Attackers compromised a secondary API used by CPUID's website and swapped the download links for CPU-Z and HWMonitor on the official site with malicious executables. The trojanized downloads delivered a fake HWiNFO installer packaged in a Russian-language Inno Setup wrapper. The malware is described as multi-staged, running almost entirely in memory, and using EDR/AV evasion techniques that include proxying NTDLL functionality through a .NET assembly. The breach lasted roughly six hours on April 9-10 before it was detected and the links were restored. The same threat group is suspected of having targeted FileZilla users the previous month. The malicious ZIP is flagged by 20 antivirus engines on VirusTotal, and some researchers classify the payload as an infostealer.

From bleepingcomputer.com