Trojanized CPUID HWMonitor Installer Delivers Fileless .NET Payload via Obfuscated IPv6 Scriptlet
ID: fc1ff62c-0a8e-565f-a7eb-02c3ce35509f
STIX ID: report--fc1ff62c-0a8e-565f-a7eb-02c3ce35509f
Feed Name: LevelBlue SpiderLabs Blog
This report analyzes a trojanized CPUID HWMonitor installer used to deliver a multi-stage, fileless malware chain. The chain abuses trusted Windows utilities (PowerShell, MSBuild, regsvr32) and .sct scriptlets to reconstruct a .NET payload from obfuscated IPv6-style strings, deserialize it, and execute it in memory. The report provides technical details, defensive recommendations, and IOCs, including file hashes and a C2 URL.