The Hacker News reports.
Intrusions exploiting the recently addressed Windows Common Log File System Driver zero-day vulnerability, tracked as CVE-2025-29824, have been deployed by the Play ransomware gang, also known as Balloonfly or PlayCrypt, against a U.S. organization. Initial access through a public-facing Cisco Adaptive Security Appliance allowed the Play attackers to deploy both the Grixba information-stealing payload and a CVE-2025-29824 exploit, the latter concealed by spoofing Palo Alto Networks software, according to findings from Symantec. Execution of the exploit creates a pair of files within the C:\ProgramData\SkyPDF path: the first a Common Log File System file that serves as an artifact, the second a DLL that delivers two further batch files. While the first batch file enables privilege escalation, the other removes evidence of compromise, said researchers, who noted that the latest attacks were not associated with the previous CLFS bug exploitation by the Storm-2460 threat operation.