Ransomware Exploits Windows Vulnerability CVE-2025-29824 as Zero-Day Threat to Compromise U.S. Organization
Threat actors associated with the Play ransomware family have exploited a recently patched vulnerability in Microsoft Windows to launch a targeted attack against an unnamed organization in the United States. The attack utilized CVE-2025-29824, a privilege escalation flaw in the Common Log File System (CLFS) driver, which was addressed by Microsoft last month.
Play ransomware, also known as Balloonfly or PlayCrypt, is recognized for employing double extortion tactics—exfiltrating sensitive data prior to encryption and demanding a ransom. This group has been active since at least mid-2022.
The Symantec Threat Hunter Team reported that the attackers likely utilized a publicly accessible Cisco Adaptive Security Appliance (ASA) as an entry point. They advanced within the target network using an unspecified technique to move laterally to another Windows system.
Significantly, the attack featured the use of Grixba, a custom information stealer previously linked to Play, alongside an exploit of CVE-2025-29824. The malicious payload was dropped in the Music folder, impersonating legitimate Palo Alto Networks software with filenames like “paloaltoconfig.exe” and “paloaltoconfig.dll.”
The attackers also executed commands to gather information across all available machines in the victims’ Active Directory, saving the results in a CSV file. During the exploitation phase, two files were created in the directory C:\ProgramData\SkyPDF. The first, PDUDrv.blf, serves as a log file created during exploitation, while the second, clssrv.inf, is a DLL injected into the winlogon.exe process and capable of dropping two additional batch files.
One batch file, “servtask.bat,” escalates privileges, dumps the SAM, SYSTEM, and SECURITY Registry hives, and creates a new user named “LocalSvc,” adding it to the Administrator group. The second, “cmdpostfix.bat,” cleans traces of the exploitation.
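A host triage check for the artifacts described above, added here as an example rather than code from the Symantec report. The page does not say where the two batch files land on disk, so searching the SkyPDF directory for them is an assumption, as are the C:\Users\*\Music path pattern and the winlogon.exe module check (which needs an elevated session to inspect that process).

```powershell
# Hypothetical hunt function: returns one object per indicator found on this host.
function Find-PlayClfsArtifacts {
    $findings = @()

    # 1. Staging directory and the files the report ties to the exploitation phase.
    #    Batch file names are checked here too (location on disk is an assumption).
    $stage = 'C:\ProgramData\SkyPDF'
    foreach ($name in 'PDUDrv.blf', 'clssrv.inf', 'servtask.bat', 'cmdpostfix.bat') {
        $p = Join-Path $stage $name
        if (Test-Path -LiteralPath $p) {
            $findings += [pscustomobject]@{ Type = 'File'; Detail = $p }
        }
    }

    # 2. Payload impersonating Palo Alto Networks software in any user's Music folder.
    $musicDirs = Get-ChildItem 'C:\Users\*\Music' -Directory -ErrorAction SilentlyContinue
    foreach ($dir in $musicDirs) {
        foreach ($name in 'paloaltoconfig.exe', 'paloaltoconfig.dll') {
            $p = Join-Path $dir.FullName $name
            if (Test-Path -LiteralPath $p) {
                $findings += [pscustomobject]@{ Type = 'File'; Detail = $p }
            }
        }
    }

    # 3. The LocalSvc account created by servtask.bat and its Administrators membership.
    $user = Get-LocalUser -Name 'LocalSvc' -ErrorAction SilentlyContinue
    if ($user) {
        $findings += [pscustomobject]@{ Type = 'LocalUser'; Detail = "LocalSvc (Enabled=$($user.Enabled))" }
        $admin = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                 Where-Object { $_.Name -like '*\LocalSvc' }
        if ($admin) {
            $findings += [pscustomobject]@{ Type = 'GroupMember'; Detail = 'LocalSvc is in Administrators' }
        }
    }

    # 4. clssrv.inf loaded into winlogon.exe (module listing requires elevation).
    $loaded = Get-Process -Name winlogon -ErrorAction SilentlyContinue |
              ForEach-Object { $_.Modules } |
              Where-Object { $_.FileName -like '*\clssrv.inf' }
    foreach ($m in $loaded) {
        $findings += [pscustomobject]@{ Type = 'InjectedModule'; Detail = "winlogon.exe loaded $($m.FileName)" }
    }

    return $findings
}

Find-PlayClfsArtifacts | Format-Table -AutoSize
```

An empty result only means these specific artifacts are absent; CLFS exploitation attempts are better caught by monitoring for unexpected .blf files under ProgramData and for new local administrator accounts.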
Notably, no ransomware payload was deployed during this intrusion, indicating that exploits for CVE-2025-29824 may have been accessible to various threat actors prior to the vulnerability’s patch.
The nature of the exploitation observed does not overlap with another activity cluster identified by Microsoft, labeled Storm-2460, which had limited use of the flaw to deliver a trojan named PipeMagic.
The incident underscores the troubling trend of ransomware actors capitalizing on zero-day vulnerabilities to penetrate networks. In a previous report, Symantec noted that the Black Basta group may have similarly exploited a distinct zero-day vulnerability for their operations.
Furthermore, a local bypass technique called “Bring Your Own Installer” (BYOI) has emerged, which threat actors exploit to circumvent endpoint detection and response (EDR) systems during ransomware attacks. Aon’s Stroz Friedberg Incident Response Services revealed that this technique, employed against SentinelOne’s EDR, involves exploiting a flaw in the upgrade/downgrade mechanism of the SentinelOne agent.
With the BYOI attack strategy, threat actors run a legitimate installer and disrupt the installation process using a “taskkill” command, rendering the system unprotected. This method eliminates reliance on vulnerable drivers, exploiting administrative access on publicly exposed servers.
SentinelOne has responded to this technique by updating its Local Upgrade Authorization feature to mitigate potential bypasses and enhance its detection capabilities via its Platform Detection Library.
Ransomware attacks have increasingly focused on domain controllers, affording threat actors access to privileged accounts and the capacity to encrypt numerous systems swiftly. Recent statistics indicate that over 78% of cyberattacks involving human operators successfully breach domain controllers, with such devices serving as primary vectors for widespread ransomware deployment.
In addition, newer Ransomware-as-a-Service (RaaS) platforms, such as PlayBoy Locker, are equipping less skilled cybercriminals with robust tools and support for executing ransomware attacks. This segmentation of the ransomware ecosystem illustrates the evolving landscape of cyber threats, where smaller, agile gangs are increasingly targeting medium-sized organizations that may lack sufficient defenses.
The emergence of sophisticated groups, including the DragonForce ransomware cartel, further complicates the threat environment. By providing infrastructure and operational support to affiliates while allowing them to brand their campaigns independently, DragonForce showcases how modern ransomware operations are leveraging collaboration to enhance their efficacy.
Given the escalating threat landscape, organizations are urged to adopt comprehensive security measures and stay vigilant against the evolving tactics employed by ransomware threat actors.