Валентин Шнайдер | Around IT
19 August 2025, 18:12
Microsoft has discovered a dangerous virus disguised as the ChatGPT desktop application
Microsoft has warned users about the emergence of a dangerous fake: an application is spreading on the Internet that pretends to be the official ChatGPT Desktop App, but in fact infects computers with the PipeMagic virus.
As TechRadar reports, the company notes in its investigation that the attack starts with a modified project on GitHub, where instead of the original program, the user receives an infected version. Inside it is a hidden tool capable of decrypting and running a malicious payload in memory without saving files to disk.
PipeMagic is associated with the Storm-2460 group, which Microsoft had already tracked in the spring of 2025. At that time, the attackers used a zero-day vulnerability in the Common Log File System (CVE-2025-29824) to spread the RansomEXX ransomware. Now, the tool has evolved from a simple Trojan to a full-fledged modular framework.
The new version of PipeMagic can perform dynamic loads, collect system information, elevate user privileges, execute arbitrary code, and silently exchange encrypted data via named pipes. In addition, the backdoor is able to update itself by receiving new modules directly from the control servers.
Microsoft says the number of affected companies is currently limited. Targets include companies in the US, Europe, Latin America and the Middle East, mainly in the IT, financial and real estate sectors. However, the company warns that even a small-scale infection is dangerous, given the potential of the modular framework.
To minimize the risks of infection, experts advise using multi-layered protection: activate the tamper protection feature in Microsoft Defender, run endpoint detection and response in blocking mode, and carefully check the origin of programs before downloading them.
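The checks advised above can be scripted on a Windows endpoint. The following PowerShell is an added example, not code from Microsoft or from the original article; the function names `Test-DefenderPosture` and `Test-DownloadedInstaller` and the installer path in the usage comment are hypothetical, and it assumes the built-in Defender module is present.

```powershell
# Added example: audit the Defender settings named in the advice and vet a downloaded installer.

function Test-DefenderPosture {
    # Get-MpComputerStatus exposes tamper protection and the antivirus running mode.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        TamperProtection = $s.IsTamperProtected
        RealTimeEnabled  = $s.RealTimeProtectionEnabled
        RunningMode      = $s.AMRunningMode   # e.g. "Normal", "Passive Mode", "EDR Block Mode"
        # Flag hosts where tamper protection is off, or where Defender AV is passive
        # without EDR block mode taking over remediation.
        NeedsReview      = (-not $s.IsTamperProtected) -or ($s.AMRunningMode -match 'Passive')
    }
}

function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha256   # hash published by the vendor, if one is available
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # Mark-of-the-Web: the Zone.Identifier stream records where a browser download came from.
    $motw    = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $hostUrl = ($motw | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''

    [pscustomobject]@{
        File            = $Path
        SignatureStatus = $sig.Status                     # "Valid", "NotSigned", "HashMismatch", ...
        Signer          = $sig.SignerCertificate.Subject  # empty when the file is unsigned
        Sha256          = $hash
        HashMatches     = if ($ExpectedSha256) { $hash -eq $ExpectedSha256 } else { $null }
        DownloadedFrom  = $hostUrl
    }
}

# Usage (hypothetical path):
#   Test-DefenderPosture
#   Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\installer.exe"
```

An unsigned installer, a signer that is not the expected publisher, or a `DownloadedFrom` value pointing at an unfamiliar repository are the signals to stop and verify the source before running the file.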
PipeMagic is another example of how the popularity of AI services, in particular ChatGPT, is being used as "bait" by cybercriminals. According to analysts' research, fake applications and fake updates are becoming the most common way to infect corporate systems. This threat is especially relevant for Ukraine, as cyberattacks often become part of broader information and hybrid operations.
We also recently wrote about how the Anubis hacking group, behind one of the newer ransomware-as-a-service (RaaS) services, implemented a module into its malware that not only encrypts files, but also completely destroys their contents.