Play Ransomware Group Exploits Windows CLFS Zero-Day Vulnerability
Threat actors associated with the Play ransomware group exploited a zero-day vulnerability in Microsoft Windows to target an unnamed U.S. organization, The Hacker News reports.
The flaw, CVE-2025-29824, affects the Common Log File System (CLFS) driver and allows privilege escalation. Microsoft has since patched it, but the attackers used it before the fix was released.
The attackers likely gained initial access through a public-facing Cisco ASA device and then moved laterally within the network. They deployed “Grixba,” a custom info-stealer tied to Play ransomware, and disguised malware files as Palo Alto Networks software in the Music folder. The attackers also ran commands to map out machines within Active Directory, saving results to a CSV file.
Two key files were created during exploitation: PDUDrv.blf, a CLFS log artifact, and clssrv.inf, a malicious DLL injected into winlogon.exe that drops two batch files. One script, servtask.bat, escalates privileges, dumps sensitive Registry hives, creates a new admin user “LocalSvc,” and adds it to the Administrators group. The other, cmdpostfix.bat, removes traces of the intrusion.
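As an added illustration (not code from the article or from Halcyon), the following Python hunt flags the post-exploitation artifacts described above in normalized endpoint telemetry: the named dropper files, executable content staged under a user's Music folder, winlogon.exe spawning a batch script, and creation of the LocalSvc account plus its addition to local Administrators. The event records, field names and paths are constructed sample data shaped like Sysmon (IDs 1, 11) and Windows Security (IDs 4720, 4732) events, not logs from the reported incident.

```python
import re
from typing import Dict, List

# Artifact names reported for this intrusion (from the article).
REPORTED_FILES = {"pdudrv.blf", "clssrv.inf", "servtask.bat", "cmdpostfix.bat"}
REPORTED_USER = "localsvc"

# The operators staged files disguised as Palo Alto software under the Music folder,
# so any executable content written there is worth a look.
MUSIC_DIR = re.compile(r"\\users\\[^\\]+\\music\\", re.IGNORECASE)
EXEC_EXT = (".dll", ".bat", ".inf", ".exe")

def hunt(events: List[Dict[str, str]]) -> List[str]:
    """Return one finding string per suspicious event.
    Each event is a normalized dict with 'id' (event ID as a string) plus
    the fields the rule needs; field names follow Sysmon/Security naming (assumed)."""
    findings = []
    for ev in events:
        eid = ev.get("id")
        if eid == "11":  # Sysmon FileCreate
            path = ev.get("TargetFilename", "")
            name = path.rsplit("\\", 1)[-1].lower()
            if name in REPORTED_FILES:
                findings.append(f"known Play artifact written: {path}")
            elif MUSIC_DIR.search(path) and name.endswith(EXEC_EXT):
                findings.append(f"executable content dropped in Music folder: {path}")
        elif eid == "1":  # Sysmon ProcessCreate
            parent = ev.get("ParentImage", "").lower()
            cmd = ev.get("CommandLine", "")
            if parent.endswith("\\winlogon.exe") and ".bat" in cmd.lower():
                findings.append(f"winlogon.exe launched a batch script: {cmd}")
        elif eid == "4720" and ev.get("TargetUserName", "").lower() == REPORTED_USER:
            findings.append(f"reported backdoor account created: {ev['TargetUserName']}")
        elif eid == "4732" and ev.get("TargetUserName", "").lower() == "administrators":
            findings.append(f"member added to local Administrators: {ev.get('MemberName')}")
    return findings

# Constructed sample telemetry (not from the real incident) covering each rule.
SAMPLE_EVENTS = [
    {"id": "11", "TargetFilename": r"C:\Users\jdoe\Music\PaloAltoNetworks\clssrv.inf"},
    {"id": "11", "TargetFilename": r"C:\Users\jdoe\Music\PaloAltoNetworks\GlobalProtect.dll"},
    {"id": "11", "TargetFilename": r"C:\Users\jdoe\Music\song.mp3"},
    {"id": "1", "ParentImage": r"C:\Windows\System32\winlogon.exe",
     "CommandLine": r"cmd.exe /c C:\Users\jdoe\Music\servtask.bat"},
    {"id": "4720", "TargetUserName": "LocalSvc"},
    {"id": "4732", "TargetUserName": "Administrators", "MemberName": "LocalSvc"},
    {"id": "1", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Real 4732 events carry the member as a SID rather than a name, so a production version should resolve MemberSid before matching.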
Although no ransomware was deployed, the attack shows the increasing use of zero-days by ransomware operators. Researchers noted the exploit may have circulated among multiple threat actors prior to Microsoft’s patch, reinforcing the need for rapid vulnerability management.
Takeaway: Let’s be clear: this isn’t your old-school ransomware playbook anymore. An attack leveraging a zero-day vulnerability is yet another sign that ransomware operators are playing at a much higher level now.
These crews aren’t just repurposing commodity malware. They’re reinvesting their ransom profits to hire serious dev talent, and the result is a growing list of custom tools, faster encryption routines, and increasingly stealthy data exfiltration techniques.
A few years ago, seeing a ransomware group drop a zero-day would’ve been shocking. That kind of capability was usually reserved for nation-state operators running surgical missions. But now? It’s becoming part of the standard toolkit for top-tier ransomware crews.
They’re not just automating vulnerability scanning. They’re building bespoke exploits and chaining them with living-off-the-land techniques to quietly move through networks, escalate privileges, exfiltrate sensitive data, and avoid detection. This is adversary innovation in motion.
The fact that a ransomware actor weaponized an unpatched privilege escalation bug and potentially shared it across multiple crews should be a wake-up call.
We used to deal with brute-force tactics and sloppy phishing campaigns. Today’s threats are leaner, smarter, and more calculated. If defenders are still stuck thinking ransomware is just a clumsy smash-and-grab, they’re going to get blindsided.
The game has changed. It’s time for defenders to start playing by the new rules.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.