Play Ransomware Used Windows Zero-Day to Escalate Privileges and Deploy Malware
The Play ransomware group has been linked to zero-day exploitation of a critical Windows vulnerability to gain SYSTEM privileges and infiltrate target networks across multiple sectors.
The flaw, tracked as CVE-2025-29824, is a high-severity issue in the Windows Common Log File System (CLFS) and was patched by Microsoft during its April 2025 Patch Tuesday.
Microsoft reported that the exploit was used in a limited number of targeted attacks before the patch was released.
“The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia,”
— Microsoft
Attack Chain Involved PipeMagic Backdoor and Grixba Infostealer
Microsoft initially attributed the attacks to the RansomEXX group, noting that the attackers deployed PipeMagic, a custom backdoor, which was used to execute the CVE-2025-29824 exploit. The backdoor enabled the deployment of ransomware payloads and ransom notes after data encryption.
However, Symantec’s Threat Hunter Team has since linked the activity to the Play ransomware-as-a-service operation, based on the tools used in the attack. In one intrusion into a U.S. organization’s network, no ransomware was deployed, but attackers dropped the Grixba infostealer, a tool known to be used by Balloonfly, the group behind Play ransomware.
“Although no ransomware payload was deployed in the intrusion, the attackers deployed the Grixba infostealer, which is a custom tool associated with Balloonfly,”
— Symantec
The Grixba tool, active since 2022, is used to scan compromised networks and gather intelligence about users and devices before ransomware deployment.
Play Ransomware’s Background and Global Impact
The Play ransomware gang, also known as PlayCrypt, first appeared in June 2022 and is known for its double-extortion tactics, where stolen data is threatened with exposure if ransom demands are not met.
In December 2023, the FBI, CISA, and the Australian Cyber Security Centre (ACSC) issued a joint advisory warning that the group had compromised the networks of around 300 organizations worldwide by October 2023.
Notable victims of Play ransomware include:
- Rackspace Technology
- Arnold Clark
- City of Oakland, California
- Dallas County
- Antwerp, Belgium
- Microchip Technology
- Krispy Kreme
The group continues to evolve its tactics, including leveraging privilege escalation exploits such as CVE-2025-29824, and maintaining access through custom malware like PipeMagic and Grixba.
