Attack Deep Dive · Supply Chain · Multi-Vendor Confirmed

CPUID Breach: STX RAT Delivered via Trojanized CPU-Z & HWMonitor Downloads

A threat actor compromised CPUID's secondary download API for approximately six hours, redirecting users to Cloudflare R2-hosted trojanized installers for CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor. The payload was STX RAT — a previously undocumented multi-stage in-memory remote access trojan with credential theft and browser harvesting capabilities — delivered via DLL sideloading of a malicious cryptbase.dll. The same C2 infrastructure was reused from a March 2026 fake FileZilla campaign, linking this to a 10-month, financially-motivated operation. Confirmed by Kaspersky, Breakglass Intelligence, CYDERES Howler Cell, eSentire TRU, vx-underground, and Symantec.

Supply Chain Attack STX RAT DLL Sideloading Watering Hole CPUID · CPU-Z · HWMonitor Russian-Speaking TA FileZilla Campaign Link CRYPTBASE.dll
01 · What Happened — The Incident

// Full Attack Chain (Confirmed)

    Apache CVE Initial Access (Probable)
      → CPUID API Compromise (~6 hrs)
      → Download Page Redirected to R2 Bucket
      → CRYPTBASE.dll Sideloaded via DLL Search Order
      → 5-Stage In-Memory Unpack Chain
      → STX RAT Deployed + Credentials Stolen
      → welcome[.]supp0v3[.]com C2 Beacon

CPUID is the developer behind CPU-Z and HWMonitor — free diagnostic utilities used by tens of millions of PC enthusiasts, IT professionals, system administrators, and OEM hardware vendors globally. Between April 9, 2026 at approximately 15:00 UTC and April 10, 2026 at approximately 10:00 UTC — a window of roughly 19 hours — the official CPUID download page was compromised.

According to CPUID contributor Samuel Demeulemeester (Doc TB), who acknowledged the breach publicly on X: "A secondary feature (basically a side API) was compromised for approximately six hours between April 9 and April 10, causing the main website to randomly display malicious links (our signed original files were not compromised). The breach was found and has since been fixed."

⚠ Scope of Impact All of the following CPUID products were affected during the breach window: CPU-Z v2.19, HWMonitor v1.63, HWMonitor Pro v1.57, and PerfMonitor 2 v2.04. Malware researcher Giuseppe Massaro additionally identified PowerMAX as affected. Kaspersky identified 150+ confirmed victims across individuals and organizations in retail, manufacturing, consulting, telecommunications, and agriculture. Primary infection geography: Brazil, Russia, China.

The download links were poisoned via the compromised API to redirect to attacker-controlled infrastructure — specifically Cloudflare R2 storage buckets and several other attacker-controlled domains. The original CPUID signed binaries were never modified; the attack lived entirely in the redirect chain and the malicious packages served from external infrastructure.

Community detection began when Reddit user DMkiIIer posted to r/pcmasterrace after downloading what appeared to be HWMonitor 1.63 and receiving a VirusTotal-flagged file named "HWiNFO_Monitor_Setup.exe" with a Russian-language installer. The post quickly gained traction, and tech creator Chris Titus Tech (@christitustech) amplified it with the warning "Millions about to be PWNED!" — triggering rapid community and vendor response. The timing of the attack was notable: CPUID founder Franck Delattre was on leave, and Demeulemeester had been working on Memtest86+ through the night when the breach was discovered.

02 · Campaign Timeline — 10-Month Operation

📊 Breakglass Intelligence Attribution Breakglass Intelligence traces the operation back to July 2025 — a 10-month arc from first known sample to the CPUID compromise. The actor progressively targeted higher-value software distribution points with the same infrastructure and technique chain.
Jul 2025 · Campaign Begins — superbad.exe

Earliest known sample communicating with C2 address 95[.]216[.]51[.]236:31415. Breakglass Intelligence assesses this as the operational start of a 10-month campaign.

Source: Breakglass

Oct 29, 2025 · supp0v3[.]com Registered

Staging domain welcome[.]supp0v3[.]com registered via CNOBIN, a Chinese domain registrar operating out of Hong Kong, known for minimal verification requirements.

Source: Breakglass

Feb–Mar 2026 · Fake FileZilla Campaign

The same threat actor distributes STX RAT via a fraudulent FileZilla FTP installer hosted on filezilla-project[.]live (a typosquat of the legitimate filezilla-project.org). The version.dll sideloading payload called the identical C2: 95[.]216[.]51[.]236:31415. Documented by Malwarebytes and eSentire TRU.

Sources: eSentire, Malwarebytes

Apr 3, 2026 · Earliest Trojanized File Seen (per VirusTotal)

A Reddit user noted that VirusTotal showed the compromised HWiNFO_Monitor_Setup.exe as first seen on 2026-02-11; Breakglass, however, dates the CPUID-specific download link compromise to April 3, 2026 based on infrastructure staging activity.

Sources: Reddit, Breakglass

Apr 9, ~15:00 UTC · Breach Window Opens — Reddit First Report (~21:00 UTC)

Kaspersky confirms download URLs poisoned starting 15:00 UTC. The first community report surfaces at approximately 21:00 UTC from Reddit user DMkiIIer, describing a Russian-language installer and a Defender alert. Chris Titus Tech amplifies it to 1.6M+ X impressions.

Sources: Kaspersky, vx-underground, Reddit

Apr 9–10, 2026 · Active Breach Window — Malicious Downloads Served

CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor download links redirect to attacker R2 buckets and other malicious domains. Community members report the Cloudflare R2 buckets to abuse@cloudflare.com; Cloudflare adds restrictions to the flagged URLs.

Sources: Kaspersky, CYDERES

Apr 10, ~10:00 UTC · CPUID Detects & Remediates — Doc TB Statement

Samuel Demeulemeester detects the breach, restores the download links, and puts everything read-only pending investigation. He publicly acknowledges the incident on X and confirms the breach was limited to approximately 6 hours. Downloads verified clean by Kaspersky by ~10:00 UTC.

Sources: CPUID / X, Kaspersky

Apr 10–12, 2026 · Multi-Vendor Analysis Published

Kaspersky, CYDERES Howler Cell, eSentire TRU (STX RAT original documentation), and vx-underground publish technical analyses. 150+ victims identified. Breakglass Intelligence maps the full 10-month campaign arc.

Sources: Kaspersky, CYDERES, eSentire, Breakglass

Apr 13, 2026 · Symantec & Broadcom Protection Bulletin Published

Symantec publishes a protection bulletin confirming detection coverage (Trojan Horse, Trojan.Gen.MBT, WS.Malware.1, SONAR.TCP!gen1, Heur.AdvML variants). THN and Help Net Security publish consolidated coverage.

Sources: Symantec, THN, HNS
03 · Technical Deep Dive — Infection Chain

Probable Initial Access — Apache CVE-2024-38475

Breakglass Intelligence noted that cpuid.com runs Apache 2.4.59/2.4.66, versions affected by 34 known CVEs. The most probable candidate for initial access is CVE-2024-38475 — an Apache HTTP Server mod_rewrite path traversal vulnerability that allows an attacker to map URLs to filesystem locations not intended to be served, potentially exposing server-side scripts or CMS backend configuration. With write access to the CMS backend, the attacker could modify download links to point to the Cloudflare R2 staging bucket.

⚠ Confidence: Moderate This is assessed as the most likely initial access vector based on the server's Apache version fingerprint and the alignment between the vulnerability's attack surface (URL-to-filesystem remapping) and the observed compromise (download link redirection rather than full server takeover). Not directly confirmed. No other entry point was identified.

Malicious Delivery Infrastructure

The compromised CPUID download page redirected users to the following attacker-controlled domains. All were confirmed by Kaspersky's analysis:

  • hxxps://cahayailmukreatif.web[.]id/sw-content/template/hwmonitor/hwinfo_monitor_setup.exe
  • hxxps://pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev/ [multiple paths — CPU-Z, HWMonitor, HWMonitor Pro, PerfMonitor]
  • hxxps://transitopalermo[.]com/config/hwmonitor/ [multiple files]
  • hxxps://vatrobran[.]hr/en-GB/info/ [multiple files]
  • hxxp://pub-fd67c956bf8548b7b2cc23bb3774ff0c[.]r2[.]dev/hwmonitor_1[.]63[.]zip [CYDERES-identified]

Stage 1 — Trojanized Inno Setup Installer

The malicious package, distributed as both a ZIP archive and a standalone installer (e.g., HWiNFO_Monitor_Setup.exe), contained two components: a legitimate signed CPUID executable for the corresponding product and a malicious DLL named CRYPTBASE.dll. An immediate red flag noted by community researchers: the Inno Setup installer presented Russian-language dialogs — CPUID is a French company.

CYDERES confirmed the malicious CRYPTBASE.dll carries a timestomped compilation timestamp set to 2077-08-31 05:16:43 — a deliberate artifact to hinder timeline analysis and forensic correlation.
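As an added example (not CYDERES's tooling or code from this report), the following Python triage check reads the COFF TimeDateStamp straight from a PE header and flags a stamp like 2077-08-31 05:16:43 as a future build date. The header bytes it parses are constructed, and the analysis time is assumed to be the breach date.

```python
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER layout: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
_COFF_FMT = "<HHIIIHH"
_COFF_LEN = struct.calcsize(_COFF_FMT)

# Epoch seconds for the CYDERES-reported stamp 2077-08-31 05:16:43 UTC, and a
# constructed analysis time at the breach window (2026-04-10 00:00 UTC).
STOMPED_2077 = int(datetime(2077, 8, 31, 5, 16, 43, tzinfo=timezone.utc).timestamp())
ANALYSIS_TIME = int(datetime(2026, 4, 10, tzinfo=timezone.utc).timestamp())


def coff_timestamp(pe: bytes) -> int:
    """Read the unsigned 32-bit TimeDateStamp after validating the MZ and PE
    signatures; refuses truncated data rather than reading past it."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if e_lfanew + 4 + _COFF_LEN > len(pe):
        raise ValueError("truncated: e_lfanew points past the end of the data")
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing at e_lfanew")
    _machine, _nsect, stamp, *_ = struct.unpack_from(_COFF_FMT, pe, e_lfanew + 4)
    return stamp


def classify_timestamp(stamp: int, now: int, earliest_year: int = 2000) -> str:
    """Triage verdict: 'zeroed', 'future', 'ancient' or 'plausible'. The field is
    unsigned, so a 2077 date is representable (it exceeds the signed 2038 limit,
    which is why some tools print it negative or wrapped) and is a timestomp
    tell; 0 / 0xFFFFFFFF show up in reproducible or scrubbed builds."""
    if stamp in (0, 0xFFFFFFFF):
        return "zeroed"
    if stamp > now:
        return "future"
    if datetime.fromtimestamp(stamp, tz=timezone.utc).year < earliest_year:
        return "ancient"
    return "plausible"


def build_stub(stamp: int) -> bytes:
    """Constructed minimal MZ + PE + COFF header carrying `stamp` (test data only)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack(_COFF_FMT, 0x8664, 1, stamp, 0, 0, 0, 0x2022)  # x64 DLL flags
    return dos + b"PE\0\0" + coff


if __name__ == "__main__":
    stamp = coff_timestamp(build_stub(STOMPED_2077))
    print(hex(stamp), classify_timestamp(stamp, ANALYSIS_TIME))
```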

Stage 2 — DLL Sideloading via CRYPTBASE.dll

Under the Windows DLL search order, when HWMonitor_x64.exe (or any CPUID executable) launches, the application's own directory is searched before the system directories. Because the malicious CRYPTBASE.dll sits in the same directory as the legitimate executable, it is loaded in place of the system copy — sideloading the attacker's DLL without any exploit. CRYPTBASE.dll is also the name of a legitimate Windows system library, so the load looks routine: a living-off-the-land technique that bypasses application whitelisting that trusts the signed parent process.

⚡ Important: Only 64-bit Affected CYDERES Howler Cell confirmed that only the 64-bit version (HWMonitor_x64.exe) is affected in this attack due to the DLL search order behavior. The 32-bit variant does not sideload CRYPTBASE.dll from the application directory in the same way.

Inside DllMain, the malware spawns a thread which in turn starts a second thread that runs the primary malicious payload; this two-hop threading lets DllMain return and release the loader lock. In parallel it loads the legitimate cryptbase.dll from System32 and returns TRUE, avoiding a deadlock and letting the host application appear to function normally.

C2 Pre-Check & Campaign Registration

Before initiating the unpacking chain, the malware sends JSON-formatted victim metadata to the hardcoded C2 domain welcome[.]supp0v3[.]com for victim tracking. The configuration embedded in the DLL includes campaign tags. CYDERES identified four active campaign tags and two referrer values:

C2 Callback JSON — Campaign Metadata

    // CPU-Z victim:
    {
      "hello": {
        "tag": "tbs",            // Active tags: tbs | tbs2 | tbs3 | snip
        "referrer": "cpz",       // CPU-Z victims = "cpz"
        "callback": "hxxps://welcome.supp0v3[.]com/d/callback"
      }
    }

    // HWMonitor victim:
    {
      "hello": {
        "tag": "tbs",
        "referrer": "monitor3",  // HWMonitor victims = "monitor3"
        "callback": "hxxps://welcome.supp0v3[.]com/d/callback"
      }
    }

Five-Stage In-Memory Unpacking Chain

After the malicious DLL is sideloaded, it initiates a five-stage unpacking chain. Each stage decrypts and reflectively loads the next — entirely in memory. This produces zero on-disk artifacts after Stage 1, making forensic recovery and static detection extremely difficult. CYDERES Howler Cell documented the complete chain:

S1 · CRYPTBASE.dll — Inno Setup Installer (on-disk)

Timestomped to 2077. Spawns thread to release loader lock, loads legitimate cryptbase.dll from System32, initiates payload thread. Sends initial C2 beacon with campaign metadata.

S2 · In-Memory Shellcode Stub — Reflective PE Loader

Compact shellcode that locates the entry point of the reflective PE loader. Entirely in memory. SHA-256: 1331f19c6732fca81f32c4cec9f89abf26371ed9d3665954f491c89e2c55e5bb

S3 · Reflective PE — Resource Section Decryption

After the PE is mapped into memory, it unpacks Stage 4 by XOR-decrypting data embedded in the resource section. XOR key: 53 F4 49 91 8C E5 D9 9B 3A CE 62 5F 80 40 7B 30. SHA-256: 116d806a5ca6f34fdd04061499daca9a352feb2e3f291c7ef3e5d470fe875f7f

S4 · Reflective DLL — Same XOR + Bitwise Manipulation

Functions as a reflectively loaded DLL. Once mapped, unpacks Stage 5 using the same XOR decryption and bitwise manipulation routine. SHA-256: a70645f46eee6d765c54ba4a5c48166bd83bcfbc7771a82be9ed48ab4871ebfa

S5 · STX RAT — Final Payload

Core malware binary with full RAT + infostealer capabilities. Contacts welcome[.]supp0v3[.]com C2. SHA-256: 52862b538459c8faaf89cf2b5d79c2f0030f79f80a68f93d65ec91f046f05be6

🔬 vx-underground Assessment "This malware is deeply trojanized, distributes from a compromised domain, performs file masquerading, is multi-staged, operates (almost) entirely in-memory, and uses interesting methods to evade EDRs and/or AVs such as proxying NTDLL functionality from a .NET assembly. Whoever developed this malware actually cares about evasion and made some intelligent decisions when developing this malware payload. The ultimate goal of this malware is data theft, specifically browser credentials. Overall I give this malware a B-."
04 · STX RAT — Payload Analysis (eSentire TRU)

STX RAT was first documented by eSentire's Threat Response Unit (TRU) on April 8, 2026, after observing an attempted delivery in a customer environment in the Finance industry in late February 2026. The name derives from its use of the Start of Text (STX) magic byte "\x02" prefixed to all C2 messages. The malware's FileZilla campaign vector was separately documented by Malwarebytes in early March 2026.

Packing & String Obfuscation

The packer is characterized by two exports named "init" and "run", with XXTEA decryption / Zlib decompression on a byte array in the .DATA section. Following tail jumps is effective for unpacking the core payload.

Strings are obfuscated via two mechanisms: (1) rolling XOR-encoding where the key index advances per byte and wraps at a predefined modulus — for example, key starting at 0x39, incrementing, wrapping at 0x6C — and (2) AES-128-CTR encryption via CryptDecrypt API, stored in a table with the structure: AES key (16 bytes) + nonce (5 bytes) + ciphertext length (DWORD) + ciphertext. Strings are decrypted on demand and deleted from memory immediately after use.
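An added Python decoder for the rolling-XOR scheme, written for this write-up rather than taken from eSentire's tooling. It assumes the key byte at position i is (start + i) mod modulus (the report does not spell out the wrap semantics), and the sample string it encodes is constructed from the string in the public YARA rule. The recover_params helper goes a step beyond the text: it brute-forces the constants for a build that uses a different pair.

```python
from typing import List, Tuple


def rolling_key(start: int, modulus: int, length: int) -> bytes:
    """Key stream for `length` bytes: the index starts at `start`, advances by
    one per byte and wraps to 0 at `modulus` (assumed wrap semantics)."""
    if not (0 <= start < 256 and 0 < modulus <= 256):
        raise ValueError("start must be a byte value and modulus in 1..256")
    return bytes((start + i) % modulus for i in range(length))


def rolling_xor(data: bytes, start: int, modulus: int) -> bytes:
    """XOR is its own inverse, so one routine both encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, rolling_key(start, modulus, len(data))))


def decode_string(blob: bytes, start: int = 0x39, modulus: int = 0x6C) -> str:
    """Decode with the constants eSentire documents for this sample and refuse
    non-printable output, the usual sign that another build uses other constants."""
    out = rolling_xor(blob, start, modulus)
    if not all(0x20 <= b < 0x7F for b in out):
        raise ValueError("decoded bytes are not printable ASCII; wrong start/modulus?")
    return out.decode("ascii")


def recover_params(blob: bytes, crib: bytes) -> List[Tuple[int, int]]:
    """Brute-force every (start, modulus) pair under which `blob` decodes to
    something beginning with `crib`. A crib longer than (modulus - start) bytes
    crosses the wrap and pins the modulus down; a shorter crib only fixes the
    start, so expect many candidates then. Only start < modulus is searched
    because a larger start yields the same key stream as start mod modulus."""
    if len(crib) > len(blob):
        raise ValueError("crib is longer than the blob")
    implied = [b ^ c for b, c in zip(blob, crib)]  # key bytes the crib implies
    hits = []
    for modulus in range(1, 257):
        for start in range(modulus):
            if all(k == (start + i) % modulus for i, k in enumerate(implied)):
                hits.append((start, modulus))
    return hits


# Constructed test data: the provider string from the public YARA rule, encoded
# with the documented constants. 65 bytes exceeds 0x6C - 0x39 = 51, so the key
# index wraps inside the string.
PLAINTEXT = b"Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)"
ENCODED = rolling_xor(PLAINTEXT, 0x39, 0x6C)

if __name__ == "__main__":
    print(decode_string(ENCODED))
    print(recover_params(ENCODED, PLAINTEXT))
```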

Anti-VM / Anti-Analysis

STX RAT performs extensive pre-execution checks. On detection of any virtualization or analysis artifact, the malware jitter-exits (sleeps with a randomized delay and exits). The checks include:

  • VirtualBox (HKLM keys, files)
  • VMware (registry + drivers)
  • QEMU (VirtIO drivers)
  • Parallels
  • BIOS date: 06/23/99 check
  • Process name must contain "powershell" or "msbuild"
  • PEB BeingDebugged flag

AMSI Ghosting

The malware implements AMSI Ghosting — patching the Windows API rpcrt4!NdrClientCall3 to disable a core RPC layer that AMSI depends on, preventing security solutions from acting on AMSI telemetry. The window is also hidden from Alt+Tab and the Taskbar by targeting the "CASCADIA_HOSTING_WINDOW_CLASS" (Windows Terminal class name) and adding WS_EX_TOOLWINDOW.

C2 Protocol — Cryptographic Design

STX RAT's C2 protocol is sophisticated. Communication occurs over TCP (C2: 95[.]216[.]51[.]236:31415 — a non-standard port) with the following cryptographic stack:

Key Exchange

X25519 ECDH derives a per-session shared secret. C2 sends its X25519 public key + Ed25519 signature. Client verifies using hard-coded Ed25519 public key: 4DwvIfxy4thDpGXKYjew8MTI1jYwFEIs2oHuW35BtVM= (rolling XOR encoded). Prevents C2 spoofing.

Session Encryption

Shared secret → HKDF-SHA256 → 32-byte ChaCha20 key (no salt, empty info). All traffic encrypted with ChaCha20-Poly1305. Message format: [nonce₁₂ | ciphertext | poly1305_tag₁₆]. Framing: DWORD length + payload.
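As an added example (not code from eSentire or from the malware), here is the session-key derivation and traffic framing described in the Key Exchange and Session Encryption subsections, built from RFC 5869 and RFC 8439 with only the Python standard library, the way an analyst would decrypt a capture once the X25519 shared secret has been recovered from a memory image. Assumptions: the length DWORD is little-endian, ChaCha20 data blocks start at counter 1 as in RFC 8439, and the Poly1305 tag is split off but not verified.

```python
import hashlib
import hmac
import struct
from typing import List, Tuple

STX = b"\x02"  # Start-of-Text byte prefixed to every plaintext C2 message

_QR_INDICES = [(0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
               (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)]


def hkdf_sha256(ikm: bytes, length: int, salt: bytes = b"", info: bytes = b"") -> bytes:
    """RFC 5869. An absent salt becomes HashLen zero bytes, which is exactly the
    "no salt, empty info" setting the report gives for the ChaCha20 key."""
    if not salt:
        salt = bytes(hashlib.sha256().digest_size)
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def derive_session_key(shared_secret: bytes) -> bytes:
    """X25519 shared secret -> 32-byte ChaCha20 key (HKDF-SHA256, no salt, no info)."""
    return hkdf_sha256(shared_secret, 32)


def _rotl(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF


def _quarter_round(s: List[int], a: int, b: int, c: int, d: int) -> None:
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF
    s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF
    s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF
    s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF
    s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """RFC 8439 section 2.3 block function: 32-byte key, 12-byte nonce."""
    raw = b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce
    state = list(struct.unpack("<16I", raw))
    work = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        for a, b, c, d in _QR_INDICES:
            _quarter_round(work, a, b, c, d)
    return struct.pack("<16I", *((w + s) & 0xFFFFFFFF for w, s in zip(work, state)))


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """Keystream XOR. ChaCha20-Poly1305 starts the data at block 1 because
    block 0 is spent on the Poly1305 one-time key (RFC 8439 section 2.8)."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)


def split_frames(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Split a TCP byte stream on the DWORD length prefix. Returns the complete
    frame bodies and the unconsumed tail (a partial frame) for the next read."""
    frames, pos = [], 0
    while pos + 4 <= len(stream):
        (n,) = struct.unpack_from("<I", stream, pos)
        if pos + 4 + n > len(stream):
            break
        frames.append(stream[pos + 4:pos + 4 + n])
        pos += 4 + n
    return frames, stream[pos:]


def open_frame(session_key: bytes, body: bytes) -> bytes:
    """Body is [nonce(12) | ciphertext | poly1305_tag(16)]. Decrypt and require
    the STX marker; the tag is split off but not verified in this example."""
    if len(body) < 12 + 16:
        raise ValueError("frame too short for a nonce and a Poly1305 tag")
    nonce, ct, _tag = body[:12], body[12:-16], body[-16:]
    msg = chacha20_xor(session_key, nonce, ct)
    if not msg.startswith(STX):
        raise ValueError("no STX prefix: wrong session key or corrupted frame")
    return msg[1:]


def seal_frame(session_key: bytes, nonce: bytes, payload: bytes) -> bytes:
    """Build a frame the same way (constructed traffic, all-zero dummy tag)."""
    body = nonce + chacha20_xor(session_key, nonce, STX + payload) + bytes(16)
    return struct.pack("<I", len(body)) + body
```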

The introduction message sent to C2 includes: user_id, machine_id, hostname, username, OS, malware build version, architecture, admin status, PID, process path, server address, UTM campaign tracking (utm_group, utm_source from clipboard regex), RAM, and AV list. The C2 responds with either a get_creds command (triggers credential theft immediately) or an update command if the malware version is considered outdated. The C2 also supports: die, run, start_hvnc, start_tunnel, and full HVNC keyboard/mouse injection commands.

The malware also supports Tor as a fallback C2 via a custom Tor client implementation. Onion address: yu7sbzk2tgm4vv56qgvsq44wnwgct6sven4akbb2n3onp46f42fcstid.onion

Credential Theft Capabilities

🔑 Credential Theft is C2-Gated A critical evasion design: STX RAT's credential stealing functionality only activates after successfully connecting to its C2 server and receiving an explicit get_creds command. This means offline sandboxes or post-infrastructure-takedown analysis will observe no credential access behavior — a deliberate design to defeat automated behavioral analysis.
Target | Method / Detail | Impact
Chrome/Chromium browsers (Chrome, Edge, Brave, Vivaldi, Epic) | Cookie + password extraction; Chrome IElevation COM interface (CLSID-based) for DPAPI-protected vault; potential ABE bypass (not confirmed functional) | Full account takeover, MFA bypass via cookies
Firefox / SeaMonkey | Cookies and password store | Full credential dump
Windows Vault | VaultEnumerateVaults, VaultOpenVault, VaultEnumerateItems, VaultGetItem APIs | Windows credential store access
FileZilla | Regex match on *.xml: (<Server>.*?</Server>|<LastServer>.*?</LastServer>) | FTP server credentials
WinSCP | Registry: Software\Martin Prikryl\WinSCP 2\Sessions | SFTP/SCP credentials
Cyberduck / iterate_GmbH | File regex: <setting> patterns | Cloud storage / FTP credentials
Desktop crypto wallets | Litecoin-Qt, Zcash, Electrum, Bitcoin-Qt, bytecoin | Direct financial loss
Desktop screenshot | BitBlt/GDI → base64 JPG → C2 (sent before credential exfil) | Victim desktop visibility for TA

Persistence Mechanisms

// Persistence Mechanisms (eSentire TRU)

  • HKCU Run → autorun.ps1: PowerShell script that decrypts payload from %LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.2.db, allocates RWE memory, executes in-memory. Fileless PowerShell execution via powershell.exe -Command "[Console]::In.ReadToEnd() | Invoke-Expression"
  • HKCU Run → MSBuild.exe: Launches MSBuild with a C# project file at C:\Users\User\AppData\Local\Microsoft\MSBuild\c_3791.proj containing C# code that allocates RWE memory, decrypts and executes STX RAT in-memory.
  • COM Object Hijacking via Scriptlet: Registry key (Default) set to script:C:\path\to\ActiveX.sct. When the COM object is instantiated, the Scriptlet engine loads ActiveX.sct with embedded JScript that launches autorun.ps1. Registry: HKCU\Software\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\2\1.1\0\win64
05 · Indicators of Compromise

Network IOCs

Indicator | Type | Context | Sev
95[.]216[.]51[.]236 | C2 IP | Hetzner-allocated, Mynymbox Hosting LLC (Nevis, Caribbean). rDNS: 236.51.216.95.hosted-by.mynymbox.io. C2 since July 2025. | CRIT
95[.]216[.]51[.]236:31415 | C2 IP:Port | Non-standard port. Full C2 endpoint. Same port reused across all campaigns. | CRIT
welcome[.]supp0v3[.]com | C2 / Staging Domain | Primary STX RAT C2. Registered Oct 29, 2025 via CNOBIN (HK). Used in FileZilla and CPUID campaigns. | CRIT
supp0v3[.]com | Parent Domain | Backend exposed on ai.supp0v3.com — uses stolen/self-signed VK.com wildcard cert with Russian locality (Saint Petersburg). | CRIT
filezilla-project[.]live | Campaign Domain | Typosquat of filezilla-project.org. Used in March 2026 FileZilla campaign by same actor. | CRIT
yu7sbzk2tgm4vv56qgvsq44wnwgct6sven4akbb2n3onp46f42fcstid.onion | Tor C2 | STX RAT fallback C2 over Tor. | HIGH
rnetopera[.]org | Related Infra | Registration overlap with campaign domains (Breakglass). | HIGH
mymvm[.]ru | Actor Infra | Russian TLD. Confirms Russian-speaking operator. (Breakglass) | HIGH
justinstalledpanel[.]com | C2 Panel | Name suggests post-installation check-in panel. (Breakglass) | HIGH
147.45.178.61 | IP | Download IP seen in initial stage. Also linked to .url shortcut exploits (CVE-2023-36025 SmartScreen bypass) targeting LibreOffice/Google Drive downloads. (eSentire / Massaro) | HIGH
cahayailmukreatif.web[.]id | Delivery Domain | Served HWiNFO_Monitor_Setup.exe (Kaspersky confirmed). | HIGH
transitopalermo[.]com | Delivery Domain | Multiple trojanized CPUID downloads. (Kaspersky confirmed) | HIGH
vatrobran[.]hr | Delivery Domain | Multiple trojanized CPUID downloads. (Kaspersky confirmed) | HIGH
pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev | Cloudflare R2 Bucket | Primary staging bucket. CPU-Z, HWMonitor, HWMonitor Pro, PerfMonitor all hosted here. | HIGH

File IOCs — Malicious DLLs (CRYPTBASE.dll)

SHA-256 / SHA-1 | File | Source
9cdabd70f50dc8c03f0dfb31894d9d5265134a2cf07656ce8ad540c1790fc984 | CRYPTBASE.dll (40/75 VT) | Breakglass
a27df06c7167eced1ddaeb8adccaa5f60500f52bc7030389eed2a0903cdf8286 | CRYPTBASE.dll (on-disk) | CYDERES
24bbfcfea0c79f640a4eec99ffdae3ccd315786 (SHA-1) | CRYPTBASE.dll | Kaspersky
c65e515b9c9655c651c939b94574cf39b40a8be2 (SHA-1) | CRYPTBASE.dll | Kaspersky
3041a4e2bc5ccefbfd2222a9e23614fb79d6db63 (SHA-1) | CRYPTBASE.dll | Kaspersky
4e3195399a9135247e55781ad13226c6b0e86c0d (SHA-1) | CRYPTBASE.dll | Kaspersky
ba19e03ca03785e89010672d7e273ac343e4699a (SHA-1) | CRYPTBASE.dll | Kaspersky

File IOCs — Trojanized Installers (SHA-1)

SHA-1 | Filename
d0568eaa55f495fd756fa205997ae8d93588d2a2 | cpu-z_2.19-en.zip
02a53d660332c25af623bbb7df57c2aad1b0b91b | hwinfo_monitor_setup.exe
9253111b359c610b5f95ef33c2d1c06795ab01e9 | HWMonitorPro_1.57_Setup.exe
2f717a77780b8f6b2d853dc4df5ed2b90a3a349a | hwmonitor-pro_1.57.zip
7c615ce495ac5be1b64604a7c145347adbcd900c | hwmonitor_1.63.zip
c417c3a4b094646d06a06103639a5c9faabc9ba4 | hwmonitor_1.63.zip (alt)
8351a43a0c0455e4b0793d841fe12625f072f9b4 | PerfMonitor2_Setup.exe
6a71656c289201f742787f48398056fcd2aa7274 | perfmonitor-2_2.04.zip

File IOCs — STX RAT Stages (SHA-256, CYDERES)

SHA-256 | Component
02db6764d1f13b837b0a525e5931bdbc67e7a2a4d071e849c7e087255d4a2d5b | HWMonitor_x64.exe (Legitimate — abused for DLL sideloading)
1331f19c6732fca81f32c4cec9f89abf26371ed9d3665954f491c89e2c55e5bb | Stage 2 (In-memory PE)
116d806a5ca6f34fdd04061499daca9a352feb2e3f291c7ef3e5d470fe875f7f | Stage 3 (In-memory PE)
a70645f46eee6d765c54ba4a5c48166bd83bcfbc7771a82be9ed48ab4871ebfa | Stage 4 (In-memory PE)
52862b538459c8faaf89cf2b5d79c2f0030f79f80a68f93d65ec91f046f05be6 | Stage 5 — STX RAT (final payload)
799b29f409578c79639c37ea4c676475fd88f55251af28eb49f8199b904a51f3 | VBScript initial access (FileZilla campaign)

Detection Signatures

Snort / Suricata

    alert tcp $HOME_NET any -> 95.216.51.236 31415 (msg:"GHOST - CPUID/FileZilla Campaign C2 Callback"; flow:established,to_server; sid:2026040901; rev:1;)

YARA — CRYPTBASE.dll Sideloader (Breakglass)

    rule GHOST_CRYPTBASE_Sideloader {
        meta:
            description = "CRYPTBASE.dll sideloading payload from CPUID supply chain compromise"
            author = "Breakglass Intelligence"
            date = "2026-04-09"
            hash = "9cdabd70f50dc8c03f0dfb31894d9d5265134a2cf07656ce8ad540c1790fc984"
        strings:
            $inno = "Inno Setup" ascii
            $cryptbase = "CRYPTBASE" ascii wide
            $ntdll_proxy = "ntdll.dll" ascii wide
            $dotnet = "_CorExeMain" ascii
            $c2_port = { 31 34 31 35 } // "1415" ascii (part of port 31415)
        condition:
            uint16(0) == 0x5A4D and 3 of them
    }

YARA — STX RAT Unpacked (eSentire TRU)

    rule STXRat {
        meta:
            author = "YungBinary"
            description = "Detection for unpacked STX RAT in memory"
        strings:
            $s2 = {
                // AMSI ghosting
                48 8D 05 ?? ?? ?? ?? 66 C7 45 ?? 48 B8 [0-6] 48 89 45 ?? 48 8D 55 ?? 66 C7 45 ?? FF E0
            }
            $s3 = {
                // Debugger check
                65 48 8B 04 25 60 00 00 00 80 78 02 01
            }
            $s8 = {
                // X25519 clamping
                80 61 1F 3F 80 49 1F 40 80 21 F8
            }
            $s4 = "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)" ascii
        condition:
            uint16(0) == 0x5a4d and (4 of ($s*))
    }
06 · Detection & Response — Defender Perspective

// Endpoint Detection — Priority Hunts (MDE / EDR)

  • Primary pivot: Alert on CRYPTBASE.dll loaded from any non-System32/SysWOW64 directory. This is the single most reliable detection point — it fires before any C2 connection or credential access and is not present in legitimate software.
  • Hunt for HWMonitor_x64.exe, CPU-Z.exe, or any CPUID executable spawning unexpected child processes — PowerShell, cmd.exe, wscript.exe, msbuild.exe, or .NET CLR host processes.
  • Detect reflective PE loading patterns: memory allocation with PAGE_EXECUTE_READWRITE (VirtualAlloc + WriteProcessMemory) not corresponding to a legitimate loaded module.
  • Alert on any process accessing Chrome's IElevation COM interface outside legitimate browser processes — this is STX RAT's Chrome credential vault attack path.
  • Flag NTDLL proxying via .NET assemblies loading fresh NTDLL copies from disk (EDR hook bypass technique).
  • Detect AMSI bypass activity: patching of rpcrt4!NdrClientCall3 — monitor for unusual write operations to this function's memory region.
  • Hunt for HKCU Run entries pointing to autorun.ps1, cversions.2.db, or MSBuild project files in %LOCALAPPDATA%\Microsoft\MSBuild\ — these are STX RAT persistence artifacts.
  • Hunt for COM object hijacking at HKCU\Software\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\2\1.1\0\win64 with a scriptlet (SCT) value.
KQL · MDE · Sentinel — CRYPTBASE Sideloading

    // Hunt for CRYPTBASE.dll loaded from non-system directories
    DeviceImageLoadEvents
    | where FileName =~ "cryptbase.dll"
    | where FolderPath !startswith @"C:\Windows\System32"
    | where FolderPath !startswith @"C:\Windows\SysWOW64"
    | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, FolderPath, SHA256
    | order by Timestamp desc

KQL · MDE · Sentinel — C2 Network Detection

    // Detect known STX RAT C2 infrastructure
    DeviceNetworkEvents
    | where RemoteUrl has_any (
        "supp0v3.com", "95.216.51.236", "filezilla-project.live",
        "mymvm.ru", "justinstalledpanel.com", "rnetopera.org"
      )
      or RemoteIP == "95.216.51.236"
      or RemoteIP == "147.45.178.61"
    | project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
    | order by Timestamp desc

KQL · MDE — Trojanized CPUID Installer Hunt

    // Hunt for trojanized CPUID download artifacts — April 9-10 2026 window
    DeviceFileEvents
    | where Timestamp between (datetime(2026-04-03) .. datetime(2026-04-11))
    | where FileName in~ (
        "HWiNFO_Monitor_Setup.exe", "hwinfo_monitor_setup.exe",
        "cpu-z_2.19-en.zip", "hwmonitor_1.63.zip"
      )
      or (FileName startswith "hwmonitor" and FolderPath has "Downloads")
    | project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
    | order by Timestamp desc

KQL · MDE — STX RAT Persistence Detection

    // Hunt for STX RAT persistence mechanisms
    DeviceRegistryEvents
    | where RegistryKey has @"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
    | where RegistryValueData has_any ("autorun.ps1", "cversions.2.db", "MSBuild", ".proj")
    | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData
    | union (
        DeviceRegistryEvents
        | where RegistryKey has "EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B"
        | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData
      )
    | order by Timestamp desc

Symantec / Broadcom Detection Coverage

✅ Symantec Protection Confirmed (Apr 13, 2026) Adaptive: ACM.Ps-Rd32!g1  |  Behavior: SONAR.TCP!gen1  |  File: Trojan Horse, Trojan.Gen.MBT, Trojan.Gen.NPE, PUA.Gen.2, WS.Malware.1, WS.SecurityRisk.3  |  ML: Heur.AdvML.A!300/400/500, Heur.AdvML.B!100/200  |  Carbon Black: block all malware types (Known, Suspect, PUP) + delay execution for cloud scan.

// IR Actions If Compromise Confirmed

  • Isolate the endpoint immediately — STX RAT establishes persistent access via three separate persistence mechanisms and may have already exfiltrated browser credentials and screenshots.
  • Revoke and rotate ALL saved browser passwords — Chrome, Edge, Firefox, and Brave credential stores should be treated as fully compromised. Enable/force re-authentication on all saved accounts.
  • Invalidate active session cookies — STX RAT explicitly steals session cookies to bypass MFA. Force session invalidation on critical accounts (email, banking, cloud services).
  • Check for crypto wallet files at %APPDATA%, %USERPROFILE%\Documents — Litecoin-Qt, Zcash, Electrum, Bitcoin-Qt, bytecoin are all targeted. Notify the user immediately.
  • Check FileZilla, WinSCP, and Cyberduck credential stores — if the affected user has FTP/SFTP access to production infrastructure, treat those credentials as compromised.
  • Review DNS and proxy logs for connections to: supp0v3[.]com, 95.216.51.236, 147.45.178.61, mymvm.ru, justinstalledpanel.com, rnetopera.org.
  • Confirm breach window: Ask specifically whether the user downloaded any CPUID software (HWMonitor, CPU-Z, HWMonitor Pro, PerfMonitor) between April 3 and April 10, 2026.
  • Check for STX RAT persistence artifacts: autorun.ps1 in Run keys, cversions.2.db in AppData, MSBuild project files in %LOCALAPPDATA%\Microsoft\MSBuild\, COM hijack at the TypeLib registry path.
  • For reinstallation: verify the file hash against Kaspersky's confirmed clean list before executing any CPUID software. Point users to direct file URLs with hash verification rather than the main download page.
07 · MITRE ATT&CK Mapping

Tactic | Technique | Detail
Initial Access | T1195.002 | Supply Chain Compromise — Software Distribution Utilities (cpuid.com download links)
Initial Access | T1190 | Exploit Public-Facing Application — Probable Apache CVE-2024-38475 mod_rewrite path traversal
Execution | T1204.002 | User Execution: Malicious File — Trojanized installer run by user
Execution | T1106 | Native API — VirtualAlloc, CreateThread, WriteProcessMemory for in-memory execution
Persistence | T1574.002 | DLL Side-Loading — CRYPTBASE.dll / version.dll sideloading via Windows DLL search order
Persistence | T1546.015 | Event Triggered Execution: COM Hijacking — TypeLib COM object hijacked via scriptlet (ActiveX.sct)
Defense Evasion | T1055 | Process Injection — Reflective PE loading across 5 in-memory stages
Defense Evasion | T1620 | Reflective Code Loading — In-memory execution with no intermediate disk writes
Defense Evasion | T1027.002 | Software Packing — XXTEA + Zlib multi-stage in-memory unpacking; AES-128-CTR string encryption
Defense Evasion | T1070.006 | Indicator Removal: Timestomp — CRYPTBASE.dll compilation timestamp set to 2077
Defense Evasion | T1497 | Virtualization/Sandbox Evasion — Anti-VM checks (VirtualBox, VMware, QEMU), anti-debug PEB flag
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools — AMSI Ghosting via rpcrt4!NdrClientCall3 patch
Credential Access | T1555.003 | Credentials from Web Browsers — Chrome IElevation COM, Firefox credential stores, Windows Vault
Credential Access | T1539 | Steal Web Session Cookie — Browser session cookie theft enabling MFA bypass
Command & Control | T1571 | Non-Standard Port — C2 on TCP 31415
Command & Control | T1090.003 | Proxy: Multi-hop Proxy — Tor C2 fallback via custom onion client implementation
Exfiltration | T1041 | Exfiltration Over C2 Channel — Credentials, screenshots, host metadata all exfil via C2 JSON
Resource Development | T1608.001 | Stage Capabilities: Upload Malware — Cloudflare R2 bucket as malware staging infrastructure
08 · Actor Profile — Breakglass Intelligence

Attribute | Assessment | Confidence
Language | Russian-speaking (Inno Setup installer dialogs, mymvm[.]ru domain, Russian locality in VK.com certificate on backend) | HIGH
Registrar | CNOBIN (Chinese registrar, Hong Kong) for supp0v3[.]com — minimal verification requirements, common among threat actors | HIGH
Hosting | Mynymbox Hosting LLC (Nevis, Caribbean) for C2 server — bulletproof offshore jurisdiction, limited LEA cooperation. rDNS: 236.51.216.95.hosted-by.mynymbox[.]io | HIGH
Operational Pattern | Supply chain compromise of trusted software distributors (FileZilla, CPUID). Prior activity: CVE-2023-36025 SmartScreen bypass campaigns targeting LibreOffice/Google Drive. | HIGH
Technical Capability | DLL sideloading, NTDLL unhooking, reflective PE loading, XXTEA/Zlib packing, X25519/Ed25519/ChaCha20-Poly1305 C2 crypto, HVNC, AMSI Ghosting — above average for financially motivated actors | HIGH
OPSEC Capability | LOW — reused identical C2 IP:port and domain from March 2026 FileZilla campaign. This single OPSEC failure enabled rapid cross-campaign attribution and detection. Kaspersky explicitly called this "the gravest mistake." | HIGH
Motivation | Likely financially motivated — broad targeting of popular utility software used by IT professionals with high-value credentials. Consistent with credential broker or IAB operations. | MOD
State Affiliation | No evidence of state sponsorship. Infrastructure pattern (Russian-speaking operator, Chinese registrar, Caribbean hosting) is consistent with deliberate jurisdictional fragmentation by a private financially-motivated actor. | MOD
Campaign Duration | At least 10 months (July 2025 – April 2026, based on earliest known sample superbad.exe). Earlier activity may exist. | MOD
🌐 Trilateral Infrastructure Pattern Breakglass Intelligence documents what it calls a "trilateral infrastructure pattern" used by this actor: Russian language/cultural artifacts → Chinese domain registrar → Caribbean offshore hosting. This deliberate fragmentation across three jurisdictions with limited mutual legal assistance makes coordinated law enforcement action significantly more complex. The actor maintains a consistent playbook but has poor OPSEC at the C2/infrastructure reuse level.
09 · Analyst Verdict

Threat Severity: 88%
Malware Sophistication: 85%
Detection Difficulty: 80%
Actor OPSEC Quality: 28%
Scope / Impact Potential: 78%
Target Value (IT/SysAdmin): 93%

// Analyst Commentary

This attack is textbook supply chain — and the most instructive part isn't the malware sophistication, it's the targeting logic. CPUID's tools aren't consumer entertainment software. The people downloading HWMonitor and CPU-Z are IT administrators diagnosing production servers, security engineers running forensic workstations, and OEM vendors qualifying hardware. These are exactly the people with the highest-value credentials, the most privileged system access, and the broadest network footprint. A successful STX RAT infection on a sysadmin laptop is not a single endpoint compromise — it's a potential pivot into every system that sysadmin can reach.

The malware itself is genuinely sophisticated in its cryptographic design: X25519 ECDH key exchange, Ed25519 server authentication, ChaCha20-Poly1305 session encryption, Tor fallback, AMSI Ghosting, reflective loading, timestomped DLLs, and credential theft gated by C2 command to defeat offline sandboxing. For a financially-motivated actor, this level of care in the payload is notable. The actor earned a "B-" from vx-underground, which is a fair assessment — strong on evasion, weak on OPSEC.

The OPSEC failure that ended the campaign was elementary: reusing the identical C2 IP address and port (95.216.51.236:31415) from the March 2026 FileZilla campaign. This single mistake enabled Kaspersky, Breakglass, and CYDERES to rapidly attribute the CPUID compromise to the same actor, cross-correlate a 10-month campaign, identify the staging domain, and achieve detection within hours of the breach window. Kaspersky's observation is worth noting: this failure "made it possible to detect the watering hole compromise as soon as it started."

For defenders: The primary KQL hunt is the CRYPTBASE.dll sideloading query from Section 6. Run it today if your environment has any CPUID software. The DLL sideload is the only moment in the chain with a reliable on-disk indicator — once that fires, everything else is in memory. Your window to catch it cleanly is narrow. Beyond that, prioritize STX RAT persistence artifact hunts (autorun.ps1, cversions.2.db, MSBuild .proj files, COM hijack registry key) and check DNS logs for any of the infrastructure domains listed in Section 5.

Swetha Devi Sai Priya Bonu
SOC Analyst · Detection Engineer · HTB CDSA