CPU-Z / HWMonitor: Watering Hole Attack - Copy-Paste Method

    Date: 04/14/2026

    Severity: High

    Summary

    A watering hole attack compromised the official CPUID website, replacing legitimate download links for popular tools such as CPU-Z and HWMonitor with malicious versions. The trojanized installers bundled legitimate signed executables with a malicious DLL (CRYPTBASE.dll) that used DLL sideloading to establish command-and-control (C2) communication and execute payloads once anti-sandbox checks had passed. The attackers reused infrastructure and configurations from a previous campaign, a "copy-paste" approach that lets them rapidly deploy similar supply-chain-style attacks against trusted software sources.

    Indicators of Compromise (IOC) List

    Domains/URLs

    https://welcome.supp0v3.com

    https://cahayailmukreatif.web.id/sw-content/template/hwmonitor/hwinfo_monitor_setup.exe

    https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/perfmonitor/perfmonitor-2_2.04.zip

    https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/perfmonitor/PerfMonitor2_Setup.exe

    https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor-pro/hwmonitor-pro_1.57.zip

    https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor_1.63.zip

    https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor/hwinfo_monitor_setup.exe

    https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/cpu-z_2.19-en.zip

    https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor-pro/hwmonitorpro_1.57_setup.exe

    https://transitopalermo.com/config/hwmonitor/hwmonitor_1.63.zip

    https://transitopalermo.com/config/hwmonitor-pro/hwmonitorpro_1.57_setup.exe

    https://transitopalermo.com/config/hwmonitor/HWiNFO_Monitor_Setup.exe

    https://vatrobran.hr/en-GB/info/hwmonitor/hwmonitor_1.63.zip

    https://vatrobran.hr/en-GB/info/cpu-z/cpu-z_2.19-en.zip

    https://vatrobran.hr/en-gb/info/hwmonitor/hwinfo_monitor_setup.exe

    https://vatrobran.hr/en-GB/info/hwmonitor-pro/HWMonitorPro_1.57_Setup.exe

    Hashes (SHA-1)

    d0568eaa55f495fd756fa205997ae8d93588d2a2

    02a53d660332c25af623bbb7df57c2aad1b0b91b

    9253111b359c610b5f95ef33c2d1c06795ab01e9

    2f717a77780b8f6b2d853dc4df5ed2b90a3a349a

    7c615ce495ac5be1b64604a7c145347adbcd900c

    c417c3a4b094646d06a06103639a5c9faabc9ba4

    8351a43a0c0455e4b0793d841fe12625f072f9b4

    6a71656c289201f742787f48398056fcd2aa7274

    c65e515b9c9655c651c939b94574cf39b40a8be2

    3041a4e2bc5ccefbfd2222a9e23614fb79d6db63

    4e3195399a9135247e55781ad13226c6b0e86c0d

    4597f546a622ae55e0775cbcc416b3f1dfd096ce

    a06955d253711385eaa6f5af76fa9fa47bdeb1e9

    6b49823483889bc1ad152a1be52d1385c4e0affb

    4f3d8c47239bd1585488ce431d931457f101104c

    ba19e03ca03785e89010672d7e273ac343e4699a

    e2464454017cd02a8bc6744596c384cf91cdd67e

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "https://welcome.supp0v3.com" or url like "https://welcome.supp0v3.com" or siteurl like "https://welcome.supp0v3.com"
    or domainname like "https://vatrobran.hr/en-GB/info/hwmonitor/hwmonitor_1.63.zip" or url like "https://vatrobran.hr/en-GB/info/hwmonitor/hwmonitor_1.63.zip" or siteurl like "https://vatrobran.hr/en-GB/info/hwmonitor/hwmonitor_1.63.zip"
    or domainname like "https://transitopalermo.com/config/hwmonitor/HWiNFO_Monitor_Setup.exe" or url like "https://transitopalermo.com/config/hwmonitor/HWiNFO_Monitor_Setup.exe" or siteurl like "https://transitopalermo.com/config/hwmonitor/HWiNFO_Monitor_Setup.exe"
    or domainname like "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor-pro/hwmonitor-pro_1.57.zip" or url like "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor-pro/hwmonitor-pro_1.57.zip" or siteurl like "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor-pro/hwmonitor-pro_1.57.zip"
    or domainname like "https://cahayailmukreatif.web.id/sw-content/template/hwmonitor/hwinfo_monitor_setup.exe" or url like "https://cahayailmukreatif.web.id/sw-content/template/hwmonitor/hwinfo_monitor_setup.exe" or siteurl like "https://cahayailmukreatif.web.id/sw-content/template/hwmonitor/hwinfo_monitor_setup.exe"
    or domainname like "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/perfmonitor/PerfMonitor2_Setup.exe" or url like "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/perfmonitor/PerfMonitor2_Setup.exe" or siteurl like "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/perfmonitor/PerfMonitor2_Setup.exe"
    or domainname like "https://transitopalermo.com/config/hwmonitor/hwmonitor_1.63.zip" or url like "https://transitopalermo.com/config/hwmonitor/hwmonitor_1.63.zip" or siteurl like "https://transitopalermo.com/config/hwmonitor/hwmonitor_1.63.zip"
    or domainname like "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/cpu-z_2.19-en.zip" or url like "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/cpu-z_2.19-en.zip" or siteurl like "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/cpu-z_2.19-en.zip"
    or domainname like "https://vatrobran.hr/en-GB/info/cpu-z/cpu-z_2.19-en.zip" or url like "https://vatrobran.hr/en-GB/info/cpu-z/cpu-z_2.19-en.zip" or siteurl like "https://vatrobran.hr/en-GB/info/cpu-z/cpu-z_2.19-en.zip"
    or domainname like "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor_1.63.zip" or url like "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor_1.63.zip" or siteurl like "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor_1.63.zip"
    or domainname like "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor/hwinfo_monitor_setup.exe" or url like "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor/hwinfo_monitor_setup.exe" or siteurl like "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor/hwinfo_monitor_setup.exe"
    or domainname like "https://vatrobran.hr/en-GB/info/hwmonitor-pro/HWMonitorPro_1.57_Setup.exe" or url like "https://vatrobran.hr/en-GB/info/hwmonitor-pro/HWMonitorPro_1.57_Setup.exe" or siteurl like "https://vatrobran.hr/en-GB/info/hwmonitor-pro/HWMonitorPro_1.57_Setup.exe"
    or domainname like "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor-pro/hwmonitorpro_1.57_setup.exe" or url like "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor-pro/hwmonitorpro_1.57_setup.exe" or siteurl like "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor-pro/hwmonitorpro_1.57_setup.exe"
    or domainname like "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/perfmonitor/perfmonitor-2_2.04.zip" or url like "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/perfmonitor/perfmonitor-2_2.04.zip" or siteurl like "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/perfmonitor/perfmonitor-2_2.04.zip"
    or domainname like "https://vatrobran.hr/en-gb/info/hwmonitor/hwinfo_monitor_setup.exe" or url like "https://vatrobran.hr/en-gb/info/hwmonitor/hwinfo_monitor_setup.exe" or siteurl like "https://vatrobran.hr/en-gb/info/hwmonitor/hwinfo_monitor_setup.exe"
    or domainname like "https://transitopalermo.com/config/hwmonitor-pro/hwmonitorpro_1.57_setup.exe" or url like "https://transitopalermo.com/config/hwmonitor-pro/hwmonitorpro_1.57_setup.exe" or siteurl like "https://transitopalermo.com/config/hwmonitor-pro/hwmonitorpro_1.57_setup.exe"

    Detection Query 2 :

    sha1hash IN (
        "7c615ce495ac5be1b64604a7c145347adbcd900c",
        "c417c3a4b094646d06a06103639a5c9faabc9ba4",
        "4e3195399a9135247e55781ad13226c6b0e86c0d",
        "2f717a77780b8f6b2d853dc4df5ed2b90a3a349a",
        "6b49823483889bc1ad152a1be52d1385c4e0affb",
        "e2464454017cd02a8bc6744596c384cf91cdd67e",
        "c65e515b9c9655c651c939b94574cf39b40a8be2",
        "a06955d253711385eaa6f5af76fa9fa47bdeb1e9",
        "4f3d8c47239bd1585488ce431d931457f101104c",
        "ba19e03ca03785e89010672d7e273ac343e4699a",
        "4597f546a622ae55e0775cbcc416b3f1dfd096ce",
        "9253111b359c610b5f95ef33c2d1c06795ab01e9",
        "3041a4e2bc5ccefbfd2222a9e23614fb79d6db63",
        "6a71656c289201f742787f48398056fcd2aa7274",
        "8351a43a0c0455e4b0793d841fe12625f072f9b4",
        "02a53d660332c25af623bbb7df57c2aad1b0b91b",
        "d0568eaa55f495fd756fa205997ae8d93588d2a2"
    )
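    The two TDIR queries above translate directly into a stand-alone hunting script for teams without that platform. The following Python is an added example, not part of the Gurucul advisory and not a Gurucul tool: it loads the advisory's URL and SHA-1 lists, matches proxy log lines against the URLs, and matches a file-inventory export against the hashes. The proxy log layout ("timestamp client method url status"), the inventory paths and the function names are assumptions constructed for the example. Two design points differ from the query: URL comparison is case-insensitive, because the advisory itself lists the same files under mixed casing (en-GB vs en-gb, HWiNFO_Monitor_Setup.exe vs hwinfo_monitor_setup.exe); and only the bare C2 domain matches on host alone, since the other hosts are likely compromised legitimate sites and a host-level match there would be noisy.

```python
import hashlib
from urllib.parse import urlsplit

# IoC values copied from the advisory above (URLs and SHA-1 hashes).
IOC_URLS = [
    "https://welcome.supp0v3.com",
    "https://cahayailmukreatif.web.id/sw-content/template/hwmonitor/hwinfo_monitor_setup.exe",
    "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/perfmonitor/perfmonitor-2_2.04.zip",
    "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/perfmonitor/PerfMonitor2_Setup.exe",
    "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor-pro/hwmonitor-pro_1.57.zip",
    "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor_1.63.zip",
    "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor/hwinfo_monitor_setup.exe",
    "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/cpu-z_2.19-en.zip",
    "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor-pro/hwmonitorpro_1.57_setup.exe",
    "https://transitopalermo.com/config/hwmonitor/hwmonitor_1.63.zip",
    "https://transitopalermo.com/config/hwmonitor-pro/hwmonitorpro_1.57_setup.exe",
    "https://transitopalermo.com/config/hwmonitor/HWiNFO_Monitor_Setup.exe",
    "https://vatrobran.hr/en-GB/info/hwmonitor/hwmonitor_1.63.zip",
    "https://vatrobran.hr/en-GB/info/cpu-z/cpu-z_2.19-en.zip",
    "https://vatrobran.hr/en-gb/info/hwmonitor/hwinfo_monitor_setup.exe",
    "https://vatrobran.hr/en-GB/info/hwmonitor-pro/HWMonitorPro_1.57_Setup.exe",
]
IOC_SHA1 = {
    "d0568eaa55f495fd756fa205997ae8d93588d2a2", "02a53d660332c25af623bbb7df57c2aad1b0b91b",
    "9253111b359c610b5f95ef33c2d1c06795ab01e9", "2f717a77780b8f6b2d853dc4df5ed2b90a3a349a",
    "7c615ce495ac5be1b64604a7c145347adbcd900c", "c417c3a4b094646d06a06103639a5c9faabc9ba4",
    "8351a43a0c0455e4b0793d841fe12625f072f9b4", "6a71656c289201f742787f48398056fcd2aa7274",
    "c65e515b9c9655c651c939b94574cf39b40a8be2", "3041a4e2bc5ccefbfd2222a9e23614fb79d6db63",
    "4e3195399a9135247e55781ad13226c6b0e86c0d", "4597f546a622ae55e0775cbcc416b3f1dfd096ce",
    "a06955d253711385eaa6f5af76fa9fa47bdeb1e9", "6b49823483889bc1ad152a1be52d1385c4e0affb",
    "4f3d8c47239bd1585488ce431d931457f101104c", "ba19e03ca03785e89010672d7e273ac343e4699a",
    "e2464454017cd02a8bc6744596c384cf91cdd67e",
}


def normalize_url(url: str) -> str:
    """Reduce a URL to lower-cased host + path (no scheme, port, query, fragment).
    The advisory lists the same files under different casing, so one
    case-insensitive key avoids missing either form in the logs."""
    url = url.strip()
    if "://" not in url:
        url = "//" + url  # let urlsplit see a host when the log omits the scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/").lower()
    return host + path


IOC_URL_KEYS = {normalize_url(u) for u in IOC_URLS}
# An IoC given as a bare domain (here the C2 host) matches any path on that host.
IOC_HOST_ONLY = {k for k in IOC_URL_KEYS if "/" not in k}


def scan_proxy_log(lines):
    """Match proxy log lines of the constructed form '<ts> <client> <method> <url> <status>'
    against the IoC list. Returns a list of (ts, client, url, kind) hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line, skip rather than crash the sweep
        ts, client, _method, url = fields[:4]
        key = normalize_url(url)
        host = key.split("/", 1)[0]
        if key in IOC_URL_KEYS:
            hits.append((ts, client, url, "ioc-url"))
        elif host in IOC_HOST_ONLY:
            hits.append((ts, client, url, "ioc-domain"))
    return hits


def sha1_of_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-1 so large installers need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(inventory):
    """inventory: iterable of (path, sha1) pairs, e.g. an EDR file-inventory export.
    Hash case is normalized; returns the pairs whose SHA-1 is on the advisory's list."""
    return [(path, h) for path, h in inventory if h.strip().lower() in IOC_SHA1]


# Constructed sample data. Paths are made up; the matching inventory hash is simply
# the first SHA-1 from the advisory, not a claim about which file it belongs to.
SAMPLE_PROXY_LOG = [
    "2026-04-14T10:03:22Z 10.1.2.3 GET https://vatrobran.hr/en-gb/info/cpu-z/CPU-Z_2.19-en.zip 200",
    "2026-04-14T10:04:01Z 10.1.2.3 POST https://welcome.supp0v3.com/api/beacon 200",
    "2026-04-14T10:05:40Z 10.1.2.9 GET https://example.com/downloads/tool.zip 200",
]
SAMPLE_INVENTORY = [
    ("/srv/quarantine/downloaded_sample.bin", "D0568EAA55F495FD756FA205997AE8D93588D2A2"),
    ("/usr/local/bin/tool", "0000000000000000000000000000000000000000"),
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("URL hit:", hit)
    for path, digest in match_hashes(SAMPLE_INVENTORY):
        print("hash hit:", path, digest)
```

    Run against real data by replacing the constructed samples with proxy log lines and an inventory built from sha1_of_file over the download and temp directories of the hosts in question; a hit on the bare C2 domain after a hit on one of the download URLs is the sequence the summary describes (trojanized installer, then sideloaded DLL calling home).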

    Reference:

    https://securelist.ru/tr/cpu-z/115158/

    Tags

    Malware, Trojan, DLL, Supply chain attack
