sectors, Venezuela’s financial sector, a Spanish software company, and Saudi Arabia’s retail sector.

Exploitation of Windows 0-Day Vulnerability

“Ransomware threat actors value post-compromise elevation of privilege exploits because these could enable them to escalate initial access into privileged access,” Microsoft stated in its security advisory.

The vulnerability, which received a CVSS score of 7.8 (High), was addressed as part of Microsoft’s April 2025 Patch Tuesday updates, which fixed a total of 121 vulnerabilities.

Technical analysis revealed that the exploitation involved a sophisticated attack chain. The vulnerability resides in the CLFS kernel driver and allows attackers to exploit a use-after-free condition. During the exploit execution, attackers created files in the path C:\ProgramData\SkyPDF, including a DLL that was injected into the winlogon.exe process.

This allowed them to extract credentials from LSASS memory using tools like the Sysinternals procdump.exe, create new administrator users, and establish persistence.

The Play ransomware group, active since June 2022, is known for deploying double-extortion tactics, where sensitive data is exfiltrated prior to encryption.

The group has previously developed custom tools like Grixba, which have been disguised as legitimate security software, including fake SentinelOne and Palo Alto Networks applications.

Researchers noted that ransomware actors rarely use zero-day vulnerabilities, so this case signals an escalation in their capabilities.

Organizations are strongly advised to apply the security updates released on April 8, 2025, especially for systems running vulnerable versions of Windows.

Microsoft specifically mentioned that customers running Windows 11 version 24H2 are not affected by this vulnerability due to security mitigations already in place.

This incident highlights the continuing evolution of ransomware tactics and the importance of prompt patching, especially for vulnerabilities that enable privilege escalation, which are critical components in ransomware attack chains.

IoCs

Here’s the table of Indicators of Compromise (IoCs) linked to the Play ransomware campaign exploiting CVE-2025-29824:

Hash | Filename | Description | Detection/Malware Name
6030c4381b8b5d5c5734341292316723a89f1bdbd2d10bb67c4d06b1242afd05 | gt_net.exe | Grixba infostealer tool | Infostealer.Grixba
858efe4f9037e5efebadaaa70aa8ad096f7244c4c4aeade72c51ddad23d05bfe | go.exe | CVE-2025-29824 exploit binary | N/A
9c21adbcb2888daf14ef55c4fa1f41eaa6cbfbe20d85c3e1da61a96a53ba18f9 | clssrv.inf | DLL injected into winlogon.exe | Exploit payload
6d7374b4f977f689389c7155192b5db70ee44a7645625ecf8163c00da8828388 | cmdpostfix.bat | Artifact cleanup script | Malicious batch file
b2cba01ae6707ce694073018d948f82340b9c41fb2b2bc49769f9a0be37071e1 | servtask.bat | Privilege escalation/user creation script | Malicious batch file
293b455b5b7e1c2063a8781f3c169cf8ef2b1d06e6b7a086b7b44f37f55729bd | paloaltoconfig.dll | Masqueraded Palo Alto Networks tool | Unknown malicious DLL
af260c172baffd0e8b2671fd0c84e607ac9b2c8beb57df43cf5df6e103cbb7ad | paloaltoconfig.exe | Masqueraded Palo Alto Networks tool | Unknown malicious EXE
430d1364d0d0a60facd9b73e674faddf63a8f77649cd10ba855df7e49189980b | 1day.exe | Suspected exploit-related utility | Unknown malicious EXE
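The following hunting script is an added example, not code from Symantec, Microsoft or this article. It takes the file hashes from the IoC table above together with the behavioural artifacts described earlier in the article (files staged under C:\ProgramData\SkyPDF, a DLL loaded into winlogon.exe, procdump.exe run against LSASS, and new local accounts being created) and checks them against a small set of constructed, Sysmon-style events. The event dictionaries, their field names and the sample command lines are assumptions made for the example; the hashes are the 64-character values from the table, which is SHA-256 length.

```python
"""Hunting checks for the CVE-2025-29824 / Play intrusion artifacts described
in the article. Added example; not code from Symantec, Microsoft or the
article. Events are a constructed, simplified stand-in for Sysmon-style
telemetry: one dict per event with lower-snake-case field names."""
import re

# File hashes copied from the article's IoC table, keyed lower-case.
IOC_HASHES = {
    "6030c4381b8b5d5c5734341292316723a89f1bdbd2d10bb67c4d06b1242afd05": "gt_net.exe (Grixba infostealer)",
    "858efe4f9037e5efebadaaa70aa8ad096f7244c4c4aeade72c51ddad23d05bfe": "go.exe (CVE-2025-29824 exploit)",
    "9c21adbcb2888daf14ef55c4fa1f41eaa6cbfbe20d85c3e1da61a96a53ba18f9": "clssrv.inf (DLL injected into winlogon.exe)",
    "6d7374b4f977f689389c7155192b5db70ee44a7645625ecf8163c00da8828388": "cmdpostfix.bat (cleanup script)",
    "b2cba01ae6707ce694073018d948f82340b9c41fb2b2bc49769f9a0be37071e1": "servtask.bat (privilege escalation / user creation)",
    "293b455b5b7e1c2063a8781f3c169cf8ef2b1d06e6b7a086b7b44f37f55729bd": "paloaltoconfig.dll (masqueraded tool)",
    "af260c172baffd0e8b2671fd0c84e607ac9b2c8beb57df43cf5df6e103cbb7ad": "paloaltoconfig.exe (masqueraded tool)",
    "430d1364d0d0a60facd9b73e674faddf63a8f77649cd10ba855df7e49189980b": "1day.exe (suspected exploit utility)",
}

# Behavioural indicators taken from the article's description of the intrusion.
STAGING_DIR = "c:\\programdata\\skypdf\\"
WINDOWS_DIR = "c:\\windows\\"
LSASS_DUMP_RE = re.compile(r"procdump(64)?(\.exe)?\b.*\blsass\b", re.IGNORECASE)
USER_ADD_RE = re.compile(
    r"\bnet1?(\.exe)?\s+(user\s+\S+\s+\S+|localgroup\s+administrators\s+\S+)\s+/add\b",
    re.IGNORECASE,
)


def check_event(ev):
    """Return the list of findings for one event (empty when nothing matched)."""
    findings = []
    sha = ev.get("sha256", "").lower()
    if sha in IOC_HASHES:
        findings.append("known IoC hash: " + IOC_HASHES[sha])
    # Any path that touches the staging directory the exploit created.
    for key in ("image", "target_filename", "image_loaded"):
        if ev.get(key, "").lower().startswith(STAGING_DIR):
            findings.append(f"{key} under C:\\ProgramData\\SkyPDF")
    cmd = ev.get("command_line", "")
    if LSASS_DUMP_RE.search(cmd):
        findings.append("procdump targeting LSASS (credential dumping)")
    if USER_ADD_RE.search(cmd):
        findings.append("local account creation / administrators group change")
    # winlogon.exe loading a module from outside the Windows directory.
    if (ev.get("event") == "image_load"
            and ev.get("image", "").lower().endswith("\\winlogon.exe")
            and not ev.get("image_loaded", "").lower().startswith(WINDOWS_DIR)):
        findings.append("winlogon.exe loaded a module from outside C:\\Windows")
    return findings


def hunt(events):
    """Map event id -> findings, only for events that produced at least one."""
    result = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            result[ev["id"]] = hits
    return result


# Constructed sample telemetry. The hash on event 2 is the clssrv.inf value from
# the IoC table (upper-cased to show normalisation); the hash on event 1 is made up.
SAMPLE_EVENTS = [
    {"id": 1, "event": "process_create", "image": "C:\\Windows\\System32\\notepad.exe",
     "command_line": "notepad.exe report.txt",
     "sha256": "0000000000000000000000000000000000000000000000000000000000000000"},
    {"id": 2, "event": "file_create", "image": "C:\\Users\\user\\Downloads\\go.exe",
     "target_filename": "C:\\ProgramData\\SkyPDF\\clssrv.inf",
     "sha256": "9C21ADBCB2888DAF14EF55C4FA1F41EAA6CBFBE20D85C3E1DA61A96A53BA18F9"},
    {"id": 3, "event": "image_load", "image": "C:\\Windows\\System32\\winlogon.exe",
     "image_loaded": "C:\\ProgramData\\SkyPDF\\clssrv.inf"},
    {"id": 4, "event": "process_create", "image": "C:\\Temp\\procdump.exe",
     "command_line": "procdump.exe -ma lsass.exe C:\\Temp\\lsass.dmp"},
    {"id": 5, "event": "process_create", "image": "C:\\Windows\\System32\\net.exe",
     "command_line": "net user svc_backup P@ssw0rd! /add"},
    {"id": 6, "event": "image_load", "image": "C:\\Windows\\System32\\winlogon.exe",
     "image_loaded": "C:\\Windows\\System32\\user32.dll"},
]

if __name__ == "__main__":
    for event_id, hits in hunt(SAMPLE_EVENTS).items():
        print(f"event {event_id}: " + "; ".join(hits))
```

Hash matching alone is brittle, since the samples in the table can be recompiled; the path, LSASS and winlogon checks are the ones that carry over to a fresh build of the same tooling, which is why the script reports them separately instead of collapsing everything into one hash lookup.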


The post Windows 0-Day Vulnerability Exploited in the Wild to Deploy Play Ransomware appeared first on Cyber Security News.