The Play ransomware group has been exploiting a Windows Common Log File System vulnerability (CVE-2025-29824) in zero-day attacks to escalate privileges and deploy malware.
Microsoft addressed the flaw during April’s Patch Tuesday after observing limited attacks on organizations across sectors like IT, finance, real estate, and retail. Initially linked to the RansomEXX group, the attacks involved a backdoor called PipeMagic to drop the exploit and launch ransomware.
However, Symantec later connected the activity to the Play ransomware operation, noting the use of the Grixba infostealer—a tool associated with the cybercriminal group Balloonfly.
Although no ransomware was deployed in one documented case, the tools used are typical of Play’s method for mapping out networks before encrypting data.
The group has been active since mid-2022 and is known for double-extortion tactics, with past high-profile victims including Rackspace, Krispy Kreme, and the City of Oakland.
