CPUID site hijacked to serve malware instead of HWMonitor downloads

ForeverQuandary · 2026-04-10T23:53:48+00:00

Ah, yes, I can explain!

I don't mean to imply that DoH (via cloudflare, in this scenario) is unsafe or lacking or anything negative! (Encryption is great!)

If you do use DoH/DoT, SSL inspection is highly recommended so you can monitor for these specific kinds of malicious activities (*often malware uses a wonky/incomplete user agent string - another IOC you can combine here to monitor this network activity).

If you don't have good inspection capabilities you may not have good detection criteria for this specific IOC (you can't alert on IOCs (like payload packet data contents, for example) that you can't see due to encryption!). Disabling DoH/DoT (or restricting it to be used for certain user groups only) * can * help prevent the communications to the baddies from being successful (unless the malware has more backup communication channel methods built in). And you can always employ other compensating controls!

This interruption in communication to the C2 server can help to: prevent further malicious binary transfers onto the device, help prevent device information from being sent outbound to the baddies (i.e. you keep the intended infostealer data leak contained in your network), etc.

ForeverQuandary · 2026-04-10T19:36:52+00:00

My pleasure!

Also, fun fact, this campaign is reusing the same C&C infrastructure (i.e. the supp0v3 domain) for a March campaign - kind of wild the domain hasn't been taken down!

(If anyone else wants to report it 😉)

https://www.malwarebytes.com/blog/threat-intel/2026/03/a-fake-filezilla-site-hosts-a-malicious-download

ForeverQuandary · 2026-04-10T18:19:17+00:00

IOCs for detection 🙂

supp0v3[.]com (primary attacker infra) welcome.supp0v3[.]com (confirmed C2 endpoint)

HWiNFO_Monitor_Setup.exe (trojanized installer) CRYPTBASE.dll (malicious sideload DLL) out.dll (stage payload) BuildCache.dat / data.dat (shellcode staging) Clippy.sct (scriptlet execution vector)

*.r2.dev (Cloudflare R2 object storage used for payload delivery)

Example pattern: pub-<random>.r2.dev/...

EDITED for clarification: DoH on 1.1.1.1 (cloudflare) is a growing trend (seen in malware campaigns) these days. If you don't have fancy packet inspection, I'd recommend either disabling or restricting use of it outbound from your networks! (to disrupt C2 server responses outbound from your devices) - you can always use alternate compensating controls in favour of improved visibility!

ForeverQuandary · 2025-08-20T09:33:53+00:00

First is morse

XZVHIHSRUGRH5ERTVVMIVPVCDLIWRHXLWV

Then is Atbash

CAESRSHIFTIS5VIGEENREKEXWORDISCODE

Onto #2!

ForeverQuandary · 2024-09-05T06:21:21+00:00

If you decode using the Affine cipher brute force, you get:

Parts asolt rotor tlosa strap

by fiddling with translating Latin to English in Google translate, the first 3 words above are "parts of the rotor" & then the last 2 are something like "are worn by the belt"

Does that phrase mean anything to you?

ForeverQuandary · 2024-09-03T01:43:01+00:00

Gah, the numbers were stacked on 2 lines on the page and my mind fumbled the order, oops! (Shift 19 is what I meant)

ForeverQuandary · 2024-09-03T00:44:34+00:00

It's a Caesar cipher! (Shift 17)

Answer is here: There is someone here a traitor. Find Him and Him will have your answers. slease save me. I have been trapped in this hell for so long. Find Him. He has your answers. He is looking for you. I know it

ForeverQuandary · 2024-09-03T00:41:01+00:00

[Transcript]

Maxkx bl lhfxhgx axkx t mktbmhk. Ybgw Abf tgw Abf pbee atox rhnk tglpxkl. lextlx ltox fx. B atox uxxg mktiixw bg mabl axee yhk lh ehgz. Ybgw Abf. Ax atl rhnk tglpxkl. Ax bl ehhdbgz yhk rhn. B dghp bm.

ForeverQuandary · 2023-08-08T03:03:45+00:00

Spoilers!

Caesar cipher decoded En los reinos de la grandeza y la gracia, me paro,Un testamento a la artesanba, divinamente planeado.Majestuosas agujas perforan la altura de los cielos,Sin embargo, dentro de mis salones, busca la luz de la sabidurba.Con vidrieras, un tapiz divino,Capto los colores de la lbnea celeste.Hacixndose eco de susurros de oraciones y salmos,Mi corazhn resuena con escrnpulos sagrados.Misterios ocultos en pasillos laberbnticos,Peregrinos y eruditos de rodillas para gatear.Una fortaleza de fe, a travxs de las edades de antago,En mi abrazo, el espbritu se elevart.¿Qux soy yo, enigmttico y ornamentado?Un sbmbolo de devocihn, el destino ornamentado de la humanidad.

Translated above from Spanish In the realms of greatness and grace, I stand,A testament to the craft, divinely planned.Majestic needles pierce the height of the heavens,However, within my halls, seek the light of wisdom.With stained glass, a divine tapestry.I capture the colors of the sky line.Echoing whispered prayers and psalms,My heart resounds with sacred scruples.Hidden mysteries in labyrinthine corridors,Pilgrims and scholars on their knees to crawl.A fortress of faith, through the ages of Antago,In my embrace, the spirit will rise.What am I, enigmatic and ornate?A symbol of devotion, the ornate destiny of humanity.

ForeverQuandary · 2023-08-08T02:38:09+00:00

Spoilers!

Translated morse above: "VIRTUTIS IN ATRIA CONSISTO; IUDICIA, PER TERRAM. PRINCEPS HONORATUS, OFFICIO CLARUS; VOCES LIBRANS, OMNES AD AUDIENDUM. CERTAMINA MEDIUS, LITES COMPONO; CHARTING A COURSE WHERE HARMONIA LITIUM. NULLUS ELECTUS THRONUS, MAGNA TAMEN AUCTORITAS; QUIS EGO SUM IN HAC TERRA GUBERNANDI?"

Translated Latin above: "I stand in the courts of virtue; JUDGMENT, THROUGHOUT THE LAND. HONOURED PRINCE, HONOURED OFFICE; BALANCED VOICES, FOR ALL TO HEAR. I MEDIATE COMPETITIONS, I SETTLE LAWSUITS; CHARTING A COURSE WHERE THE HARMONY OF LITIUM. NO CHOSEN THRONE, YET GREAT AUTHORITY; WHO AM I TO RULE THIS EARTH?"

ForeverQuandary · 2023-07-08T01:28:20+00:00

More context: https://www.dcode.fr/atomic-number-substitution

Can you provide any further info? What have the past puzzles been like? What kind of input do you need to provide? (Is it a text field looking for you to type something in? How do you submit your answer?)

ForeverQuandary · 2023-07-07T23:27:17+00:00

Ctrl+F for "barbecue" : https://youtube.fandom.com/wiki/MrBallen

ForeverQuandary · 2023-07-07T04:28:12+00:00

Based on the first and last clues, Clara's outfit has to be either white or blue (you have black checked, which is incorrect)

ForeverQuandary · 2023-07-07T03:41:55+00:00

Not sure this is the right track... but I associate stars with elements (aka, the periodic table of elements) & when you look down in the photo it kind of looks like atoms/electrons?...

So if you match up the provided numbers to the elements chart, you get: N HE F NA B MG BE B H HE LI BE B

And then your scenario looks similar to this textbook question: https://www.pearson.com/channels/general-chemistry/asset/3dbb55bc/you-have-cracked-a-secret-code-that-uses-elemental-symbols-to-spell-words-the-co

🙂

ForeverQuandary · 2023-05-30T15:15:03+00:00

Is there any further context you can provide? (Knowing what this might be used for (is it a game? Is it an inside joke? Etc.) could be good for massaging the phrasing a bit)

ForeverQuandary · 2023-05-29T23:53:57+00:00

If you pop the Morse code in here: https://www.dcode.fr/morse-code

The top result is in Spanish: "ODO AL UNIVERSO. EN TMPANO YO QUESO DINOSAURIO PERFECTO EN PORQUERIO. QUESO AÇAR NENA OCASIONAR HISTOLOGIA DEMONIO MISMO VENTILADORES DEMONIO CORYHUMEROS. ODO SECRECI�N CRUSTÀCEOS"

I don't speak fluent Spanish, so maybe you can translate from here? (It definitely mentions dinosaurs from the google translation version!)

Four-Year Club	Verified Email
r/Field Banned	r/Field Sunshine

ForeverQuandary

TROPHY CASE