A privilege escalation vulnerability that Microsoft patched as a zero-day in April was known and used by more groups than initially revealed, including the gang behind the Play ransomware that got into one network through a Cisco ASA firewall.
When Microsoft patched CVE-2025-29824 on 8 April, the company said the flaw had been exploited against a small number of targets by a group tracked as Storm-2460, which deployed the PipeMagic malware and then ransomware.
Now, researchers from Broadcom’s Symantec have found evidence that a different group, known as Balloonfly, also exploited the vulnerability before it was patched. Balloonfly has been deploying the Play ransomware, also known as PlayCrypt, since at least June 2022.
The attack, investigated by Symantec, involved an organization in the US and the techniques and procedures used were significantly different than those reported by Microsoft for Storm-2460.
“While the use of zero-day vulnerabilities by ransomware actors is rare, it is not unprecedented,” the researchers said in their report. “Last year Symantec found evidence that attackers linked to the Black Basta ransomware may have been exploiting a recently patched Windows privilege escalation vulnerability (CVE-2024-26169) as a zero-day.”
CVE-2025-29824 is a use-after-free memory corruption flaw in the Windows Common Log File System driver (CLFS.sys); exploiting it from a regular, restricted user account can result in code execution with SYSTEM privileges. Privilege escalation flaws like this are very useful to attackers in the post-compromise stage, because they turn a foothold into full control of the system.
Initial access occurred through Cisco firewall
Symantec found evidence that the attackers gained access to the victim’s network through a Cisco ASA firewall and then pivoted to a Windows machine. The researchers didn’t reveal if this access was achieved by exploiting a vulnerability or by using weak or compromised credentials, but zero-day attacks against network-edge devices such as firewalls, VPN gateways and other security appliances have become very common over the past two years.
Even though most of these zero-day attacks are the work of nation-state groups with significant resources and funding, once a vulnerability is revealed and an exploit becomes available, other types of attackers are also likely to try to capitalize on it.
Attackers managed to deploy infostealer
In this attack, the Balloonfly group didn’t get to the stage of deploying the Play ransomware; ransomware deployment is usually one of the final stages, carried out once attackers control significant parts of the network, for maximum damage. However, the group did deploy an infostealer called Grixba that is usually part of its toolset.
Grixba is a custom tool written in .NET that is used exclusively by the Play ransomware gang in the early stages of its attacks to gather information about compromised systems: their configured services, processes, users and installed software, including a wide range of security and backup programs, remote administration tools and more.
In addition to Grixba, the attackers also deployed other tools during this attack that Symantec researchers were not able to recover. However, one interesting aspect is that these tools had names masquerading as software from Palo Alto Networks – paloaltoconfig.exe and paloaltoconfig.dll.
The attackers also executed PowerShell commands to gather information about other systems in the victim organization’s Active Directory, a reconnaissance activity that often precedes lateral movement attempts.
Even though they could not recover all of the payloads, Symantec researchers did recover the names and file hashes for most of them. These are shared in the report as indicators of compromise and can be used to build detections and threat hunting queries.
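One way to put such indicators to use is a simple file-system hunt that hashes files and matches them against a list of known-bad SHA-256 values and suspicious file names. The script below is an added example, not code from the article or from Symantec’s report: the hash in its IoC list is computed from a constructed sample string and stands in for the report’s real values, which this page does not reproduce; the file names paloaltoconfig.exe and paloaltoconfig.dll are the ones the article mentions, and the directory tree it scans is built on the fly.

```python
"""Minimal IoC hunt: walk a directory tree, hash every file with SHA-256 and
flag matches against a hash list and a list of suspicious file names.
Added example; the hash values below are constructed, not the report's IoCs."""
import hashlib
import os
import tempfile
from pathlib import Path

# File names the article reports as masquerading as Palo Alto Networks software.
SUSPICIOUS_NAMES = {"paloaltoconfig.exe", "paloaltoconfig.dll"}

# Constructed stand-in for a recovered payload. In a real hunt, replace this
# table with the SHA-256 values published in Symantec's report.
CONSTRUCTED_SAMPLE = b"constructed sample content standing in for a recovered tool\n"
IOC_SHA256 = {
    hashlib.sha256(CONSTRUCTED_SAMPLE).hexdigest(): "constructed-ioc-1",
}


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, ioc_hashes=IOC_SHA256, suspicious_names=SUSPICIOUS_NAMES):
    """Return a sorted list of (relative path, reason) for every hit under root."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            # Name match is case-insensitive: NTFS does not distinguish case.
            if name.lower() in suspicious_names:
                hits.append((rel, f"suspicious name {name}"))
            try:
                digest = sha256_of(p)
            except OSError:
                continue  # unreadable file; a production hunt would log this
            if digest in ioc_hashes:
                hits.append((rel, f"hash match {ioc_hashes[digest]}"))
    return sorted(hits)


def demo():
    """Build a constructed directory tree and run the hunt over it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Program Files" / "Vendor").mkdir(parents=True)
        (root / "Program Files" / "Vendor" / "readme.txt").write_bytes(b"benign\n")
        (root / "Users" / "Public").mkdir(parents=True)
        # Name-based hit: mixed case on purpose to exercise the lower() check.
        (root / "Users" / "Public" / "PaloAltoConfig.exe").write_bytes(b"unrelated\n")
        # Hash-based hit: content matches the constructed IoC above.
        (root / "Users" / "Public" / "svc.dat").write_bytes(CONSTRUCTED_SAMPLE)
        return hunt(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Matching on file names alone is weak evidence, since an attacker can rename a tool at will and a vendor could legitimately ship a file with a similar name; treating a name hit as a lead to triage and a hash hit as a confirmed indicator keeps the two signals in their proper place. For a fleet-wide hunt the same logic belongs in the EDR or SIEM query language rather than a script run host by host.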
Source: “Windows flaw exploited as zero-day by more groups than previously thought”, CSO Online.