
Play Ransomware Used Windows Zero-Day CVE-2025-29824 to Breach U.S. Organization


In early May 2025, cybersecurity researchers from Symantec's Threat Hunter Team reported that the Play ransomware group exploited a zero-day vulnerability in Microsoft Windows, identified as CVE-2025-29824, to breach a U.S.-based organization. This flaw, located in the Common Log File System (CLFS) driver, was patched by Microsoft in April 2025.

The attackers likely gained initial access through a public-facing Cisco Adaptive Security Appliance (ASA). Once inside, they moved laterally within the network, deploying a custom information stealer named Grixba. This malware was disguised as legitimate Palo Alto Networks software and placed in the system's Music folder.

During the exploitation process, two files were created in the "C:\ProgramData\SkyPDF" directory:

  • PDUDrv.blf: A base log file associated with CLFS, serving as an artifact of the exploitation.

  • clssrv.inf: A DLL injected into the "winlogon.exe" process, capable of deploying two batch files.

One batch file, "servtask.bat," was used to escalate privileges, extract sensitive registry hives (SAM, SYSTEM, and SECURITY), and create a new user account named "LocalSvc" with administrative rights. The other, "cmdpostfix.bat," was designed to clean up traces of the intrusion.

Notably, no ransomware payload was deployed during this attack, suggesting a focus on reconnaissance and data exfiltration. Symantec's findings indicate that exploits for CVE-2025-29824 may have been available to multiple threat actors prior to Microsoft's patch release. This incident underscores the growing trend of ransomware groups leveraging zero-day vulnerabilities to infiltrate target networks.
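The artifacts listed above (the SkyPDF staging directory and its two files, the DLL loaded into winlogon.exe, the two batch files, and the LocalSvc account) can be turned into host-telemetry detections. The following is an added hunting example, not code from the report or from Symantec; it assumes a simple JSON-lines event schema of its own, and the `reg.exe save` pattern for hive extraction is an assumed heuristic, since the report does not state how the hives were dumped.

```python
import json
import re
# Indicators named in the report summarised above (paths, file and account names).
SKYPDF_DIR = r"c:\programdata\skypdf"
STAGING_FILES = ("pdudrv.blf", "clssrv.inf")
BATCH_FILES = ("servtask.bat", "cmdpostfix.bat")
ROGUE_ACCOUNT = "localsvc"
# Assumed heuristic: the report does not say how SAM/SYSTEM/SECURITY were extracted.
HIVE_DUMP = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I)

def scan_event(ev):
    """Return the indicator names matched by one event (a dict from a JSON line)."""
    hits = []
    kind = ev.get("event")
    path = ev.get("path", "").lower()
    name = path.rsplit("\\", 1)[-1]
    user = ev.get("user", "").lower()
    if kind == "file_create" and path.startswith(SKYPDF_DIR + "\\"):
        hits.append("skypdf_staging_dir")
        if name in STAGING_FILES:
            hits.append("clfs_artifact:" + name)
    if kind == "image_load" and ev.get("process", "").lower().endswith("winlogon.exe") and name == "clssrv.inf":
        hits.append("winlogon_injected_dll")
    if kind == "process_create":
        cmd = ev.get("cmdline", "")
        hits += ["play_batch:" + b for b in BATCH_FILES if b in cmd.lower()]
        if HIVE_DUMP.search(cmd):
            hits.append("registry_hive_dump")
    if kind == "user_created" and user == ROGUE_ACCOUNT:
        hits.append("rogue_account_localsvc")
    if kind == "group_add" and user == ROGUE_ACCOUNT and ev.get("group", "").lower() == "administrators":
        hits.append("rogue_account_admin")
    return hits

def scan(lines):
    """Scan JSON-lines telemetry and return (line index, indicator) pairs."""
    return [(i, h) for i, line in enumerate(lines) for h in scan_event(json.loads(line))]

# Constructed sample telemetry in the assumed schema; these are not logs from the incident.
SAMPLE = [
    r'{"event":"file_create","path":"C:\\ProgramData\\SkyPDF\\PDUDrv.blf"}',
    r'{"event":"file_create","path":"C:\\ProgramData\\SkyPDF\\clssrv.inf"}',
    r'{"event":"image_load","process":"C:\\Windows\\System32\\winlogon.exe","path":"C:\\ProgramData\\SkyPDF\\clssrv.inf"}',
    r'{"event":"process_create","cmdline":"cmd.exe /c C:\\ProgramData\\SkyPDF\\servtask.bat"}',
    r'{"event":"process_create","cmdline":"reg.exe save HKLM\\SAM C:\\ProgramData\\SkyPDF\\sam.hiv"}',
    r'{"event":"user_created","user":"LocalSvc"}',
    r'{"event":"group_add","user":"LocalSvc","group":"Administrators"}',
    r'{"event":"process_create","cmdline":"notepad.exe C:\\Users\\alice\\notes.txt"}',
]
```

Running `scan(SAMPLE)` flags every event except the benign notepad launch; in practice the same checks map onto Sysmon file-create, image-load and process-create events plus Security log 4720/4732 account events.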

SOURCE: https://thehackernews.com/2025/05/play-ransomware-exploited-windows-cve.html