Warning: The current HWMonitor download, and possibly other PC monitoring applications, may be infected with viruses.
More info: reddit.com/r/pcmasterrace…
Yeah, so pretty much this cpuid.com malware is a pain in the ass. I'd have to spend a good bit of time trying to bonk it with a stick and reconstruct some of it. Whoever developed this malware actually cares about evasion and made some intelligent decisions when developing this malware payload.
This appears to only impact HWMonitor 64-bit. It appears (based on user reports) cpuid became malicious around 7PM EST, April 10th, 2026. However, it is possible it was much earlier than this; this is just when people began noticing and discussing it online.
From an extremely high-level overview, it appears the ultimate goal of this malware is data theft, specifically browser credentials. I could be wrong in that assessment, but I'm fairly confident in it. I'm guessing this is the end goal because when I emulated it I could see it messing with Google Chrome's IElevation COM interface (trying to dump and decrypt saved passwords). However, in between this it does a bunch of other stuff too.
1. They (an unknown Threat Actor) compromised cpuid.com to deliver malware via HWMonitor. It impacts the actual installer as well as the portable installer. It downloads stuff from supp0v3-dot-com, the same domain used in a previous malware campaign targeting FileZilla at the beginning of March, 2026, initially reported by MalwareBytes.
2. HWMonitor comes packaged with a malicious CRYPTBASE.dll. CRYPTBASE.dll is a legitimate Windows library, but they made a fake one to blend in (malware masquerading). This DLL is responsible for connecting to their C2 and downloading the other malware stages.
3. It tries to detect emulation and prevent reverse engineering by checking for the presence of specific registry keys on the machine. However, they failed at doing this and didn't account for everything. Notably, they only check for VirtualBox (whomp, whomp).
4. It downloads a .cs file from a remote C2 and then compiles it manually on the machine by invoking .NET stuff. This is an interesting strategy. It does all of this via Powershell (LOLBIN nonsense).
5. The .cs file it compiles is a .NET binary with NTDLL exports. The main HWMonitor binary performs process injection using this compiled .NET binary. This is an interesting strategy.
6. Almost everything it does is performed in-memory. I would have to go through this and manually bonk all of this stuff with a stick to determine precisely how it operates. However, I don't think that is necessary because at this point we know this is malware and we know it's trying to steal browser credentials.
+2 points for IElevation COM Interface credential dumping
+1 point for inline Powershell CLI DLL compilation
+1 point for .NET assembly NTDLL export proxying
-1 point for botched anti-emulation
+2 points for website compromise and supply chain attack
+1 point for memory persistence
-3 points for recycling the same C2 from March, 2026 campaign
Overall I give this malware a B-. This is pretty good malware.
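A defender-side detection pass over the behaviours listed in this thread (a fake CRYPTBASE.dll loaded from the application directory, DNS to the supp0v3 domain, PowerShell compiling a dropped .cs file), written here as an added example and not the analyst's own code. The Sysmon-style events, the paths and the HWMonitor_x64.exe file name are constructed for the example.

```python
import json
import ntpath
import re

# Constructed Sysmon-style events as JSON lines (EventID 7 = image load,
# 22 = DNS query, 1 = process create). The HWMonitor_x64.exe file name and
# every path here are made up for the example, not captured telemetry.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Program Files\\CPUID\\HWMonitor\\HWMonitor_x64.exe", "ImageLoaded": "C:\\Program Files\\CPUID\\HWMonitor\\CRYPTBASE.dll"}
{"EventID": 7, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\cryptbase.dll"}
{"EventID": 22, "Image": "C:\\Program Files\\CPUID\\HWMonitor\\HWMonitor_x64.exe", "QueryName": "cdn.supp0v3.com"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -nop -w hidden Add-Type -Path C:\\Users\\u\\AppData\\Local\\Temp\\stage2.cs"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell Get-Process"}
"""

# Directories where the genuine CRYPTBASE.dll lives; a copy anywhere else is suspect.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# C2 domain named in the thread above (written defanged there as supp0v3-dot-com).
KNOWN_C2_DOMAIN = "supp0v3.com"


def check_event(ev):
    """Return the findings for one event; an empty list means nothing matched."""
    findings = []
    eid = ev.get("EventID")
    if eid == 7:
        loaded = ev["ImageLoaded"].lower()
        # Masquerade / side-load: a CRYPTBASE.dll outside the system directories.
        if ntpath.basename(loaded) == "cryptbase.dll" and not loaded.startswith(SYSTEM_DIRS):
            findings.append(f"dll_masquerade: {ev['ImageLoaded']} loaded by {ev['Image']}")
    elif eid == 22:
        q = ev["QueryName"].lower()
        if q == KNOWN_C2_DOMAIN or q.endswith("." + KNOWN_C2_DOMAIN):
            findings.append(f"known_c2_dns: {ev['QueryName']} from {ev['Image']}")
    elif eid == 1 and ev["Image"].lower().endswith("powershell.exe"):
        cl = ev["CommandLine"].lower()
        # On-host compilation of a dropped .cs source via Add-Type or csc.exe.
        if ("add-type" in cl or "csc.exe" in cl) and re.search(r"\.cs\b", cl):
            findings.append(f"inline_cs_compile: {ev['CommandLine']}")
    return findings


def scan(jsonl):
    """Parse JSON lines and collect findings in event order."""
    events = [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]
    return [f for ev in events for f in check_event(ev)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The three rules fire independently, so a host that only shows the side-loaded DLL (before any C2 contact) is still flagged.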
CPU-Z and HWMonitor nerd (@d0cTB) put out a statement.
Compromise was present for approx. 6 hours. This is an extremely short period of time.
Also, extremely fast response by the nerds at cpuid.
Minecraft mod voidrealms-1.8.9.jar downloads an Electron-based stealer, 0/65 on VT
Offending class file: YourMod.class
Download URL: hxxps://stellar-conquest[.]fr/setup.exe
virustotal.com/gui/file/7d68f…
@struppigel Interesting finding!
I first discovered this via a Discord Server. The first campaign downloaded NovaShadow Stealer and now switched to GalaxyStealer. Exact same pattern (above the one I found some days ago)
🔥 New APT28 domain used for CVE-2026-21509 campaign
Based on @anyrun_app sandbox submissions and intelligence lookup, I just found another new domain associated with APT28 used for the CVE-2026-21509 attack campaign. The domain 48d83469-d0c6-4ade-8f82-e383fff094b8[.]webhook[.]site's Let's Encrypt certificate was just created yesterday, on 7 Feb, and it is hosted on a Hetzner Cloud Server residing in Germany. I am sharing the SHA256 of the Word RTF document so that defenders can block or monitor this hash in their environment. 🫡
APT28 New Domain:
48d83469-d0c6-4ade-8f82-e383fff094b8[.]webhook[.]site
Word RTF SHA256:
506e7512c897514e9d312a1532d2e2949ec8ebd73f6ca52740fb5e3306f08843
#Cybersecurity #Threathunting #APT28
Notepad++ compromised (long pedantic version so nerds shut up)
- Notepad++ update infrastructure was compromised
- Notepad++ suspects it is the Chinese government
- No evidence provided currently demonstrating why they suspect it was the Chinese government
- Only "select targets" were delivered malicious Notepad++ from update infrastructure
- No information is provided who "select targets" were
- No information provided why they believe it was selective
- No information on what was delivered to "selective targets"
- Compromise timeline blurry
- "Incident began" JUNE, 2025
- Hosting infrastructure says "September 2, 2025"
- Attackers maintained access until "December 2nd, 2025"
- Notepad++ states they believe compromise was JUNE THROUGH DECEMBER, conflicting with hosting provider
- No analysis released yet on "exact technical mechanism"
- No IoCs (Indicators of Compromise) released
Honored to be a top contributor and a part of the Threat Intelligence Community.
Glad to see @abuse_ch and @spamhaus recognizing the work done by volunteers :D
@akinkunmi Hey,
Are you interested in preventing abuse of your service in the future? :D I work closely with a platform to detect and stop free tunnel / DNS providers being abused by malware.
Take a look: abuse.uncoverit.org
Let me know if you are interested in joining
It is time for our first giveaway.
We're giving away a Librem 14 from Purism. It's a fancy expensive laptop, roughly $1,400.
Requirements:
- Follow @ddd1ms on Xitter
- Comment below
Librem is a pro-privacy laptop that unironically comes with fuckin' kill switches for mic, bluetooth, camera. It has the Intel Management Engine disabled. It runs PureOS, with app sandboxing, adblocking, tracking protection, etc.
This laptop is basically a privacy nerd laptop. It also comes with a bunch of NSA stickers, HOPE (Hackers on Planet Earth) stickers, FBI Most Wanted stickers, etc.
I forgot to ask for the specs on the laptop, but I'll get that stuff later on. Attached image is the laptop he'll mail to your home.