CPUID Supply Chain Compromise: CRYPTBASE Sideloading, FileZilla C2 Reuse, and a 10-Month Campaign
Between April 3 and April 10, 2026, the official download links on cpuid.com — home of CPU-Z and HWMonitor — were hijacked to serve a trojanized installer containing a CRYPTBASE.dll sideloading payload. The installer, disguised as HWiNFO_Monitor_Setup.exe, was staged on a Cloudflare R2 bucket and delivered a .NET in-memory loader that communicates with a command-and-control server at 95[.]216[.]51[.]236:31415.
This report documents the C2 infrastructure, connects the campaign to the FileZilla trojanization wave of March 2026, and traces the actor's operations back to July 2025.
Summary of Compromise
- Target: cpuid.com (CPU-Z, HWMonitor download pages)
- Window: April 3-10, 2026
- Delivery: Download links redirected to a Cloudflare R2 bucket hosting HWiNFO_Monitor_Setup.exe
- Payload: Inno Setup installer (Russian-language dialogs) dropping a CRYPTBASE.dll sideloading chain
- Technique: DLL sideloading via CRYPTBASE.dll, NTDLL proxying (a fresh copy of NTDLL mapped from disk) from a .NET assembly to bypass EDR userland hooks, in-memory execution
- C2: 95[.]216[.]51[.]236:31415
- Current status: cpuid.com downloads verified clean as of April 10, 2026
What This Report Adds to the Public Record
Prior public reporting from vx-underground, CyberInsider, PC Gamer, Igor's Lab, and others confirmed the compromise and identified the trojanized installer. This report adds:
| Finding | Prior Public Reporting | This Report |
|---|---|---|
| CPUID downloads hijacked | Yes (vx-underground, CyberInsider) | Confirmed |
| Trojanized Inno Setup installer identified | Yes (vx-underground) | Confirmed, SHA256 provided |
| CRYPTBASE.dll sideloading technique | Partial | Full chain: DLL sideload -> .NET assembly -> NTDLL proxy -> in-memory execution |
| C2 server at 95[.]216[.]51[.]236:31415 | Not publicly documented | Mapped: Hetzner address space, Mynymbox Hosting LLC (Nevis, Caribbean) |
| Connection to FileZilla campaign (March 2026) | Not publicly documented | Same C2 IP and port; version.dll from FileZilla campaign calls same endpoint |
| 10-sample arsenal sharing this C2 | Not publicly documented | 10 distinct malware samples identified across campaigns |
| Staging domain welcome[.]supp0v3[.]com | Not publicly documented | Registered Oct 29, 2025 via CNOBIN (Chinese registrar, Hong Kong) |
| Related infrastructure (rnetopera[.]org, mymvm[.]ru, filezilla-project[.]live, justinstalledpanel[.]com) | Not publicly documented | Mapped via passive DNS and registration overlap |
| Campaign timeline back to July 2025 | Not publicly documented | superbad.exe (July 2025) is earliest known sample |
| Apache CVE initial access theory | Not publicly documented | cpuid.com reports Apache 2.4.59/2.4.66 with 34 known CVEs including CVE-2024-38475 (mod_rewrite, fixed in 2.4.60) |
| Actor profile (Russian-speaking, Chinese registrar, Caribbean hosting) | Not publicly documented | Trilateral infrastructure pattern documented |
Technical Analysis
Payload Chain
The trojanized installer follows a multi-stage execution chain designed to evade endpoint detection:
- Stage 1 — Inno Setup Installer: HWiNFO_Monitor_Setup.exe presents Russian-language installation dialogs. This is an immediate indicator that the installer was not built by CPUID (a French company).
- Stage 2 — CRYPTBASE.dll Sideloading: The installer drops a malicious CRYPTBASE.dll alongside a legitimate executable that imports a library of that name. Because the loader searches the executable's own directory before the system directory, the malicious copy is resolved instead of the genuine Windows system library, and the payload runs inside a process that looks legitimate. The name is that of a real system DLL, so the file itself does not look out of place; what gives it away is the load path (anything other than System32 or SysWOW64).
- Stage 3 — .NET In-Memory Assembly: The sideloaded DLL loads a .NET assembly entirely in memory. The assembly never touches disk, so file-based scanning does not see it.
- Stage 4 — NTDLL Proxying: The .NET assembly maps a fresh copy of NTDLL from disk and routes its system calls through that clean copy, bypassing the userland hooks that EDR products place in the process's original NTDLL image. This is a well-known technique (NTDLL unhooking, a close relative of direct syscalls). It defeats products that rely on userland hooking but not kernel-side telemetry such as kernel callbacks or ETW threat-intelligence events.
- Stage 5 — C2 Communication: The payload calls home to 95[.]216[.]51[.]236:31415.

CRYPTBASE.dll hash: 9cdabd70f50dc8c03f0dfb31894d9d5265134a2cf07656ce8ad540c1790fc984 (SHA256, 40/75 on VirusTotal)
C2 Infrastructure
The C2 server at 95[.]216[.]51[.]236 sits in Hetzner address space but is operated by Mynymbox Hosting LLC, registered in Nevis (Caribbean). The reverse DNS record points to the reseller:
236.51.216.95.hosted-by.mynymbox.io
Mynymbox is a small offshore hosting provider registered in the Federation of Saint Kitts and Nevis. The choice is likely deliberate: Caribbean jurisdictions have limited law enforcement cooperation mechanisms, which slows takedown requests. Note, however, that the address itself belongs to Hetzner's network, so abuse reports can go to Hetzner directly regardless of the reseller's jurisdiction.
The C2 listens on port 31415 — a non-standard port that avoids automated scanning of common C2 ports but is trivially detectable with targeted network monitoring.
Staging Infrastructure
The staging domain welcome[.]supp0v3[.]com was registered on October 29, 2025 through CNOBIN, a Chinese domain registrar operating out of Hong Kong. CNOBIN is known for minimal verification requirements and has appeared in prior campaigns as a registrar of choice for threat actors seeking low-friction domain registration.
Connection to the FileZilla Campaign
In March 2026, Malwarebytes and others documented a campaign distributing trojanized FileZilla installers via filezilla-project[.]live. Our analysis shows:
- The FileZilla trojan used version.dll sideloading (different DLL name, same technique)
- The version.dll payload called the same C2: 95[.]216[.]51[.]236:31415
- Both campaigns used Inno Setup installers with Russian-language dialogs
- Both campaigns used DLL sideloading with NTDLL proxying
This is unlikely to be a coincidence. The shared C2 IP and port is the strongest link; Inno Setup packaging, Russian-language dialogs, DLL sideloading and NTDLL proxying are each common in commodity loaders, but taken together with the identical endpoint they support the assessment that the same actor is running parallel supply chain campaigns against trusted software distribution points.
The 10-Sample Arsenal
We identified 10 distinct malware samples communicating with 95[.]216[.]51[.]236:31415, spanning:
- CRYPTBASE.dll variants (CPUID campaign, March-April 2026)
- version.dll variants (FileZilla campaign, February-March 2026)
- superbad.exe (earliest known sample, July 2025)
- Additional loader variants staged via supp0v3[.]com infrastructure
This volume indicates an active development pipeline, not a one-off operation.
Related Infrastructure
Passive DNS and registration analysis revealed the following connected domains:
| Domain | Role | Notes |
|---|---|---|
| welcome[.]supp0v3[.]com | Staging / payload delivery | Registered Oct 29, 2025 via CNOBIN |
| rnetopera[.]org | Related infrastructure | Registration overlap with campaign domains |
| mymvm[.]ru | Actor infrastructure | Russian TLD, supports a Russian-speaking operator |
| filezilla-project[.]live | FileZilla campaign delivery | Typosquat of filezilla-project.org |
| justinstalledpanel[.]com | C2 panel / management | Name suggests post-installation check-in panel |
The mymvm[.]ru domain is particularly notable — the .ru TLD combined with Russian-language installer dialogs strongly supports a Russian-speaking actor.
Probable Initial Access to cpuid.com
The cpuid.com web server reports Apache 2.4.59/2.4.66, versions with 34 published CVEs between them. The most likely candidate for initial access is:
CVE-2024-38475 — Apache HTTP Server mod_rewrite improper output escaping, affecting 2.4.59 and earlier (fixed in 2.4.60). In configurations where a RewriteRule substitutes attacker-influenced data into a filesystem path, it lets an attacker map URLs to filesystem locations that are not intended to be served, potentially exposing server-side scripts or configuration files. On its own that is a read primitive; to modify the download links to point at the Cloudflare R2 staging bucket the attacker would additionally need write access to the web root or CMS backend, for example through credentials harvested from an exposed configuration file.
This is assessed with moderate confidence: the vulnerability is present in the 2.4.59 build, the attack pattern aligns with the observed compromise (download link redirection rather than full server takeover), and no other entry point was identified. Two caveats apply. A banner reading 2.4.66 already carries the fix, so only the 2.4.59 reading is relevant. And a version banner shows exposure, not exploitation; no exploitation artifacts from the cpuid.com server were available for this report.
Campaign Timeline
| Date | Event |
|---|---|
| July 2025 | superbad.exe — earliest known sample communicating with 95[.]216[.]51[.]236:31415 |
| October 29, 2025 | supp0v3[.]com registered via CNOBIN (Hong Kong) |
| February 2026 | FileZilla trojanization campaign begins; version.dll sideloading payloads deployed |
| March 2026 | FileZilla campaign publicly reported (Malwarebytes); CRYPTBASE.dll developed |
| April 3, 2026 | CPUID supply chain compromise begins; download links redirected to Cloudflare R2 |
| April 10, 2026 | CPUID downloads verified clean; compromise window closes |
This timeline shows a 10-month operational arc from first known sample to the CPUID compromise, with the actor progressively targeting higher-value software distribution points.
Actor Profile
| Attribute | Assessment | Confidence |
|---|---|---|
| Language | Russian-speaking (installer dialogs, mymvm[.]ru domain) | High |
| Infrastructure registration | Chinese registrar (CNOBIN, Hong Kong) | High |
| Hosting | Offshore Caribbean (Mynymbox, Nevis) | High |
| Operational pattern | Supply chain compromise of trusted software distributors | High |
| Technical capability | DLL sideloading, NTDLL unhooking, in-memory execution, EDR bypass | High |
| Motivation | Likely financial (broad targeting of popular utility software) | Moderate |
| State affiliation | No evidence of state sponsorship; consistent with financially motivated actor or initial access broker | Moderate |
The trilateral infrastructure pattern — Russian language, Chinese registrar, Caribbean hosting — is consistent with a financially motivated actor or initial access broker (IAB) deliberately fragmenting their operational footprint across jurisdictions with poor mutual legal assistance.
Indicators of Compromise
Network IOCs
| Indicator | Type | Context |
|---|---|---|
| 95[.]216[.]51[.]236 | IPv4 | C2 server (Hetzner address space / Mynymbox Hosting LLC, Nevis) |
| 95[.]216[.]51[.]236:31415 | IPv4:Port | C2 endpoint |
| 236.51.216.95.hosted-by.mynymbox[.]io | rDNS | C2 reverse DNS |
| welcome[.]supp0v3[.]com | Domain | Staging / payload delivery |
| supp0v3[.]com | Domain | Parent staging domain |
| rnetopera[.]org | Domain | Related infrastructure |
| mymvm[.]ru | Domain | Actor infrastructure |
| filezilla-project[.]live | Domain | FileZilla campaign delivery |
| justinstalledpanel[.]com | Domain | C2 panel |
File IOCs
| Indicator | Type | Context |
|---|---|---|
| 9cdabd70f50dc8c03f0dfb31894d9d5265134a2cf07656ce8ad540c1790fc984 | SHA256 | CRYPTBASE.dll (40/75 VT) |
| HWiNFO_Monitor_Setup.exe | Filename | Trojanized Inno Setup installer |
| CRYPTBASE.dll | Filename | Sideloading payload (CPUID campaign) |
| version.dll | Filename | Sideloading payload (FileZilla campaign) |
| superbad.exe | Filename | Earliest known sample (July 2025) |
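To apply the network indicators above they first have to be refanged, then matched against DNS and connection telemetry, including the case where the C2 host is contacted on a port other than 31415. The following is an added example written for this edit, not code from the report or from Breakglass Intelligence; the key=value log format and every log line in it are constructed, and the role labels are assumptions.

```python
"""Refang the defanged network indicators from this report and match them
against DNS and connection records.

Added example. The log format and every log line below are constructed for
illustration, not telemetry from the incident. Indicators are IPv4 and
domains only (the report lists no IPv6).
"""
import ipaddress
import re

# Indicators exactly as published in the report (defanged), with a role label.
DEFANGED_IOCS = {
    "95[.]216[.]51[.]236": "c2_ip",
    "95[.]216[.]51[.]236:31415": "c2_endpoint",
    "welcome[.]supp0v3[.]com": "staging",
    "supp0v3[.]com": "staging_parent",
    "rnetopera[.]org": "related",
    "mymvm[.]ru": "actor_infra",
    "filezilla-project[.]live": "filezilla_delivery",
    "justinstalledpanel[.]com": "c2_panel",
}


def refang(indicator):
    """Reverse the '[.]' / 'hxxp' defanging used in threat reports."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_iocs(defanged):
    """Split refanged indicators into IP, IP:port and domain sets."""
    ips, ip_ports, domains = set(), set(), set()
    for raw, role in defanged.items():
        value = refang(raw).lower()
        host, sep, port = value.rpartition(":")
        if not sep:
            host, port = value, ""
        try:
            ipaddress.ip_address(host)
        except ValueError:
            domains.add((host, role))  # not an IP address: treat as a domain
            continue
        if port:
            ip_ports.add((host, int(port), role))
        else:
            ips.add((host, role))
    return ips, ip_ports, domains


def match_line(line, iocs):
    """Return a finding dict for one 'key=value' log line, or None."""
    ips, ip_ports, domains = iocs
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    if "query" in fields:
        qname = fields["query"].lower().rstrip(".")
        # A query for a subdomain also matches; prefer the most specific indicator.
        hits = [(d, r) for d, r in domains if qname == d or qname.endswith("." + d)]
        if hits:
            dom, role = max(hits, key=lambda h: len(h[0]))
            return {"kind": "dns", "role": role, "indicator": dom, "client": fields.get("client")}
        return None
    if "dst" in fields:
        dst, dport = fields["dst"], int(fields.get("dport", "0"))
        for ip, port, role in ip_ports:
            if dst == ip and dport == port:
                return {"kind": "conn", "role": role, "indicator": f"{ip}:{port}", "client": fields.get("src")}
        for ip, role in ips:
            if dst == ip:
                # Same C2 host on another port still deserves an alert, at lower confidence.
                return {"kind": "conn", "role": role, "indicator": ip, "client": fields.get("src")}
    return None


def scan(lines, defanged=DEFANGED_IOCS):
    """Run match_line() over raw log lines and return the findings."""
    iocs = build_iocs(defanged)
    return [hit for hit in (match_line(line, iocs) for line in lines) if hit]


SAMPLE_LOG = [  # constructed lines; 203.0.113.0/24 is a documentation range
    "2026-04-05T10:12:03Z dns client=10.0.0.7 query=welcome.supp0v3.com qtype=A",
    "2026-04-05T10:12:04Z conn src=10.0.0.7 dst=95.216.51.236 dport=31415 proto=tcp",
    "2026-04-05T10:15:00Z conn src=10.0.0.9 dst=95.216.51.236 dport=443 proto=tcp",
    "2026-04-05T10:16:00Z dns client=10.0.0.9 query=filezilla-project.org qtype=A",
    "2026-04-05T10:17:00Z dns client=10.0.0.9 query=cdn.filezilla-project.live qtype=A",
    "2026-04-05T10:18:00Z conn src=10.0.0.9 dst=203.0.113.5 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The legitimate filezilla-project.org query is deliberately included as a negative case: suffix matching is done on the refanged indicator with a leading dot, so a typosquat indicator never matches the domain it imitates.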
Detection Signatures
Snort/Suricata (outbound C2):
alert tcp $HOME_NET any -> 95.216.51.236 31415 (msg:"GHOST - CPUID/FileZilla Campaign C2 Callback"; flow:established,to_server; classtype:trojan-activity; sid:2026040901; rev:1;)
This rule is port-specific; pair it with an IP-reputation or blocklist entry for 95.216.51.236 if you want connections to the host on any port covered.
YARA (CRYPTBASE.dll sideloading):
rule GHOST_CRYPTBASE_Sideloader {
    meta:
        description = "CRYPTBASE.dll sideloading payload from CPUID supply chain compromise"
        author = "Breakglass Intelligence"
        date = "2026-04-09"
        hash = "9cdabd70f50dc8c03f0dfb31894d9d5265134a2cf07656ce8ad540c1790fc984"
    strings:
        $inno = "Inno Setup" ascii
        $cryptbase = "CRYPTBASE" ascii wide
        $ntdll_proxy = "ntdll.dll" ascii wide
        $dotnet = "_CorExeMain" ascii
        $c2_port = { 31 34 31 35 } // "1415" ascii (part of port 31415); four digits, weak on its own
    condition:
        // "Inno Setup", "ntdll.dll" and "1415" occur in plenty of benign binaries, so
        // the module name is required and the remaining strings only corroborate.
        uint16(0) == 0x5A4D and
        $cryptbase and
        2 of ($inno, $ntdll_proxy, $dotnet, $c2_port)
}
Sigma (suspicious DLL sideloading):
title: CRYPTBASE.dll Sideloading - CPUID Campaign
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects CRYPTBASE.dll loaded from non-system directories
author: Breakglass Intelligence
date: 2026/04/09
tags:
    - attack.defense_evasion
    - attack.t1574.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\CRYPTBASE.dll'
    filter:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not filter
falsepositives:
    - Legitimate software bundling CRYPTBASE.dll (rare)
level: high
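The Sigma rule above expresses one hunt. The same logic, extended with the generic sideloading heuristic that the payload chain relies on (a DLL bearing a Windows system library's name resolved from the loading executable's own directory, which also catches the FileZilla campaign's version.dll), run over Sysmon Event ID 7 records. This is an added example written for this edit, not code from the report or from Breakglass Intelligence; the flat record format, the paths and the extra watch-list of sideload-prone DLL names are assumptions, and the records are constructed.

```python
"""Hunt for DLL sideloading in Sysmon Event ID 7 (ImageLoad) records.

Added example. Implements the Sigma logic from this report (CRYPTBASE.dll
loaded outside the system directories) plus a generic heuristic: a DLL with
the name of a Windows system library loaded from the same directory as the
loading executable. Record format and paths are constructed for illustration.
"""
import ntpath

# Windows paths are case-insensitive; everything is compared lowercased.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# DLL names this actor has sideloaded (CPUID and FileZilla campaigns).
CAMPAIGN_DLLS = {"cryptbase.dll", "version.dll"}

# Other system DLL names often abused for sideloading. Assumption: a hunting
# watch-list, not a claim about this campaign.
OTHER_SYSTEM_DLLS = {"dbghelp.dll", "wtsapi32.dll", "userenv.dll", "dwmapi.dll", "winmm.dll"}


def parse_event(line):
    """Parse a flat 'Key=Value|Key=Value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def classify(event):
    """Return (severity, reason) for one ImageLoad event, or None if benign."""
    if event.get("EventID") != "7":
        return None
    loaded = event["ImageLoaded"].lower()
    image = event["Image"].lower()
    name = ntpath.basename(loaded)
    loaded_dir = ntpath.dirname(loaded) + "\\"

    # The genuine library lives in System32/SysWOW64; loads from there are expected.
    if loaded_dir.startswith(SYSTEM_DIRS):
        return None
    if name in CAMPAIGN_DLLS:
        return ("high", f"{name} loaded outside system directories by {image}")
    # Generic sideload pattern: a system-DLL name resolved from the EXE's own directory.
    if name in OTHER_SYSTEM_DLLS and ntpath.dirname(loaded) == ntpath.dirname(image):
        return ("medium", f"{name} loaded from the executable's own directory by {image}")
    return None


def hunt(lines):
    """Run classify() over raw records; return the list of (severity, reason)."""
    findings = []
    for line in lines:
        result = classify(parse_event(line))
        if result:
            findings.append(result)
    return findings


SAMPLE_EVENTS = [  # constructed records, not telemetry from the incident
    r"EventID=7|Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\cryptbase.dll",
    r"EventID=7|Image=C:\Users\u\AppData\Local\Temp\is-K3T1Q.tmp\HWiNFO_Monitor_Setup.tmp|ImageLoaded=C:\Users\u\AppData\Local\Temp\is-K3T1Q.tmp\CRYPTBASE.dll",
    r"EventID=7|Image=C:\Users\u\Downloads\FileZilla\filezilla.exe|ImageLoaded=C:\Users\u\Downloads\FileZilla\version.dll",
    r"EventID=7|Image=C:\Tools\app.exe|ImageLoaded=C:\Tools\dbghelp.dll",
    r"EventID=7|Image=C:\Tools\app.exe|ImageLoaded=C:\Tools\plugin.dll",
    r"EventID=1|Image=C:\Tools\app.exe|CommandLine=app.exe",
]

if __name__ == "__main__":
    for severity, reason in hunt(SAMPLE_EVENTS):
        print(severity, reason)
```

The first record is the control: CRYPTBASE.dll loaded from System32 is the real library and produces no finding, which is exactly the filter clause in the Sigma rule. Inno Setup unpacks into an is-XXXXX.tmp folder under %TEMP%, so a CRYPTBASE.dll resolved from such a folder is the pattern this campaign leaves behind.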
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Context |
|---|---|---|---|
| Initial Access | Supply Chain Compromise: Compromise Software Supply Chain | T1195.002 | cpuid.com download links hijacked |
| Initial Access | Exploit Public-Facing Application | T1190 | Probable Apache CVE-2024-38475 exploitation on cpuid.com |
| Execution | User Execution: Malicious File | T1204.002 | User runs trojanized installer |
| Persistence | Hijack Execution Flow: DLL Side-Loading | T1574.002 | CRYPTBASE.dll / version.dll sideloading |
| Defense Evasion | Reflective Code Loading | T1620 | In-memory .NET assembly execution |
| Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | NTDLL proxying (unhooking) to bypass EDR userland hooks |
| Defense Evasion | Obfuscated Files or Information | T1027 | In-memory payload avoids disk artifacts |
| Command and Control | Non-Standard Port | T1571 | C2 on port 31415 |
| Command and Control | Non-Application Layer Protocol | T1095 | C2 over TCP to 31415 (application-layer protocol not characterized in this report) |
| Resource Development | Acquire Infrastructure: Domains | T1583.001 | supp0v3[.]com, filezilla-project[.]live, etc. |
| Resource Development | Acquire Infrastructure: Server | T1583.004 | Mynymbox hosting (Nevis) |
| Resource Development | Stage Capabilities: Upload Malware | T1608.001 | Cloudflare R2 bucket for payload staging |
Confidence Assessments
| Assessment | Confidence | Basis |
|---|---|---|
| CPUID downloads were compromised April 3-10, 2026 | High | Multiple independent confirmations (vx-underground, CyberInsider) |
| CRYPTBASE.dll is the sideloading payload | High | Binary analysis, VT detections (40/75) |
| C2 is 95[.]216[.]51[.]236:31415 | High | Network analysis of payload |
| Same actor as FileZilla campaign | High | Shared C2 IP:port, shared technique chain, shared installer characteristics |
| Mynymbox Hosting LLC operates the C2 server | High | Hetzner allocation records, rDNS |
| CNOBIN registration of supp0v3[.]com | High | WHOIS records |
| Apache CVE-2024-38475 as initial access vector | Moderate | Version fingerprint matches, technique aligns, but not directly confirmed |
| Actor is Russian-speaking | High | Russian installer dialogs, mymvm[.]ru domain |
| Campaign operational since July 2025 | Moderate | Based on earliest known sample (superbad.exe); earlier activity may exist |
| Financially motivated / IAB | Moderate | Broad targeting pattern, no evidence of state sponsorship |
Disclosure
- April 9, 2026: This report published by Breakglass Intelligence
- CPUID: Compromise was remediated by April 10, 2026; downloads verified clean
- Hetzner: The C2 server at 95[.]216[.]51[.]236 is hosted on Hetzner infrastructure allocated to Mynymbox Hosting LLC
We welcome any corrections or prior work we may have missed. If you documented any of these findings before this publication, contact us and we will update this report with appropriate credit.
Prior Art and Credits
This investigation builds on public reporting from:
- vx-underground — First public confirmation of the cpuid.com compromise
- CyberInsider — Early coverage of the supply chain attack
- PC Gamer — Consumer-facing coverage alerting users
- Igor's Lab — Technical coverage of the compromise
- CyberNews — Additional reporting
- Cryptika — Coverage of the incident
- Malwarebytes — FileZilla trojanization campaign report (March 2026), which documented the broader DLL sideloading campaign this actor operates
- Mr. Titus Tech (@vaboronern) — Original reporter
This investigation was conducted under the GHOST methodology by Breakglass Intelligence. The shadows satisfice.