Ransomware Attackers Leveraged Privilege Escalation Zero-day www.security.com/threat-in…

Exploit used by Play-linked attackers targets the CVE-2025-29824 zero-day vulnerability patched on April 8.

Attackers linked to the Play ransomware operation deployed a zero-day privilege escalation exploit during an attempted attack against an organization in the U.S. The attack occurred prior to the disclosure and patching of a Windows elevation of privilege zero-day vulnerability (CVE-2025-29824) in the Common Log File System Driver (clfs.sys) on April 8, 2025.

Although no ransomware payload was deployed in the intrusion, the attackers did drop the Grixba infostealer, a custom tool associated with Balloonfly, the group behind the Play ransomware operation. Balloonfly is a cybercrime group that has been active since at least June 2022 and uses the Play ransomware (also known as PlayCrypt) in its attacks. The group has impacted a wide range of businesses and critical infrastructure organizations in North America, South America, and Europe.
