Severity: High | Category: RAT

CPUID.com Supply Chain Compromise: CRYPTBASE.dll Sideloading, FileZilla C2 Attribution, and the 95.216.51[.]236 Infrastructure

The same Russian-speaking operator behind the March 2026 trojanized FileZilla campaign hijacked cpuid[.]com downloads to deliver an NTDLL-proxying in-memory loader. Shared C2, shared DLL-sideloading TTPs, offshore hosting, Chinese registrar.

Investigated: April 10, 2026 | Published: April 10, 2026

Tags: supply-chain, cpuid, cryptbase, filezilla, dll-sideloading, ntdll-proxy, edr-evasion, russian-actor, hetzner, mynymbox, cloudflare-r2, apache-cve, dns-over-https, inno-setup

TLP: WHITE
Date: 2026-04-10
Analyst: GHOST (Breakglass Intelligence)
Classification: Cybercrime -- Supply Chain Compromise
Status: Partially Remediated (downloads restored, no official statement)


Executive Summary

On April 10, 2026, the official CPUID website (cpuid[.]com) -- publisher of CPU-Z, HWMonitor, and other widely used hardware diagnostic tools -- was confirmed to be actively distributing trojanized software. Download links on the website were hijacked to redirect users to a Cloudflare R2 storage bucket serving a malicious installer named HWiNFO_Monitor_Setup.exe instead of the legitimate software.

The malware employs DLL sideloading via cryptbase.dll, operates almost entirely in-memory, and uses a sophisticated EDR evasion technique: proxying Windows NTDLL system calls through a .NET assembly to bypass usermode hooks. The installer displayed Russian-language dialogs within a modified Inno Setup wrapper.

Breakglass Intelligence has confirmed this is the SAME threat group that trojanized FileZilla in March 2026. Both campaigns share:

  • The same C2 server (95[.]216[.]51[.]236:31415, Hetzner/Mynymbox)
  • Identical anti-analysis techniques (BIOS checks, VM detection, WMI calls)
  • The same DLL sideloading methodology (version.dll for FileZilla, cryptbase.dll for CPUID)
  • Shared staging domain (welcome[.]supp0v3[.]com) registered via Chinese registrar CNOBIN

The compromise window is estimated as April 3-10, 2026. As of our investigation at 11:15 UTC on April 10, the legitimate download infrastructure appears restored, but CPUID has not issued any official statement.

Key Findings

  1. Supply chain compromise confirmed: cpuid[.]com download links were hijacked to serve malware from Cloudflare R2 storage
  2. File masquerading: Malicious installer named HWiNFO_Monitor_Setup.exe (combining HWiNFO and HWMonitor brand names)
  3. Same threat group as FileZilla campaign: Both use C2 at 95[.]216[.]51[.]236:31415
  4. CRYPTBASE.dll identified: SHA256 9cdabd70f50dc8c03f0dfb31894d9d5265134a2cf07656ce8ad540c1790fc984 -- 40/75 VT detections, first seen March 5, 2026
  5. Russian-speaking actor: Installer dialogs in Russian
  6. Advanced evasion: NTDLL proxying via .NET assembly (bypasses EDR usermode hooks)
  7. Vulnerable Apache: CPUID server runs Apache 2.4.59/66 with 34 known CVEs including path traversal (CVE-2024-38475)
  8. Chinese registrar: C2 staging domain (supp0v3[.]com) registered via CNOBIN Information Technology Limited (Hong Kong)
  9. Offshore hosting: C2 allocated to Mynymbox Hosting LLC (Nevis, Caribbean) on Hetzner infrastructure

What This Report Adds to the Public Record

Aspect | Prior Public Reporting | Breakglass Findings
C2 Infrastructure | Mentioned but not specified | 95.216.51.236:31415 (Hetzner/Mynymbox, Nevis)
CRYPTBASE.dll Hash | Not published | 9cdabd70f50dc8c03f0dfb31894d9d5265134a2cf07656ce8ad540c1790fc984
FileZilla Link | Mentioned as same group | Confirmed via shared C2 IP -- 10 samples communicate with same server
Campaign Timeline | Post-April 3 | CRYPTBASE.dll first seen March 5 (tool developed 1 month before CPUID attack)
C2 Domain Registration | Not reported | supp0v3.com via CNOBIN (CN registrar), Oct 29 2025
Related Infrastructure | Not mapped | rnetopera.org, mymvm.ru (Russian), justinstalledpanel.com on same C2
Apache Vulnerabilities | Not assessed | 34 CVEs including path traversal -- probable initial access vector
Tool Arsenal | version.dll, cryptbase.dll | 10 distinct samples sharing C2, including PowerShell stagers

Attack Chain

Phase 1 -- Initial Compromise
[Threat actor exploits Apache vulnerability on cpuid.com]
    -> [Modifies download page links or backend routing]
    -> [ZIP/EXE download links redirect to Cloudflare R2 bucket]

Phase 2 -- Delivery
[Victim visits cpuid.com, clicks download for HWMonitor/CPU-Z]
    -> [Instead of download.cpuid.com, link resolves to Cloudflare R2]
    -> [Victim receives HWiNFO_Monitor_Setup.exe (Inno Setup, Russian)]

Phase 3 -- Execution
[Victim runs installer]
    -> [Modified Inno Setup drops legitimate app + cryptbase.dll]
    -> [DLL search order hijacking loads cryptbase.dll]
    -> [Stage 1: Anti-analysis checks (BIOS version, VM detection, WMI)]

Phase 4 -- Evasion & C2
    -> [Stage 2: In-memory .NET assembly loads]
    -> [.NET assembly proxies NTDLL calls (bypasses EDR usermode hooks)]
    -> [DNS-over-HTTPS resolves C2 domain (1.1.1.1)]
    -> [C2 callback to 95.216.51.236:31415]
    -> [Stage 3: Additional payloads/persistence]

Infrastructure Analysis

Legitimate CPUID Infrastructure (Confirmed Clean)

Component | Value | Notes
Domain | cpuid[.]com | Registered 2000-05-02 via OVH
IP | 195[.]154[.]81[.]43 | Scaleway, AS12876, France
Server | Apache/2.4.66 (Debian) | 34 CVEs on Shodan
TLS | Let's Encrypt E7 | Issued 2026-04-10 (auto-renewal)
DNS NS | dns16.ovh.net / ns16.ovh.net | Consistent historical
download.cpuid.com | CNAME to cpuz01.cpuid.com (same IP) | Clean downloads confirmed
www2.cpuid.com | CNAME to cpuz01.cpuid.com (same IP) | Alternate download path
mail.cpuid.com | 188[.]165[.]231[.]119 | Separate mail server
MX | mail.x86.fr | CPUID mail infrastructure

Attack Infrastructure

Component | Value | Notes
C2 Server | 95[.]216[.]51[.]236:31415 | Hetzner allocation to Mynymbox Hosting LLC (Nevis)
C2 rDNS | 236.51.216.95.hosted-by.mynymbox.io | Offshore hosting provider
Staging Domain | welcome[.]supp0v3[.]com | Registered 2025-10-29 via CNOBIN (CN)
Staging Domain | filezilla-project[.]live | Registered ~Feb 2026
Delivery | Cloudflare R2 storage bucket | Abusing legitimate cloud infra
DNS Resolution | Cloudflare DoH via 1[.]1[.]1[.]1 | Encrypts DNS queries
C2 Proxied IPs | 104[.]21[.]63[.]112, 172[.]67[.]145[.]101 | Cloudflare-fronted C2
Historical Domain | rnetopera[.]org | Resolved to C2 IP in late 2024
Historical Domain | mymvm[.]ru | Russian domain, VPN/Nextcloud on C2 IP (2021)

Apache Vulnerability Exposure

The CPUID server runs Apache 2.4.59/66 with Shodan reporting 34 associated CVEs. Critical vulnerabilities that could explain the initial access include:

  • CVE-2024-38475: Path traversal in mod_rewrite (could allow backend file manipulation)
  • CVE-2024-38476: Server-Side Request Forgery
  • CVE-2024-38474: Encoding issues in mod_rewrite
  • CVE-2024-40898: SSRF via mod_rewrite

Malware Analysis

Known Malicious Samples

SHA256 | Name | Type | Size | VT Det | First Seen | Campaign
9cdabd70f50dc8c03f0dfb31894d9d5265134a2cf07656ce8ad540c1790fc984 | CRYPTBASE.dll | Win64 DLL | 1.2MB | 40/75 | 2026-03-05 | CPUID
e4c6f8ee8c946c6bd7873274e6ed9e41dec97e05890fa99c73f4309b60fd3da4 | version.dll | Win64 DLL | 362KB | 49/75 | ~2026-02 | FileZilla
41574f43ee6e668200ec962b320203f0cafb787b3640fb35503fed00ab66e90b | superbad.exe | Win64 DLL | 238KB | 47/75 | 2025-07 | Related
912754132a31ba437ac4dedd07cbd8d70a8b773cc00b7c983c2225e036b8ccf9 | x90nl.exe | Win64 DLL | - | 49/75 | - | Related
768971c5529c85d520a6284f376e1c1caca901838a0f3c23b1da3ae3884a5f9c | payload_1.dll | Win64 DLL | - | 43/75 | - | Related
61e6b7d1e477c572c6b9549dea8ce5ba977afd11331a56efe7f36a92f02d5a49 | ps1.ps1 | PowerShell | 350KB | 31/75 | 2025-08 | Related
ce529398029f34cfd44feda0992d4dcdffdf531efc025a8c5347c5a9364c4e31 | ps1.txt | PowerShell | - | 31/75 | - | Related

Legitimate Files Currently Served by CPUID (Clean)

File | SHA256 | Size | VT | Signed
cpu-z_2.19-en.exe | 96ac7864f87a133864293e92f6a3ab4484685470e5bde82cc8eaf1f974741775 | 4.8MB | 0/72 | Yes (CPUID)
cpu-z_2.18-en.exe | 3999dad2516dbc9afdd51defc2447d940aa78a88bcf93655186c856b326e3821 | 4.8MB | - | Yes
hwmonitor_1.63.exe | 6c8faba4768754c3364e7c400a9d79ccbece156087be607583619f11a09cb064 | 3.1MB | - | Yes
hwmonitor-pro_1.57.exe | 7c3f3162869d1f9f68a9101d4885cce8c04e73376bd9ccb1e564e81f9147b145 | 3.5MB | - | Yes

DLL Sideloading Technique

This threat group uses DLL search order hijacking:

  1. Legitimate application is bundled with malicious DLL sharing a name with a Windows system DLL
  2. When the application launches, Windows loads the local DLL before checking System32
  3. The malicious DLL executes while the legitimate application runs normally

Observed DLL names:

  • cryptbase.dll (CPUID campaign) -- Base Cryptographic API DLL
  • version.dll (FileZilla campaign) -- Version Checking and File Installation API

Both are documented on hijacklibs.net as known hijackable DLLs.

Anti-Analysis Arsenal

All samples from this group share these anti-analysis capabilities:

  • BIOS version checks (detects VMs with known BIOS strings)
  • VirtualBox registry key probing
  • WMI-based hardware enumeration
  • CPU name validation
  • User input monitoring (mouse movement, keyboard activity)
  • Long sleep timers (sandbox timeout evasion)
  • Debug environment detection

NTDLL Proxying (EDR Evasion)

The most sophisticated aspect of this malware is its NTDLL proxying technique:

  1. Modern EDRs hook ntdll.dll functions in user mode to monitor for malicious system calls
  2. This malware loads a .NET assembly in-memory
  3. The .NET assembly implements direct syscalls or reads a clean copy of ntdll.dll
  4. System calls are routed through the .NET layer, bypassing EDR hooks entirely
  5. This makes the malware invisible to most endpoint detection tools

Threat Actor Profile

Attribution Assessment

  • Confidence: HIGH
  • Language: Russian (confirmed by installer dialog text)
  • Infrastructure Registration: Chinese registrar (CNOBIN), offshore hosting (Mynymbox/Nevis)
  • Operational Since: At least October 2025 (supp0v3.com registration), possibly July 2025 (superbad.exe first seen)
  • Motivation: Likely financial (credential theft, access brokering)
  • Sophistication: HIGH -- NTDLL proxying, supply chain compromise, anti-analysis, multi-stage

Campaign Timeline

Date | Event
2025-07-14 | superbad.exe first seen on VT (earliest related sample)
2025-10-29 | supp0v3.com registered via CNOBIN (Chinese registrar)
2026-01-15 | First Let's Encrypt cert for supp0v3.com
2026-02-03 | FileZilla version.dll compiled (per Malwarebytes)
2026-02-21 | filezilla-project.live certs issued (campaign setup)
2026-02-24 | Google Trust Services cert for supp0v3.com
~2026-03-01 | FileZilla trojanization campaign begins
2026-03-05 | CRYPTBASE.dll first seen on VT (CPUID payload developed)
2026-03-16 | Wildcard cert issued for *.supp0v3.com (infrastructure expansion)
2026-04-03 | HWMonitor 1.63 released; compromise window begins
2026-04-10 | Public discovery; vx-underground confirms; downloads pulled/restored

Domain | Period | Notes
mymvm[.]ru | 2021 | VPN + Nextcloud on C2 IP -- Russian operational domain
justinstalledpanel[.]com | 2020 | Panel management on C2 IP -- early infrastructure
rnetopera[.]org | 2024 | Resolved to C2 IP with mail/autoconfig subdomains
filezilla-project[.]live | 2026-02 | Fake FileZilla download site
supp0v3[.]com | 2025-10+ | Active C2 staging/callback domain

MITRE ATT&CK Mapping

Tactic | Technique | ID | Application
Initial Access | Supply Chain Compromise: Compromise Software Supply Chain | T1195.002 | Modified download links on cpuid.com
Initial Access | Drive-by Compromise | T1189 | Users redirected to malicious download
Execution | User Execution: Malicious File | T1204.002 | HWiNFO_Monitor_Setup.exe
Persistence | Hijack Execution Flow: DLL Side-Loading | T1574.002 | cryptbase.dll / version.dll
Defense Evasion | Masquerading: Match Legitimate Name | T1036.005 | HWiNFO_Monitor_Setup.exe
Defense Evasion | Reflective Code Loading | T1620 | .NET assembly loaded in-memory
Defense Evasion | System Binary Proxy Execution | T1218 | NTDLL function proxying
Defense Evasion | Obfuscated Files or Information | T1027 | Multi-stage in-memory execution
Defense Evasion | Virtualization/Sandbox Evasion | T1497 | BIOS checks, VM detection, WMI
Discovery | System Information Discovery | T1082 | CPU name, BIOS, hardware enumeration
Command and Control | Encrypted Channel: Asymmetric Cryptography | T1573.002 | DNS-over-HTTPS for C2 resolution
Command and Control | Application Layer Protocol | T1071 | C2 on port 31415
Resource Development | Acquire Infrastructure: Web Services | T1583.006 | Cloudflare R2 for payload hosting

IOC Summary

Network Indicators

  • 95[.]216[.]51[.]236 -- C2 server (port 31415)
  • welcome[.]supp0v3[.]com -- C2 staging domain
  • filezilla-project[.]live -- Fake FileZilla site
  • rnetopera[.]org -- Historical infrastructure on C2 IP
  • Cloudflare R2 storage bucket (exact URL unknown) -- Payload delivery

File Indicators (Malicious)

IOC | SHA256
CRYPTBASE.dll | 9cdabd70f50dc8c03f0dfb31894d9d5265134a2cf07656ce8ad540c1790fc984
version.dll | e4c6f8ee8c946c6bd7873274e6ed9e41dec97e05890fa99c73f4309b60fd3da4
superbad.exe | 41574f43ee6e668200ec962b320203f0cafb787b3640fb35503fed00ab66e90b
payload_1.dll | 768971c5529c85d520a6284f376e1c1caca901838a0f3c23b1da3ae3884a5f9c
x90nl.exe | 912754132a31ba437ac4dedd07cbd8d70a8b773cc00b7c983c2225e036b8ccf9
ps1 stager | 61e6b7d1e477c572c6b9549dea8ce5ba977afd11331a56efe7f36a92f02d5a49
ps1 stager | ce529398029f34cfd44feda0992d4dcdffdf531efc025a8c5347c5a9364c4e31

File Indicators (Clean -- for comparison)

IOC | SHA256
cpu-z_2.19-en.exe (legit) | 96ac7864f87a133864293e92f6a3ab4484685470e5bde82cc8eaf1f974741775
hwmonitor_1.63.exe (legit) | 6c8faba4768754c3364e7c400a9d79ccbece156087be607583619f11a09cb064

Behavioral Indicators

  • cryptbase.dll in application directories (not System32)
  • version.dll in application directories (not System32)
  • HWiNFO_Monitor_Setup.exe on disk
  • DNS-over-HTTPS queries to 1.1.1.1 from non-browser processes
  • Outbound connections to port 31415
  • .NET CLR loading in non-.NET applications
  • WMI queries for BIOS/hardware information at startup

Immediate (24-48 hours)

  • Search for cryptbase.dll and version.dll in non-system locations
  • Search for HWiNFO_Monitor_Setup.exe anywhere on disk
  • Block 95.216.51.236 at network perimeter
  • Block supp0v3.com and filezilla-project.live at DNS
  • Monitor for outbound connections to port 31415
  • Alert on DNS-over-HTTPS from non-browser processes
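A detection pass over process-level network connection events that implements the port-31415, C2-IP and "DNS-over-HTTPS from a non-browser process" indicators above. This is an added example, not Breakglass's own detection content; the pipe-delimited event format and the sample events are constructed here, and the browser allowlist is a tuning assumption.

```python
C2_IP = "95.216.51.236"      # C2 server from the report
C2_PORT = 31415              # C2 port from the report
DOH_RESOLVERS = {"1.1.1.1"}  # Cloudflare DoH endpoint the loader resolves through (report)
# Processes for which HTTPS to a public DoH resolver is expected. Tuning assumption: extend this
# if your fleet enables OS-level DoH (the Windows Dnscache service runs inside svchost.exe).
BROWSER_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# The Cloudflare-fronted addresses (104.21.63.112, 172.67.145.101) are shared edge IPs and are
# deliberately not matched on their own: they would fire on unrelated Cloudflare-hosted sites.

SAMPLE_EVENTS = [  # constructed, Sysmon Event ID 3 style: ts|image|dst_ip|dst_port|proto
    r"2026-04-10T11:02:13Z|C:\Program Files\Google\Chrome\Application\chrome.exe|1.1.1.1|443|tcp",
    r"2026-04-10T11:02:41Z|C:\Program Files\HWMonitor\HWMonitor.exe|1.1.1.1|443|tcp",
    r"2026-04-10T11:02:42Z|C:\Program Files\HWMonitor\HWMonitor.exe|95.216.51.236|31415|tcp",
    r"2026-04-10T11:03:05Z|C:\Windows\System32\svchost.exe|13.107.4.52|443|tcp",
    r"2026-04-10T11:04:19Z|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|10.0.0.5|31415|tcp",
]

def parse_event(line):
    ts, image, dst_ip, dst_port, proto = line.split("|")
    proc = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()  # basename of the process image
    return {"ts": ts, "image": image, "proc": proc, "dst_ip": dst_ip, "dst_port": int(dst_port), "proto": proto.lower()}

def evaluate(ev):
    """Reasons this single event matches the report's network/behavioral indicators."""
    reasons = []
    if ev["dst_ip"] == C2_IP:
        reasons.append("connection to known C2 IP 95.216.51.236")
    if ev["dst_port"] == C2_PORT:
        reasons.append("connection to C2 port 31415 (lower confidence on its own)")
    if ev["dst_ip"] in DOH_RESOLVERS and ev["dst_port"] == 443 and ev["proc"] not in BROWSER_ALLOWLIST:
        reasons.append(f"DNS-over-HTTPS to {ev['dst_ip']} from non-browser process {ev['proc']}")
    return reasons

def detect(lines):
    """Return one alert per matching event, preserving input order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ev = parse_event(line)
        if reasons := evaluate(ev):
            alerts.append({"ts": ev["ts"], "proc": ev["proc"], "dst": f"{ev['dst_ip']}:{ev['dst_port']}", "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["ts"], a["proc"], a["dst"], "; ".join(a["reasons"]))
```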

Short-term (1-2 weeks)

  • Verify all CPUID software installations against known-good hashes (listed above)
  • Monitor for official CPUID incident response statement
  • Deploy YARA rules (see below) across endpoints
  • Deploy Suricata rules (see below) at network boundary
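A host-side hunt covering the DLL sideloading section and the checklist items above: hijackable DLLs outside the system directories, the masquerading installer name, and CPUID installers whose hash is not in the known-good list. This is an added example, not the report's YARA or tooling; the SHA256 values are the ones published in this report, and the sample tree it builds is constructed from placeholder bytes.

```python
import hashlib
import tempfile
from pathlib import Path

MALICIOUS_SHA256 = {  # from the File Indicators (Malicious) table above
    "9cdabd70f50dc8c03f0dfb31894d9d5265134a2cf07656ce8ad540c1790fc984": "CRYPTBASE.dll (CPUID campaign)",
    "e4c6f8ee8c946c6bd7873274e6ed9e41dec97e05890fa99c73f4309b60fd3da4": "version.dll (FileZilla campaign)",
}
KNOWN_GOOD_SHA256 = {  # clean installers currently served by CPUID
    "96ac7864f87a133864293e92f6a3ab4484685470e5bde82cc8eaf1f974741775": "cpu-z_2.19-en.exe",
    "6c8faba4768754c3364e7c400a9d79ccbece156087be607583619f11a09cb064": "hwmonitor_1.63.exe",
}
HIJACKABLE_DLLS = {"cryptbase.dll", "version.dll"}  # legitimate copies live under System32/SysWOW64/WinSxS
MASQUERADE_NAMES = {"hwinfo_monitor_setup.exe"}
INSTALLER_PREFIXES = ("cpu-z", "hwmonitor")  # CPUID installer names to verify against known-good hashes
SYSTEM_DIRS = ("windows\\system32", "windows\\syswow64", "windows\\winsxs")

def classify(path, digest):
    """Verdict string for one file, or None when nothing about it is suspicious."""
    name = Path(path).name.lower()
    in_system_dir = any(d in str(path).replace("/", "\\").lower() for d in SYSTEM_DIRS)
    if digest in MALICIOUS_SHA256:
        return "KNOWN MALICIOUS: " + MALICIOUS_SHA256[digest]
    if name in MASQUERADE_NAMES:
        return "MASQUERADING INSTALLER NAME (hash unknown; quarantine and submit for analysis)"
    if name in HIJACKABLE_DLLS and not in_system_dir:
        return "HIJACKABLE DLL OUTSIDE SYSTEM DIR (possible sideloading)"
    if name.startswith(INSTALLER_PREFIXES) and name.endswith(".exe") and digest not in KNOWN_GOOD_SHA256:
        return "UNVERIFIED CPUID INSTALLER (hash not in known-good list)"
    return None

def scan(root):
    hits = []
    for p in Path(root).rglob("*"):  # hash only the file names this report cares about
        low = p.name.lower()
        if p.is_file() and (low in HIJACKABLE_DLLS | MASQUERADE_NAMES or low.startswith(INSTALLER_PREFIXES)):
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            if verdict := classify(p, digest):
                hits.append({"path": str(p), "name": p.name, "sha256": digest, "verdict": verdict})
    return sorted(hits, key=lambda h: h["path"])

def build_sample_tree():
    """Constructed sample layout (placeholder bytes, not real malware) for a stand-alone run."""
    root = Path(tempfile.mkdtemp())
    samples = {"Windows/System32/cryptbase.dll": b"legitimate copy", "Program Files/HWMonitor/cryptbase.dll": b"sideloaded",
               "Downloads/HWiNFO_Monitor_Setup.exe": b"fake installer", "Downloads/hwmonitor_1.63.exe": b"tampered"}
    for rel, data in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root
```

Run `scan(build_sample_tree())` for the demo layout, or `scan("C:/")` on a real host; the System32 copy of cryptbase.dll is ignored, the one beside HWMonitor.exe is reported.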

Medium-term (1-3 months)

  • Monitor supp0v3.com and related infrastructure for new campaigns
  • Track Mynymbox/Hetzner allocation for new C2 deployments
  • Audit software download processes for integrity verification
