Date: 05/14/2026
Severity: High
Summary
This campaign involves a trojanized version of the legitimate HWMonitor application used to deliver the STX RAT malware. The attackers leveraged DLL sideloading to execute malicious payloads through trusted binaries, helping evade detection. The infection chain included multi-stage payload delivery, persistence mechanisms, and process injection techniques for stealthy execution. The malware also established command-and-control communication over encrypted channels to maintain remote access. The campaign highlights how threat actors abuse legitimate software and trusted Windows components to bypass traditional security controls.
Indicators of Compromise (IOC) List
Domain / URL:
  https://welcome.supp0v3.com/d/callback
  http://pub-fd67c956bf8548b7b2cc23bb3774ff0c.r2.dev/hwmonitor_1.63.zip
MD5 Hash:
  f19f331562052baea0114d5186bbffd4
  ab122aa36bfebf4f249c4eb617e4a6cb
  D3C186869F443B6C1BE127A59B0B5A89
  ADAB6C337E403AF0040D77A56DAF3BA0
  9BF17E6525A295FB6E5EB562DEB927AE
  C781B1B559A585BB764B10176D64486C
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
  domainname like "https://welcome.supp0v3.com/d/callback" or url like "https://welcome.supp0v3.com/d/callback" or siteurl like "https://welcome.supp0v3.com/d/callback" or domainname like "http://pub-fd67c956bf8548b7b2cc23bb3774ff0c.r2.dev/hwmonitor_1.63.zip" or url like "http://pub-fd67c956bf8548b7b2cc23bb3774ff0c.r2.dev/hwmonitor_1.63.zip" or siteurl like "http://pub-fd67c956bf8548b7b2cc23bb3774ff0c.r2.dev/hwmonitor_1.63.zip"
Detection Query 3:
  md5hash IN ("f19f331562052baea0114d5186bbffd4","ADAB6C337E403AF0040D77A56DAF3BA0","C781B1B559A585BB764B10176D64486C","ab122aa36bfebf4f249c4eb617e4a6cb","D3C186869F443B6C1BE127A59B0B5A89","9BF17E6525A295FB6E5EB562DEB927AE")
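The queries above match the IOCs exactly as written. As an added example (not Gurucul's code or query language), the Python below applies the same IOCs to constructed sample telemetry, matching on the hostname rather than the full URL and lower-casing hashes so the mixed-case entries in the list still hit; the `url` and `md5` field names are assumed.

```python
"""Match this advisory's IOCs against sample telemetry (added example, not Gurucul's code)."""
from urllib.parse import urlparse

# IOCs copied from the advisory above.
IOC_URLS = [
    "https://welcome.supp0v3.com/d/callback",
    "http://pub-fd67c956bf8548b7b2cc23bb3774ff0c.r2.dev/hwmonitor_1.63.zip",
]
IOC_MD5 = [
    "f19f331562052baea0114d5186bbffd4",
    "ab122aa36bfebf4f249c4eb617e4a6cb",
    "D3C186869F443B6C1BE127A59B0B5A89",
    "ADAB6C337E403AF0040D77A56DAF3BA0",
    "9BF17E6525A295FB6E5EB562DEB927AE",
    "C781B1B559A585BB764B10176D64486C",
]

# Normalise once: hashes to lowercase (the list mixes cases) and URLs to their
# host, so a request to any path on a listed host is still caught.
IOC_HASHES = {h.lower() for h in IOC_MD5}
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS}


def match_event(event):
    """Return a list of (ioc_type, value) hits for one telemetry record.
    `event` is a dict; the 'url' and 'md5' keys are assumed field names."""
    hits = []
    url = event.get("url")
    if url:
        host = urlparse(url).hostname  # already lower-cased by urlparse
        if host and host in IOC_HOSTS:
            hits.append(("host", host))
    md5 = event.get("md5")
    if md5 and md5.lower() in IOC_HASHES:
        hits.append(("md5", md5.lower()))
    return hits


def scan(events):
    """Return {event index: hits} for every event with at least one IOC hit."""
    return {i: h for i, e in enumerate(events) if (h := match_event(e))}


# Constructed sample telemetry; not taken from the advisory.
SAMPLE_EVENTS = [
    {"url": "https://welcome.supp0v3.com/d/other", "md5": None},
    {"url": "https://example.com/", "md5": "adab6c337e403af0040d77a56daf3ba0"},
    {"url": "https://example.com/", "md5": "00000000000000000000000000000000"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```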
Reference:
https://gurucul.com/blog/hwmonitor-trojanized-to-deliver-multi-stage-stx-rat-via-dll-sideloading/