In a recent cyberattack attempt targeting a US-based organization, threat actors associated with the notorious Play ransomware operation exploited a zero-day vulnerability in Microsoft Windows to escalate privileges and deploy malware.
The exploit targeted CVE-2025-29824, a Windows elevation of privilege vulnerability in the Common Log File System (CLFS) driver, which was patched by Microsoft on April 8, 2025.
The attackers, linked to the cybercrime group Balloonfly, are known for deploying Play ransomware (also referred to as PlayCrypt) in global attacks. Though ransomware was not deployed in this incident, the attackers successfully delivered the Grixba infostealer, a customized malware tool linked to the group, Symantec noted.
Balloonfly, active since at least June 2022, has previously targeted organizations and critical infrastructure across North and South America and Europe. In this case, attackers are suspected of gaining initial access via a publicly exposed Cisco ASA firewall before pivoting to a Windows machine inside the network, though the exact method of lateral movement remains unknown.
Once on the targeted Windows system, the attackers employed a range of tools and malware, including Grixba and a zero-day exploit for CVE-2025-29824, which allowed them to gain elevated privileges through the vulnerable CLFS kernel driver.
Microsoft confirmed that CVE-2025-29824 had been used against a limited number of targets globally, including entities in the United States, Venezuela, Spain, and Saudi Arabia. The company linked some attacks to the PipeMagic malware, commonly used by the Storm-2460 group, which has a history of deploying ransomware.
While Microsoft observed the exploit being executed in-memory via the dllhost.exe process in fileless attacks attributed to Storm-2460, Symantec researchers said that the Balloonfly-linked incident involved a non-fileless approach.