The Play ransomware gang has exploited a high-severity Windows Common Log File System flaw in zero-day attacks to gain SYSTEM privileges and deploy malware on compromised systems.
The vulnerability, tracked as CVE-2025-29824, was tagged by Microsoft as exploited in a limited number of attacks and patched during last month’s Patch Tuesday.
“The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia,” Microsoft said in April.
Microsoft linked these attacks to the RansomEXX ransomware gang, saying the attackers installed the PipeMagic backdoor malware, which was used to drop the CVE-2025-29824 exploit, deploy ransomware payloads, and leave ransom notes after encrypting files.
Since then, Symantec’s Threat Hunter Team has also found evidence linking exploitation of this flaw to the Play ransomware-as-a-service operation, saying the attackers deployed a CVE-2025-29824 zero-day privilege escalation exploit after breaching a U.S. organization’s network.
“Although no ransomware payload was deployed in the intrusion, the attackers deployed the Grixba infostealer, which is a custom tool associated with Balloonfly, the attackers behind the Play ransomware operation,” Symantec said.
“Balloonfly is a cybercrime group that has been active since at least June 2022 and uses the Play ransomware (also known as PlayCrypt) in attacks.”
The Grixba custom network-scanning and information-stealing tool was first spotted two years ago, and Play ransomware operators typically use it to enumerate users and computers in compromised networks.
The Play cybercrime gang surfaced in June 2022 and is also known for double-extortion attacks, in which its affiliates pressure victims into paying ransoms to avoid having their stolen data leaked online.
In December 2023, the FBI issued a joint advisory with CISA and the Australian Cyber Security Centre (ACSC), warning that the Play ransomware gang had breached the networks of around 300 organizations worldwide as of October 2023.
Previous notable Play ransomware victims include cloud computing company Rackspace, car retailer giant Arnold Clark, the City of Oakland in California, Dallas County, the Belgian city of Antwerp, and, more recently, American semiconductor supplier Microchip Technology and doughnut chain Krispy Kreme.