vx-underground
The largest collection of malware source, samples, and papers on the internet.

Password: infected

https://vx-underground.org/
I'm trying to download this Chinese government super computer leak thingy. It's 10PB (10,000 terabytes). However, my computer only has 10TB of storage. I went to Amazon and tried ordering some hard drives. The largest size available for bulk purchase was…
I made a series of posts similar to this one designed to illustrate how astronomically absurd 10PB of data is.

It (somehow) transformed into a bunch of stinky nerds arguing about storage costs, architectural requirements, local storage vs. cloud storage, etc.
Here is a silly explanation

> company gets bamboozled
> fires, explosions, people screaming at the sky
> bystanders pointing saying "omg"
> literally screaming, crying, throwing up
> threat intel all over it
> cybercrime tmz all over it (that includes me)
> DFIR nerds come in
> DFIR contain the crime scene
> DFIR tells businesses to calm down
> DFIR tell people "nothing to see here"
> look inside
> TeamPCP
> AV vendors begin building rules
> Threat Intels say: "hmph, interesting"
> Threat Actors say: "ooga booga"
> quiet, eerily quiet
> DFIR working, AV working, lawyers lawyering
> Threat Actor probably extorting
> fire is put out, now people have to clean up mess
> no fire? no interesting
> clean up is LAME and for NOT EXCITING
> Threat Actor creep back into the shadows
> DFIR angry in quiet
> Lawyers lawyer in quiet
> Threat Intel do the internet stalking
> customers do the lawsuits
> th—
> BOOM EXPLOSION
> "wtf was that???"
> everyone turns to their left
> wh—
> NEW FIRE!! NEW EXPLOSIONS!!!
> bystanders pointing saying "omg"
> literally screaming, crying, throwing up
> threat intel all over it
> cybercrime tmz all over it (that includes me)
> DFIR nerds come in
> DFIR contain the crime scene
> DFIR tells businesses to calm down
> DFIR tell people "nothing to see here"
> look inside
> (not TeamPCP, different Threat Actor)

... and then repeat this cycle about 100 times a week but for different countries, different companies, and different Threat Actors.

And while everyone is focusing on a different fire and explosion Threat Actors are shifting focus, laundering money, cleaning up, or scouting new targets. Blue Team is suffocating from the sheer volume of crime while AI nerds say shit like "cybersecurity is dead" (it is, don't go into cybersecurity)

tl;dr it's the cycle of life
Mr. Titus Tech is correct. cpuid-dot-com is indeed delivering malware right now.

As I began poking this with a stick I discovered this is not your typical run-of-the-mill malware. This malware is deeply trojanized, is distributed from a compromised domain (cpuid-dot-com), performs file masquerading, is multi-staged, operates (almost) entirely in-memory, and uses some interesting methods to evade EDRs and/or AVs such as proxying NTDLL functionality from a .NET assembly.

The C2 domain present in one of the binaries is a clear IoC. This is the same Threat Group who was masquerading FileZilla in early March, 2026. They've been busy.
Yeah, so pretty much this http://cpuid.com malware is a pain in the ass. I'd have to spend a good bit of time trying to bonk it with a stick and reconstruct some of it. Whoever developed this malware actually cares about evasion and made some intelligent decisions when developing this malware payload.

This appears to only impact HWMonitor 64-bit. It appears (based on user reports) cpuid became malicious around 7PM EST, April 10th, 2026. However, it is possible it was much earlier than this; this is just when people began noticing and discussing it online.

From an extremely high-level overview, it appears the ultimate goal of this malware is data theft, specifically browser credentials. I could be wrong in that assessment, but I'm fairly confident in it. I'm guessing this is the end goal because when I emulated it I could see it messing with Google Chrome's IElevation COM interface (trying to dump and decrypt saved passwords). However, in between it does a bunch of other stuff too.

1. They (an unknown Threat Actor) compromised http://cpuid.com to deliver malware from HWMonitor. It impacts the actual installer as well as the portable installer. It downloads stuff from supp0v3-dot-com, the same domain used in a previous malware campaign targeting FileZilla in the beginning of March, 2026, initially reported by MalwareBytes.

2. HWMonitor comes packaged with a malicious CRYPTBASE.dll. CRYPTBASE.dll is a legitimate Windows library, but they made a fake one to blend in (malware masquerading). This DLL is responsible for connecting to their C2 and downloading the other malware stages.

3. It tries to detect emulation and prevent reverse engineering by checking for the presence of specific registry keys on the machine. However, they failed at doing this and didn't account for everything. Notably, they only check for VirtualBox (whomp, whomp).

4. It downloads a .cs file from a remote C2 and then compiles it manually on the machine by invoking .NET stuff. This is an interesting strategy. It does all of this via PowerShell (LOLBIN nonsense).

5. The .cs file it compiles is a .NET binary with NTDLL exports. The main HWMonitor binary performs process injection using this compiled .NET binary. This is an interesting strategy.

6. Almost everything it does is performed in-memory. I would have to go through this and manually bonk all of this stuff with a stick and determine precisely how it operates. However, I don't think that is necessary because at this point we know this is malware and we know it's trying to steal browser credentials.

+2 points for IElevation COM Interface credential dumping
+1 point for inline PowerShell CLI DLL compilation
+1 point for .NET assembly NTDLL export proxying
-1 point for botched anti-emulation
+2 points for website compromise and supply chain attack
+1 point for memory persistence
-3 points for recycling the same C2 from March, 2026 campaign

Overall I give this malware a B-. This is pretty good malware.
CPU-Z and HWMonitor nerd (d0cTB) put out a statement.

Compromise was present for approx. 6 hours. This is an extremely short period of time.

Also, extremely fast response by the nerds at cpuid.
I woke up this morning curious as to what my peers had discovered about this cpuid shenanigans. I was not disappointed.

Several of my peers ripped this thing apart much more thoroughly than I did. I am immensely impressed by how neurotic some of you are when bonking malware with sticks (N3mes1s).

To make a long story short, the cpuid-dot-com compromise, CPU-Z malware, and HWMonitor malware campaign was performed using "STX Rat". STX Rat is a new malware family discovered around early March, 2026, and has been gaining some traction.

Interestingly, a really in-depth analysis of it was published April 8th, 2026 by eSentire (I'll link in subsequent post, research was performed by YungBinary). From my super quick bonking I was correct this cpuid malware campaign does indeed steal credentials. However, what I missed was that it also allows the Threat Actor remote desktop capabilities into your machine.

I also missed some of its unusual hashing capabilities, .db PowerShell persistence method, ... and some other really cool malware technologies it utilizes. This is NOT trash malware. The people who wrote this very clearly know what they're doing.

Very interesting stuff
Chat, I've changed my mind. We have some problems in the AI department.

It turns out someone compromised the Mexican government to an unbelievable extent using nothing but Claude and ChatGPT. I'll link the full paper in the subsequent post. However, here are the highlights of how an unknown Threat Actor "vibe hacked" the Mexican government.

Data stolen from...
1. SAT (Servicio de Administracion Tributaria) - Federal tax authority:
- 195 million taxpayer records
- 52 million directory records

2. Estado de Mexico - State government:
- 15.5M vehicle registry records
- 3.6M property owner records

3. Registro Civil de CDMX - Mexico City civil registry:
- 220M civil records

4. Jalisco state government:
- 50K patient records
- 17K domestic violence victim records
- 36K healthcare employee records
- 180K digital government records

5. INE (Instituto Nacional Electoral) - National electoral institute:
- 13.8K voter card records

6. Michoacan state government:
- 2.28M property records
- 2K user accounts with plaintext passwords

7. SADM Monterrey (Agua y Drenaje) Municipal water utility:
- 3.5K procurement and vendor records
- 5K procurement bid records
The United States economy is doing so bad financially motivated Threat Actors don't even want to steal from us Ameriburgers anymore. They're stealing from Mexicans now :(
Rockstar Games being extorted (again)

ShinyHunters were able to get data from Rockstar Games by compromising a third-party entity (Anodot), which allowed them to pivot to Snowflake, which allowed them to pivot to Rockstar Games data.

What data they were able to get is unknown.
I don't care what those nerds at Kaspersky say, I stand by my opinion STX Rat is a solid B- malware.

Yeah, the cpuid-dot-com operation was a gigantic fumble, but the malware is pretty neat, far superior to the generic crimeware you find online.

I'm happy LTT included the cat
πŸ‘63πŸ”₯17😁10❀4πŸ₯°1🀣1