DevSecOps, Patch/Configuration Management

Attacks With Newly Addressed Win32 Bug Ongoing For Two Years


Malicious actors have been exploiting the recently fixed high-severity Win32 kernel subsystem zero-day vulnerability, tracked as CVE-2025-24983, since March 2023, according to SecurityWeek.

Initial attacks used the PipeMagic backdoor to deliver the exploit, which targeted Windows 8.1 and Server 2012 R2 systems, ESET said in a series of posts on X, formerly Twitter.

Further examination of the flaw, which Microsoft patched alongside dozens of other security issues as part of this month's Patch Tuesday, revealed a use-after-free condition caused by excessive dereferencing of a Win32 process structure in certain scenarios involving the WaitForInputIdle API, ESET added, noting that successful exploitation also requires winning a race condition.

Ransomware groups LockBit, BlackMatter, and 3AM, as well as suspected Indian state-backed advanced persistent threat operation SideWinder, have previously exploited Win32 functions, while the PipeMagic backdoor was previously found to have been used by the Nokoyawa ransomware gang, said cybersecurity expert Andre Gironda.
