Zero-Day Exploited in Targeted Ransomware Attack
Threat actors affiliated with the Play ransomware operation, also known as Balloonfly or PlayCrypt, have weaponized a recently patched Windows vulnerability (CVE-2025-29824) as a zero-day exploit to infiltrate an unnamed organization in the United States.
The vulnerability—found in the Common Log File System (CLFS) driver—enables privilege escalation and was only patched by Microsoft in April 2025. The Symantec Threat Hunter Team, part of Broadcom, uncovered this sophisticated breach and confirmed that attackers leveraged this flaw prior to its public disclosure.
Exploiting Cisco ASA and Dropping Grixba Stealer
The attackers initially breached the network through a suspected compromise of a public-facing Cisco Adaptive Security Appliance (ASA). From there, they moved into the organization's Windows environment.
A malicious payload named Grixba, a custom information stealer linked to Play ransomware, was dropped into the Music folder under the guise of Palo Alto Networks software (e.g., paloaltoconfig.exe and .dll files).

Active Directory Reconnaissance and Exploitation Traces
Once inside, the hackers executed system commands to gather details about all machines within the organization’s Active Directory, exporting results to a CSV file for post-exploitation use.
Two critical files were found under C:\ProgramData\SkyPDF:
- PDUDrv.blf – a CLFS base log file created during exploitation
- clssrv.inf – a malicious DLL injected into the winlogon.exe process
This DLL proceeded to drop two batch scripts:
- servtask.bat – escalates privileges, dumps Registry hives, creates a "LocalSvc" admin user
- cmdpostfix.bat – cleans up post-exploitation evidence
Note: No ransomware payload was deployed during the observed activity. Taken together with the separate exploitation cluster described below, this suggests the exploit may have been available to multiple threat groups.
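The artifacts above map directly onto a hunting query over process-creation telemetry: a shell spawned by winlogon.exe (consistent with the injected DLL), scripts run from the SkyPDF staging directory, registry hive dumps, and the creation of a local administrator. The following is an added example, not Symantec's or the attackers' code. The event fields (Sysmon Event ID 1 style) and every sample command line are constructed for illustration; the page names the scripts and their effects but does not show their contents, so the exact `reg save` and `net user` invocations are assumptions.

```python
"""Hunt for the Play post-exploitation chain in process-creation events.
Added example; event format and sample command lines are constructed."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: int            # seconds since epoch (constructed)
    host: str
    parent_image: str  # full path of the parent process
    image: str         # full path of the created process
    cmdline: str


# Artifacts named in the report: the staging directory and the two scripts.
STAGING_DIR = r"c:\programdata\skypdf"
SCRIPTS = ("servtask.bat", "cmdpostfix.bat")

# Hives whose dump yields local credentials and LSA secrets. Assumption: the
# report says "Registry hives" without listing which ones.
HIVE_RE = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I)
ADD_USER_RE = re.compile(r"\bnet(?:1)?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)
ADD_ADMIN_RE = re.compile(r"\bnet(?:1)?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)


def classify(ev: ProcEvent) -> list:
    """Return the indicator names a single event matches (possibly none)."""
    hits = []
    cl = ev.cmdline.lower()
    parent = ev.parent_image.lower()
    image = ev.image.lower()
    # winlogon.exe normally launches userinit.exe / LogonUI.exe, never cmd.exe;
    # a shell under it is consistent with code injected into winlogon.
    if parent.endswith(r"\winlogon.exe") and image.endswith(r"\cmd.exe"):
        hits.append("cmd_spawned_by_winlogon")
    if STAGING_DIR in cl and any(s in cl for s in SCRIPTS):
        hits.append("skypdf_script_executed")
    if HIVE_RE.search(cl):
        hits.append("registry_hive_dump")
    if ADD_USER_RE.search(cl):
        hits.append("local_user_created")
    if ADD_ADMIN_RE.search(cl):
        hits.append("user_added_to_administrators")
    return hits


def hunt(events, window=300):
    """Flag a host when >= 3 distinct indicators fall within `window` seconds.
    Returns {host: sorted indicator names}; a lone `net user /add` from an
    admin does not fire, the chain does."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        for ind in classify(ev):
            by_host.setdefault(ev.host, []).append((ev.ts, ind))
    findings = {}
    for host, items in by_host.items():
        for i, (t0, _) in enumerate(items):
            inds = {ind for t, ind in items[i:] if t - t0 <= window}
            if len(inds) >= 3:
                findings[host] = sorted(inds)
                break
    return findings


# Constructed sample telemetry: the chain on ws01, benign admin work on ws02.
SAMPLE = [
    ProcEvent(1000, "ws01", r"C:\Windows\System32\winlogon.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\ProgramData\SkyPDF\servtask.bat"'),
    ProcEvent(1003, "ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
              r"reg save HKLM\SAM C:\ProgramData\SkyPDF\sam.hiv"),
    ProcEvent(1004, "ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
              r"reg save HKLM\SYSTEM C:\ProgramData\SkyPDF\system.hiv"),
    ProcEvent(1006, "ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
              r"net user LocalSvc P@ssw0rd! /add"),
    ProcEvent(1007, "ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
              r"net localgroup administrators LocalSvc /add"),
    ProcEvent(1300, "ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\ProgramData\SkyPDF\cmdpostfix.bat"'),
    ProcEvent(2000, "ws02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"net user svc_backup Summer2025 /add"),
]

if __name__ == "__main__":
    for host, inds in hunt(SAMPLE).items():
        print(host, inds)
```

The threshold of three distinct indicators within five minutes is a tuning choice: any one of these commands is routine on its own, but the combination, starting with a shell under winlogon.exe, is not. In a real deployment the same logic runs against Sysmon or EDR process events rather than the inline list.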
Storm-2460 and PipeMagic Trojan – A Different Cluster
This incident differs from Microsoft’s prior disclosure of Storm-2460 using the same CVE to deploy a trojan dubbed PipeMagic. The two represent separate clusters of exploitation.
Trend: Ransomware Groups Using Zero-Day Flaws
Zero-day exploitation by ransomware groups is becoming a disturbing norm. In 2024, the Black Basta group exploited another Windows privilege escalation flaw, CVE-2024-26169 in the Windows Error Reporting Service, as a zero-day.
New Technique: Bring Your Own Installer (BYOI)
A new local bypass attack method—Bring Your Own Installer—was discovered by Aon’s Stroz Friedberg team. Threat actors exploited a flaw in SentinelOne’s EDR upgrade process to disable protection before deploying the Babuk ransomware.
The attack did not rely on a vulnerable driver. Instead, the attacker ran a legitimate SentinelOne MSI installer, which stops the running agent's services as a normal step of the upgrade, and then killed the msiexec.exe process with a timed taskkill command before the new agent was installed, leaving the host without protection.
SentinelOne has since rolled out mitigations, including:
- Enhancements to Local Upgrade Authorization, which requires console approval before a locally initiated upgrade or downgrade can proceed
- A detection rule via the SentinelOne console
- Console updates to highlight the mitigation settings
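Local Upgrade Authorization is the preventive control; the sequence itself is also easy to catch in process telemetry, because it needs two events in quick succession on one host: msiexec.exe launched with a SentinelOne installer, then a taskkill aimed at msiexec.exe before the upgrade completes. The following is an added example, not Stroz Friedberg's or SentinelOne's code. The event fields and every sample line are constructed; the installer file name and the exact taskkill invocation are assumptions, since the page gives neither.

```python
"""Detect the Bring Your Own Installer sequence in process-creation events.
Added example; event format, installer names and sample lines are constructed."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: int       # seconds since epoch (constructed)
    host: str
    pid: int
    image: str    # full path of the created process
    cmdline: str


# msiexec.exe invoked with a SentinelOne .msi (file name pattern is an assumption).
MSIEXEC_RE = re.compile(r'msiexec(?:\.exe)?\b.*\bsentinel[^\s"]*\.msi\b', re.I)
# taskkill aimed at msiexec either by image name or by PID.
KILL_IM_RE = re.compile(r"taskkill(?:\.exe)?\b.*/im\s+msiexec(?:\.exe)?\b", re.I)
KILL_PID_RE = re.compile(r"taskkill(?:\.exe)?\b.*?/pid\s+(\d+)", re.I)


def detect_byoi(events, window=120):
    """Return one finding per host where a SentinelOne MSI upgrade was followed
    within `window` seconds by a taskkill targeting that msiexec.exe."""
    findings = []
    pending = {}  # host -> (ts, pid, cmdline) of the latest SentinelOne msiexec
    for ev in sorted(events, key=lambda e: e.ts):
        image = ev.image.lower()
        if image.endswith(r"\msiexec.exe") and MSIEXEC_RE.search(ev.cmdline):
            pending[ev.host] = (ev.ts, ev.pid, ev.cmdline)
            continue
        if not image.endswith(r"\taskkill.exe") or ev.host not in pending:
            continue
        t0, msi_pid, msi_cmd = pending[ev.host]
        by_pid = KILL_PID_RE.search(ev.cmdline)
        aimed_at_msiexec = bool(KILL_IM_RE.search(ev.cmdline)) or bool(
            by_pid and int(by_pid.group(1)) == msi_pid)
        if aimed_at_msiexec and ev.ts - t0 <= window:
            findings.append({"host": ev.host, "installer_cmd": msi_cmd,
                             "kill_cmd": ev.cmdline, "delta_s": ev.ts - t0})
            del pending[ev.host]
    return findings


# Constructed sample telemetry.
SAMPLE = [
    # srv01: a legitimate (older) installer is started; the upgrade stops the
    # running agent services, then msiexec is force-killed 18 s later.
    ProcEvent(100, "srv01", 4120, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\Public\SentinelInstaller_windows_64bit_v23_4_1_1.msi" /qn'),
    ProcEvent(118, "srv01", 4188, r"C:\Windows\System32\taskkill.exe",
              r"taskkill /f /im msiexec.exe"),
    # srv02: a normal upgrade; a taskkill by PID arrives 400 s later, outside
    # the window, so it is not treated as an aborted install.
    ProcEvent(500, "srv02", 2210, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Temp\SentinelInstaller_windows_64bit_v24_1_5_2.msi" /qn'),
    ProcEvent(900, "srv02", 2300, r"C:\Windows\System32\taskkill.exe",
              r"taskkill /pid 2210"),
]

if __name__ == "__main__":
    for f in detect_byoi(SAMPLE):
        print(f["host"], f["delta_s"], f["kill_cmd"])
```

The window should be short: the attacker has to kill msiexec.exe in the gap between the old agent stopping and the new one starting, so a taskkill minutes later is far more likely to be an administrator cleaning up a hung install. Corroborate with the agent's service-stop events or console disconnect alerts before acting.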
Ransomware Tools: Crytox, HRSword, and PlayBoy Locker
Additional ransomware groups are employing tools like HRSword to disable endpoint security (previously seen in Phobos and BabyLockerKZ campaigns). Cisco confirmed Crytox ransomware is actively using this technique.
Meanwhile, a new Ransomware-as-a-Service (RaaS) platform called PlayBoy Locker is enabling low-skilled threat actors to generate ransomware payloads targeting Windows, NAS, and ESXi systems with anti-detection features and affiliate support.
DragonForce and the Rise of the Ransomware Cartel
The cybercriminal group DragonForce has launched a ransomware cartel by taking over operations from the now-defunct RansomHub. They offer white-label ransomware services and take a 20% commission from affiliate payouts.
Originally a pro-Palestine hacktivist group, DragonForce has evolved into a full-scale RaaS syndicate targeting major U.K. retailers such as Harrods, Marks and Spencer, and Co-Op.
Retail Sector in the Crosshairs
According to Mandiant, ransomware group UNC3944 (aka Scattered Spider) may be behind these attacks. The retail sector is a lucrative target due to the high volume of PII and financial data.
These companies are often more inclined to pay ransoms to minimize service disruption.
2024 Ransomware Landscape: Surge in Activity
Ransomware incidents surged by 25% in 2024. Notably, there’s been a 53% increase in leak site activity, driven by smaller, more agile cybercrime gangs targeting mid-sized organizations.
Security expert Dov Lerner noted, "Ransomware actors are outpacing law enforcement, and their focus on smaller entities means no one is immune."
Editor’s Note: This article has been updated to reflect additional mitigation measures by SentinelOne to address the BYOI technique.
📌 Stay informed. Subscribe to Hacker4hub for the latest in cybersecurity news and threat intelligence.