Microsoft warns dangerous PipeMagic backdoor is being disguised as ChatGPT desktop app – here’s what we know

Microsoft saw a modified version of a GitHub project carrying malware
The malware can serve as both a backdoor and an infostealer
The group behind it was seen deploying encryptors, too

Microsoft has warned of a fake ChatGPT desktop application circulating online which actually carries a highly modular malware framework serving as an infostealer and a backdoor.

In an in-depth report, Microsoft said it observed the framework it dubbed PipeMagic, originating on GitHub.

“The first stage of the PipeMagic infection execution begins with a malicious in-memory dropper disguised as the open-source ChatGPT Desktop Application project,” the report reads. “The threat actor uses a modified version of the GitHub project that includes malicious code to decrypt and launch an embedded payload in memory.”

A handful of victims

The malware is the work of a threat actor known as Storm-2460, which Microsoft also flagged in early April 2025 abusing a zero-day vulnerability in the Common Log File System to deploy the RansomEXX encryptor.

In this case, while the group abused the same flaw – CVE-2025-29824, Microsoft did not state which encryptor was deployed. PipeMagic seems to have evolved, since in the earlier report, it was described as a simple backdoor trojan.

Now, it’s described as a highly modular malware framework which allows threat actors to execute payloads dynamically, maintain persistent control, and communicate stealthily with command-and-control servers. It can manage encrypted payload modules in memory, perform privilege escalation, collect extensive system information, and execute arbitrary code through its linked list architecture.

PipeMagic also supports encrypted inter-process communication via named pipes and can self-update by receiving new modules from its C2 infrastructure.

While Microsoft said the number of victims was “limited”, it did not discuss concrete numbers. The targets were observed in the United States, across Europe, South America, and the Middle East. Most targeted industries include IT, financial, and real estate.

To mitigate the threat, Microsoft recommended a layered defense strategy, which include enabling tamper protection and network protection in Microsoft Defender for Endpoint, and running endpoint detection and response in block mode, among other things.