Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day to Breach U.S. Organization
May 07, 2025
Ransomware / Endpoint Security
Threat actors with links to the Play ransomware family exploited a recently patched security flaw in Microsoft Windows as a zero-day as part of an attack targeting an unnamed organization in the United States. The attack, per the Symantec Threat Hunter Team, part of Broadcom, leveraged CVE-2025-29824 , a privilege escalation flaw in the Common Log File System (CLFS) driver. It was patched by Microsoft last month. Play , also called Balloonfly and PlayCrypt, is known for its double extortion tactics, wherein sensitive data is exfiltrated prior to encryption in exchange for a ransom. It's active since at least mid-2022. In the activity observed by Symantec, the threat actors are said to have likely leveraged a public-facing Cisco Adaptive Security Appliance (ASA) as an entry point, taking advantage of an as-yet-undetermined method to move to another Windows machine on the target network. The attack is notable for the use of Grixba , a bespoke information stealer previously attr...