URGENT: CPU-Z Official Site Compromised – Malware Distributed via Trusted Domain – Full Technical Analysis & Defense Guide + Video

Listen to this Post

Featured Image

Introduction:

The legitimate software supply chain is under active attack: cpuid[.]com, the official distribution point for the widely trusted CPU-Z hardware diagnostics tool, is currently serving malware. This is not a simple website defacement or adware redirect; it is a deep trojanization of a legitimate binary, distributed from a compromised high-authority domain, employing multi-stage, near-fileless execution and advanced EDR evasion via indirect syscall proxying through a .NET assembly. This campaign, linked to a threat group previously observed spoofing FileZilla installers in March 2026, underscores a shift toward living-off-the-land and memory-resident techniques that bypass traditional signature-based defenses.

Learning Objectives:

  • Identify indicators of compromise (IOCs) associated with trojanized CPU-Z installers and verify software integrity beyond digital signatures.
  • Implement monitoring for unusual .NET assemblies interacting with low-level Windows APIs and indirect syscall patterns.
  • Apply forensic and detection techniques to uncover fileless, in-memory malware execution and C2 communication.

You Should Know:

  1. Detecting Trojanized Software: Hash Verification & Source Validation

The compromised cpuid[.]com domain serves a modified installer that retains the original digital signature but executes malicious shellcode via DLL side-loading or memory patching. Do not trust a valid signature alone – attackers can sign malware using stolen certificates or abuse trusted binaries.

Step-by-step guide to verify software integrity:

On Windows (PowerShell):

Before executing any downloaded installer, compute its hash and compare with the vendor’s official reference hash (if published).

 Compute SHA-256 hash
Get-FileHash -Path "C:\Downloads\cpu-z_installer.exe" -Algorithm SHA256

Compute authenticode signature details
Get-AuthenticodeSignature -FilePath "C:\Downloads\cpu-z_installer.exe"

If the vendor does not provide hashes, cross-check against VirusTotal’s community submissions (but beware of first-seen timestamps). For advanced validation, use `sigcheck` from Sysinternals:

sigcheck -a -h C:\Downloads\cpu-z_installer.exe

Look for unusual section names (e.g., `.text` with high entropy) or unexpected imports like VirtualAlloc, CreateRemoteThread.

On Linux (for cross-platform analysis):

 Compute hash
sha256sum cpu-z_installer.exe

Check embedded strings for suspicious indicators
strings -n 8 cpu-z_installer.exe | grep -iE 'http|https|cmd|powershell|rundll32'

If the installer contains encoded PowerShell commands or references to non-standard domains, treat as malicious. Always download software directly from the official GitHub or verified mirrors with PGP signatures – never from third-party mirrors even if the domain looks legitimate.

2. Hunting .NET Assemblies That Proxy NTDLL Syscalls

The malware uses a .NET assembly to dynamically invoke indirect syscalls, bypassing user-mode hooks placed by EDRs. Typical benign .NET apps do not directly call `NtCreateFile` or `NtAllocateVirtualMemory` via manually mapped syscall stubs.

Step-by-step monitoring:

Enumerate loaded .NET assemblies and their methods (PowerShell):

Use Process Explorer (Sysinternals) to inspect a running process: View → Lower Pane View → DLLs. Look for unexpected `System.Reflection.Emit` or `System.Runtime.InteropServices` usage.

For automated detection, deploy a PowerShell script that checks processes for loaded `clr.dll` and then scans for suspicious API imports:

Get-Process | Where-Object { $<em>.Modules.ModuleName -contains "clr.dll" } | ForEach-Object {
$proc = $</em>
$modules = $proc.Modules
if ($modules.ModuleName -match "System.Management.Automation|Microsoft.CodeAnalysis") {
Write-Warning "Suspicious .NET assembly in $($proc.Name)"
}
}

Enable Sysmon Event ID 7 (Image Loaded):

Configure Sysmon to log loading of .NET assemblies:

<Sysmon>
<EventFiltering>
<ImageLoad onmatch="include">
<TargetFilename condition="end with">.dll</TargetFilename>
<CompanyName condition="begin with">Microsoft</CompanyName>
</ImageLoad>
</EventFiltering>
</Sysmon>

Then monitor for `clr.dll` being loaded into non-.NET native processes (e.g., notepad.exe, explorer.exe) – this indicates potential .NET injection.

Detect indirect syscall patterns:

Use API Monitor (rohitab.com) to hook `ntdll.dll` functions. Look for call stacks that bypass standard `kernel32.dll` → `ntdll.dll` → `syscall` and instead invoke syscalls directly from manually allocated memory. Alternatively, deploy a kernel callback (e.g., PsSetCreateProcessNotifyRoutine) to validate syscall origins – but for most defenders, EDR logs (e.g., Carbon Black, CrowdStrike) with “indirect syscall” detection rules are preferred.

3. Uncovering Fileless / In-Memory Execution Chains

The malware loads its payload entirely into memory without writing a dropper to disk. It likely uses process hollowing or atom bombing. To detect this, you must monitor for anomalous memory allocation and execution.

Step-by-step forensics:

Using Volatility 3 (memory forensics):

Capture a memory dump of a suspicious host:

winpmem.exe -o memdump.raw

Then analyze for hidden processes and injected code:

vol3 -f memdump.raw windows.pslist
vol3 -f memdump.raw windows.malfind
vol3 -f memdump.raw windows.cmdline

The `malfind` plugin detects pages with PAGE_EXECUTE_READWRITE permissions (RWX) that are not backed by a mapped file – a classic indicator of shellcode injection.

Real-time detection with PowerShell:

Monitor for remote thread creation events:

 Register for WMI events – thread creation
Register-WmiEvent -Query "SELECT  FROM Win32_ProcessStartTrace" -Action { Write-Host "Process started: $($Event.SourceEventArgs.NewEvent.ProcessName)" }

However, this is noisy. Better: Enable Process Monitor (ProcMon) with filters for `Operation` = `WriteVirtualMemory` and `Result` = Success, then cross-reference with CreateRemoteThread.

EDR evasion note: The malware uses indirect syscalls to avoid EDR hooks. To counter this, deploy kernel-based monitoring (e.g., Event Tracing for Windows – ETW) via `SilkETW` to capture raw syscall events before user-mode hooks are applied.

4. Investigating C2 Communication and Blocking Malicious Domains

The embedded binary contains a clear C2 indicator. Defenders must identify and block outbound connections to the threat actor’s infrastructure.

Step-by-step network detection:

Extract C2 domains from suspicious binaries (static analysis):

 Using strings and grep
strings malicious_cpu-z.exe | grep -E 'http://|https://|\.com|\.net|\.org' | sort -u

If the binary is packed, use `flare-floss` to deobfuscate strings:

floss malicious_cpu-z.exe | grep -iE 'c2|beacon|command'

Monitor live connections:

netstat -ano | findstr ESTABLISHED

Then correlate PID with process name:

Get-Process -Id (netstat -ano | findstr "ESTABLISHED" | Select-String -Pattern "\d+$" | ForEach-Object { $_.Matches.Value }) -ErrorAction SilentlyContinue

Block C2 at firewall (Windows Defender Firewall):

New-NetFirewallRule -DisplayName "Block cpuid C2" -Direction Outbound -RemoteAddress "203.0.113.55" -Action Block

For enterprise, push via GPO or use EDR’s network containment. Also report the malicious domain to Cloudflare’s abuse team (as noted by Adam Heathcote in the original post) and request takedown.

  1. Linux and Cross-Platform Indicators (For Sandbox & Forensics)

Although the primary target is Windows, the threat group may use Linux-based C2 redirectors or cross-platform loaders. Analysts should be familiar with YARA rules to scan for the malicious .NET assembly.

YARA rule to detect the CPU-Z trojan:

rule CPUZ_Trojan_IndirectSyscall {
meta:
description = "Detects CPU-Z installer with indirect syscall .NET assembly"
author = "Undercode"
strings:
$s1 = "System.Runtime.InteropServices" wide ascii
$s2 = "NtAllocateVirtualMemory" wide ascii
$s3 = "cpuid" nocase ascii
$hex = { 48 8B 04 25 ? ? ? ? 0F 05 } // syscall gadget pattern
condition:
uint16(0) == 0x5A4D and all of ($s1,$s2) and ($s3 or $hex)
}

Run YARA against downloaded files:

yara64.exe -r cpu_z_rule.yar C:\Downloads\

Linux command to scan SMB shares or mounted Windows drives:

find /mnt/windows_share/ -name ".exe" -exec yara -w cpu_z_rule.yar {} \;

6. Mitigation & Hardening Against Supply Chain Compromise

Given that cpuid[.]com is a trusted domain, no amount of user education alone can prevent this. Implement application control and integrity monitoring.

Step-by-step hardening:

  • Enable Windows Defender Application Control (WDAC): Create a base policy that allows only signed Microsoft and vendor-approved binaries. Block all executables not in `C:\Program Files` or `C:\Windows` unless explicitly allowed.
    New-CIPolicy -Level Publisher -FilePath .\WDAC_Policy.xml
    ConvertFrom-CIPolicy -XmlFilePath .\WDAC_Policy.xml -BinaryFilePath .\SiPolicy.p7b
    

Then deploy via `Group Policy`.

  • Use Microsoft Defender for Endpoint’s ASR rules: Enable “Block executable files from running unless they meet a prevalence, age, or trusted list criterion” (GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25).

  • Periodic integrity validation: Automate hash checks for critical tools (CPU-Z, FileZilla, etc.) using a scheduled script that compares against a read-only reference DB:

    $refHash = (Get-Content "C:\SecureHashes\cpu-z.sha256") -split " " | Select-Object -First 1
    $currHash = (Get-FileHash "C:\Tools\cpu-z.exe" -Algorithm SHA256).Hash
    if ($refHash -ne $currHash) { Send-MailMessage -To "[email protected]" -Subject "CPU-Z integrity failure" }
    

What Undercode Say:

  • Trust is a vulnerability: A valid digital signature and a reputable domain name are no longer sufficient guarantees. Attackers compromise the entire distribution pipeline, not just the binary.
  • Memory is the new frontier: Fileless and indirect syscall techniques effectively blind most EDRs that rely on user-mode hooking. Defenders must invest in kernel-level telemetry (e.g., ETW, Sysmon with custom drivers) and memory forensics.
  • Supply chain attacks are accelerating: The reuse of tooling from the March 2026 FileZilla spoofing campaign indicates a mature, persistent actor. Organizations must treat every third-party update as a potential intrusion vector.
  • Detection requires layered visibility: No single tool catches everything. Combine hash verification, .NET assembly monitoring, syscall pattern analysis, and network egress filtering to build a resilient defense.

Prediction:

Within 12 months, similar deep trojanization attacks will target at least five other widely used freeware utilities (e.g., 7-Zip, Notepad++, VLC). The attacker economy will commoditize “signature-passing malware” as a service, making it accessible to low-skill criminals. Consequently, Microsoft will accelerate plans to deprecate Win32 API hooks in favor of native ETW-based security telemetry, and EDR vendors will pivot to kernel-callbacks and AI-driven behavioral analysis that ignores static signatures entirely. Organizations that fail to implement application control and memory integrity monitoring (e.g., Kernel Data Protection) will suffer repeated breaches via trusted software updates.

▶️ Related Video (72% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Vince Dhondt – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky