
Play Ransomware Exploits Windows Zero-Day Flaw


A threat group linked to the Play ransomware family has exploited a newly patched Windows zero-day vulnerability to target an undisclosed organization in the United States. The flaw, tracked as CVE-2025-29824, is a privilege escalation bug in Microsoft’s Common Log File System (CLFS) driver and was only recently addressed in a patch by Microsoft.

Play Ransomware Gang Weaponizes CVE-2025-29824 Before Patch

According to the Symantec Threat Hunter Team, attackers weaponized CVE-2025-29824 as a zero-day, gaining elevated privileges on Windows machines. The Play ransomware group, also known as Balloonfly or PlayCrypt, used the flaw to infiltrate the network and plant custom malware.

Investigators believe the attackers may have initially breached the network via a Cisco Adaptive Security Appliance (ASA) exposed to the internet. Although the exact method remains unclear, they eventually gained access to internal Windows systems.

The hackers deployed a custom information stealer named Grixba, previously linked to Play, along with the zero-day exploit. The malicious files were disguised as Palo Alto Networks software, using names like paloaltoconfig.exe, and were hidden in the Music folder.

Two notable files were created in the C:\ProgramData\SkyPDF directory:

  • PDUDrv.blf: A CLFS base log file created during exploitation.
  • clssrv.inf: A DLL injected into winlogon.exe, capable of dropping two batch files.

The batch file servtask.bat was used to:

  • Escalate privileges.
  • Dump SAM, SYSTEM, and SECURITY registry hives.
  • Create a new admin user named “LocalSvc.”

The second script, cmdpostfix.bat, removed forensic traces, ensuring the attack remained stealthy.
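As an added illustration, not taken from the Symantec report or this article, the following Python hunt checks constructed sample endpoint events for the indicators listed above: the SkyPDF staging files, the Palo Alto look-alike binary in the Music folder, a SAM/SYSTEM/SECURITY hive dump, and creation of a "LocalSvc" account. The event field names, the `reg save` and `net user` command forms, and every sample event are assumptions made for the example.

```python
"""Hunt constructed Windows-style events for the Play / CVE-2025-29824 indicators."""
import re

# Constructed sample events (not real telemetry), simplified from Sysmon/EDR fields.
# Assumed field names: event, image, cmdline, path.
SAMPLE_EVENTS = [
    {"event": "FileCreate", "image": r"C:\Users\jdoe\Music\paloaltoconfig.exe",
     "path": r"C:\ProgramData\SkyPDF\PDUDrv.blf"},
    {"event": "FileCreate", "image": r"C:\Users\jdoe\Music\paloaltoconfig.exe",
     "path": r"C:\ProgramData\SkyPDF\clssrv.inf"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe",
     # assumed hive-dump form; the article only says the hives were dumped
     "cmdline": r"cmd.exe /c reg save HKLM\SAM C:\ProgramData\SkyPDF\sam.hiv"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\net.exe",
     # assumed account-creation form for the "LocalSvc" admin user
     "cmdline": "net user LocalSvc P@ss /add"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},  # benign noise, should not match
]

# Each rule: (name, event type it applies to or None for any, regex over the
# joined image/cmdline/path text). Patterns come from the indicators in the article.
RULES = [
    ("skypdf_staging", "FileCreate",
     re.compile(r"\\ProgramData\\SkyPDF\\(PDUDrv\.blf|clssrv\.inf)", re.I)),
    ("paloalto_lookalike_in_music", None,
     re.compile(r"\\Music\\paloaltoconfig\.exe", re.I)),
    ("hive_dump", "ProcessCreate",
     re.compile(r"reg(\.exe)?\s+save\s+HKLM\\(SAM|SYSTEM|SECURITY)\b", re.I)),
    ("localsvc_account_created", "ProcessCreate",
     re.compile(r"net(1)?(\.exe)?\s+user\s+LocalSvc\b.*\s/add\b", re.I)),
]


def match_rules(event):
    """Return the names of all rules that fire on one event, in RULES order."""
    blob = " ".join(event.get(k, "") for k in ("image", "cmdline", "path"))
    hits = []
    for name, etype, pattern in RULES:
        if etype is not None and event.get("event") != etype:
            continue
        if pattern.search(blob):
            hits.append(name)
    return hits


def hunt(events):
    """Set of distinct rule names that fired anywhere in the event stream."""
    return {name for ev in events for name in match_rules(ev)}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["event"], match_rules(ev))
```

Any one hit deserves triage on its own, but the combination of staging files, a hive dump and a new local admin in a short window is the chain the article describes and is what a correlation rule should key on.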

While no ransomware payload was executed in this incident, the use of a zero-day indicates that multiple threat actors may have had early access to this exploit before Microsoft issued a fix.

Notably, Symantec’s findings do not overlap with a different cluster of activity dubbed Storm-2460, which Microsoft recently linked to a separate use of CVE-2025-29824 for dropping the PipeMagic trojan.

Ransomware Groups Adopt New Evasion Tactics

In a related development, Aon’s Stroz Friedberg revealed a novel EDR bypass method used in a Babuk ransomware attack. Called “Bring Your Own Installer,” the tactic disables endpoint protection tools like SentinelOne by exploiting its agent upgrade process.

Attackers with local admin access execute a legitimate SentinelOne installer, then terminate the installation midway using a taskkill command. This interrupts the update and disables the protection agent, leaving the system vulnerable without relying on driver vulnerabilities.

SentinelOne confirmed the bypass and has since enhanced its Local Upgrade Authorization feature to block such abuse by default.

Other ransomware operations are also adapting. The Crytox ransomware group has deployed HRSword, a tool known for disabling endpoint security solutions, to facilitate attacks involving BabyLockerKZ and Phobos.

Meanwhile, ransomware crews are increasingly targeting domain controllers to maximize impact. Microsoft revealed that in over 78% of human-operated ransomware attacks, the domain controller is breached. In 35% of cases, it acts as the primary distribution point for encrypting systems organization-wide.

Ransomware Ecosystem Expands with New Services

New threats like PlayBoy Locker RaaS and the rise of groups like DragonForce are driving ransomware-as-a-service (RaaS) into more accessible, customizable platforms. DragonForce, originally a pro-Palestine hacktivist group, has transformed into a ransomware cartel, powering attacks on major U.K. retailers.

Their white-label service allows affiliates to rebrand ransomware strains and take 80% of any ransom payment. The group provides infrastructure, malware, and ongoing support, streamlining operations for cybercriminals.

Cybersecurity firm Bitsight reports a 25% increase in ransomware attacks in 2024, with smaller, nimble groups now targeting mid-sized businesses. With 53% more leak sites online, threat actors are outpacing law enforcement efforts and expanding their reach.
