Monday , July 13 2026
Play Ransomware

CVE-2025-29824
Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day

Attackers linked to the Play ransomware operation deployed a zero-day privilege escalation exploit during an attempted attack against an organization in the U.S. The attack occurred prior to the disclosure and patching of a Windows elevation of privilege zero-day vulnerability (CVE-2025-29824) in the Common Log File System Driver (clfs.sys) on April 8, 2025.

Although no ransomware payload was deployed in the intrusion, the attackers deployed the Grixba infostealer, which is a custom tool associated with Balloonfly, the attackers behind the Play ransomware operation.

Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Global ransomware attacks stayed very high in the first seven months of 2026. There were 5,064 confirmed victims in 135...
Read More
Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Palo Alto Networks Addresses 13 Vulnerabilities

Palo Alto Networks shared warnings on Wednesday about over twelve security issues in its products. The new warnings include 13 security...
Read More
Palo Alto Networks Addresses 13 Vulnerabilities

Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

A critical flaw with how Dell saves BIOS passwords lets anyone quickly recover these passwords from a flash dump without...
Read More
Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

CoLoCity is proud to launch a new Data Center in Gulshan-2. It is designed to meet the growing demand for...
Read More
CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

Daily Cyber security update for 10. 07. 2026

Cyberattacks are rising around the world, including ransomware, malware, data leaks, and hacked websites. These events show how complex and...
Read More
Daily Cyber security update for 10. 07. 2026

How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

A major AWS attack shows how attackers with AI can connect known cloud strategies to go from first access to...
Read More
How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

Mycelium Framework: First AI-as-a-Service Botnet

A new cybercrime ad is catching attention in the security world. It talks about a botnet that doesn't just get...
Read More
Mycelium Framework: First AI-as-a-Service Botnet

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI agents as more organizations use...
Read More
CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

A critical flaw in Google Cloud Platform’s Dialogflow CX lets attackers add harmful code to a company's AI chatbot system....
Read More
Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh. In an advisory CIRT said, the campaign has been observed globally,...
Read More
CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

Balloonfly is a cybercrime group that has been active since at least June 2022 and uses the Play ransomware (also known as PlayCrypt) in attacks. The group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe.

Attack analysis:

The initial infection vector may have been a public facing Cisco ASA firewall. The attackers moved by unknown means to another, Windows machine on the targeted network.

During the attack, the Balloonfly operators deployed a variety of samples and hacktools in addition to the Grixba infostealer and the exploit for CVE-2025-29824 on this machine. Some of the samples aren’t available to us at the moment of writing, but they were located in the Music folder with suspicious names masquerading as Palo Alto software (paloaltoconfig.exe, paloaltoconfig.dll) or, for example, 1day.exe.

To gather information on all the available machines in the victims’ Active Directory, the attackers executed the following command and saved the output to C:\Users\[REDACTED]\Music\AllWindows.csv file.

powershell Import-Module ActiveDirectory; Get-ADComputer -Filter {enabled -eq $true} -properties *|select comment, description, Name, DNSHostName, OperatingSystem, LastLogonDate, ipv4address | Export-CSV C:\Users\[REDACTED]\Music\AllWindows.csv -NoTypeInformation -Encoding UTF8

Exploitation by multiple actors:

The exploit (or similar exploits) may have been in the hands of multiple actors prior to the patching of CVE-2025-29824. When patching the vulnerability, Microsoft said that it had been exploited against a “small number of targets,” including organizations in the U.S., Venezuela, Spain, and Saudi Arabia. Microsoft said that the exploit had been deployed by the PipeMagic malware, which is often used by a group called Storm-2460 to deploy ransomware.

The nature of the exploitation by Storm-2460 appears different from the Balloonfly-linked activity discovered by Symantec. Microsoft said that the exploit had been launched in memory from a dllhost.exe process. The exploitation discovered by Symantec was not fileless.

Rare ransomware zero-day:

While the use of zero-day vulnerabilities by ransomware actors is rare, it is not unprecedented. Last year Symantec found evidence that attackers linked to the Black Basta ransomware may have been exploiting a recently patched Windows privilege escalation vulnerability (CVE-2024-26169) as a zero-day.

That vulnerability was patched on March 12, 2024, and, at the time, Microsoft said there was no evidence of its exploitation in the wild. However, analysis of an exploit tool revealed evidence that it could have been compiled prior to patching, meaning at least one group may have been exploiting the vulnerability as a zero-day.

Source: Symentec

Check Also

CrowdStrike

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI …