Kaspersky’s Global Research and Analysis Team (GReAT) has identified a new malicious campaign involving the PipeMagic Trojan. The attackers are using a fake ChatGPT app as a decoy, deploying a backdoor that allows full remote access to compromised devices and the extraction of sensitive data. Additionally, this malware serves as an entry point for introducing more malware and launching new attacks through the corporate network.

Kaspersky first detected the PipeMagic backdoor in 2022, a plugin-based Trojan that targeted entities in Asia. This malware is capable of functioning as both a backdoor and an access route. In September 2024, Kaspersky’s GReAT team observed a resurgence of PipeMagic, this time targeting organizations in Saudi Arabia.

This version uses a fake ChatGPT application, created with the Rust programming language. At first glance, it looks legitimate, as it contains several common Rust libraries used in many other Rust-based applications. However, upon execution, the application displays a blank screen with no visible interface and hides a 105,615-byte encrypted data array that is a malicious payload.

Blank screen displayed by a fake ChatGPT app

In the second stage, the malware searches for key Windows API functions, locating the corresponding memory offsets using a name hashing algorithm. It then allocates memory, loads the PipeMagic backdoor, adjusts the necessary settings, and executes the malware.

One of the unique features of PipeMagic is that it generates a random array of 16 bytes to create a named pipe in the format .pipe1.. Creates a thread that continually spawns this pipe, reads data from it, and then destroys it. In this sense, it is used to receive encoded payloads and stop signals through the default local interface. PipeMagic typically works with multiple plugins downloaded from a command and control (C2) server, which, in this case, was hosted on Microsoft Azure.

“Cybercriminals are constantly evolving their strategies to reach more prolific victims and expand their presence, as evidenced by the recent expansion of the PipeMagic Trojan from Asia to Saudi Arabia. Given its capabilities, we expect to see an increase in attacks that take advantage of this backdoor,” says Sergey Lozhkin, principal security analyst at Kaspersky’s GReAT.

Safety tips

To avoid falling victim to an attack directed by known or unknown threat actors, such as the fake ChatGPT app, Kaspersky analysts recommend implementing the following measures:

  • Be careful when downloading software from the Internet, especially if it is from third-party websites. Always try to download software from the official website of the company or service you are using.
  • Provide your SOC team with access to the latest threat intelligence (TI). Kaspersky Threat Intelligence is a single point of access for enterprise IT, offering data and information on cyber attacks collected by Kaspersky over more than 20 years.
  • Upskill your cybersecurity team to deal with the latest targeted threats through Kaspersky online training courses, developed by GReAT experts.
  • For timely detection, investigation and remediation of incidents at the endpoint level, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
  • In addition to adopting essential endpoint protection, implement an enterprise-level security solution that detects advanced network-level threats at an early stage, such as the Kaspersky Anti Targeted Attack Platform.
  • Since many targeted attacks start with phishing techniques or other forms of social engineering, introduce security awareness training and teach practical skills to your team, for example, through the Kaspersky Automated Security Awareness Platform.