Cyber Threat Brief — April 12 2026

1. CPUID Supply-Chain Attack Delivers STX RAT — CPU-Z / HWMonitor

TL;DR: Attackers compromised CPUID’s download API (April 9–10) and served trojanized CPU-Z 2.19 and HWMonitor installers containing a Zig-compiled CRYPTBASE.dll sideload that drops STX RAT with HVNC, credential theft, and DoH-based C2.

What’s New:

Compromise window: ~April 9 15:00 UTC to April 10 10:00 UTC; download URLs redirected to attacker-controlled Cloudflare R2 buckets
Technique: legitimate signed CPUID executables repackaged with malicious CRYPTBASE.dll (DLL sideloading via LoadLibrary search order)
Loader chain: Zig-compiled DLL → embedded shellcode → IPv6-encoded .NET deserialization → STX RAT core
Persistence via MSBuild inline task execution and script-based scheduled tasks
C2 uses DNS-over-HTTPS to resolve welcome.supp0v3.com; same infrastructure linked to March 2026 trojanized FileZilla campaign
150+ confirmed victims per Kaspersky telemetry; primarily individual users and sysadmins

Actionable Intel

Artifact	Type	ATT&CK	Log Source	Action
`CRYPTBASE.dll` outside `%SystemRoot%\System32`	File	T1574.001	EDR, Sysmon EID 7 (ImageLoaded)	Alert — legitimate `cryptbase.dll` loads only from System32
SHA-256 `52862b538459c8faaf89cf2b5d79c2f0030f79f80a68f93d65ec91f046f05be6`	Hash (STX RAT)	T1059.001	EDR, AV	Block
`welcome.supp0v3.com`	Domain (C2)	T1071.001	DNS logs, proxy, Zeek `dns.log`	Block and hunt — also check DoH traffic to `dns.google`, `cloudflare-dns.com` with this domain in queries
DNS-over-HTTPS POST requests to `dns.google/resolve` or `cloudflare-dns.com/dns-query` from non-browser processes	Network	T1071.004	Proxy, Zeek, EDR network telemetry	Hunt — legitimate DoH rare from `cpuz.exe` or `MSBuild.exe`
`MSBuild.exe` spawning from user temp or AppData paths	Process	T1127.001	Sysmon EID 1, EDR	Alert — MSBuild persistence for .NET inline task execution
Downloads from `*.r2.cloudflarestorage.com` by CPUID executables	URL	T1195.002	Proxy logs, browser history	Hunt — legitimate CPUID downloads use `download.cpuid.com`

Detection

Source	Rule	Gap
Splunk ESCU	`Detect CRYPTBASE DLL Sideloading` (generic sideload), `MSBuild Suspicious Process`	No rule specific to CRYPTBASE.dll outside System32 — write custom
Elastic	`DLL Side-Loading via a Renamed Legitimate Application`	Doesn’t key on `CRYPTBASE.dll` specifically; needs custom rule for non-System32 path
Sigma	`sysmon_dll_sideloading_cryptbase.yml` (community), `win_susp_msbuild.yml`	DoH-based C2 from non-browser processes lacks coverage

Sources: Kaspersky Securelist · The Hacker News · BleepingComputer · N3mes1s Analysis · Cyderes

2. Storm-1175 Chains Zero-Days for High-Velocity Medusa Ransomware — CVE-2026-23760

TL;DR: China-linked Storm-1175 exploited CVE-2026-23760 (SmarterMail auth bypass) and CVE-2025-10035 (GoAnywhere MFT) as zero-days, moving from initial access to Medusa ransomware deployment in under 24 hours. Healthcare, education, and professional services orgs in US/UK/AU are primary targets.

What’s New:

CVE-2026-23760: unauthenticated password reset of SmarterMail admin accounts via force-reset-password API — no token or prior auth required; affects versions prior to build 9511
Storm-1175 exploited both CVEs approximately one week before public disclosure
Post-compromise chain: web shell or RMM tool → admin account creation → RDP enabled via Windows Firewall modification → Defender exclusions set → lateral movement via PsExec/PowerShell/Impacket → data staged with Bandizip → exfil via Rclone to cloud storage → Medusa deployed via PDQ Deployer (RunFileCopy.cmd)
Microsoft reports sub-24-hour dwell time in multiple intrusions
Same actor linked to historical exploitation of Exchange, PaperCut, Ivanti, ConnectWise, TeamCity, SimpleHelp, CrushFTP, BeyondTrust

Actionable Intel

Artifact	Type	ATT&CK	Log Source	Action
`POST /api/force-reset-password` to SmarterMail from external IP	URI/HTTP	T1190	Web server access logs, WAF, reverse proxy	Block external access; alert on any unauthenticated call to this endpoint
`RunFileCopy.cmd` executed by PDQ Deployer service	File/Process	T1072	Sysmon EID 1, EDR, Windows Event Log	Alert — PDQ executing batch scripts for ransomware delivery
`Rclone.exe` or `rclone` process with `sync` or `copy` flags to external cloud storage	Process/CLI	T1567.002	EDR, Sysmon EID 1, command-line logging	Alert — data exfiltration tool
`Bandizip.exe` / `bz.exe` archiving sensitive directories	Process/CLI	T1560.001	Sysmon EID 1, EDR	Hunt — unusual archiving tool in enterprise environments
New Windows Firewall rule enabling inbound RDP (port 3389)	Config	T1562.004	Windows Security EID 4946, Sysmon EID 13	Alert — firewall rule modification enabling remote access
Defender exclusion paths added via `Set-MpPreference -ExclusionPath`	Config	T1562.001	Defender operational log EID 5007, PowerShell ScriptBlock	Alert — Defender tampering
Cloudflare tunnel binaries (`cloudflared.exe`) or new admin accounts post-exploitation	Process/Account	T1572, T1136.001	EDR, Windows Security EID 4720	Alert

Detection

Source	Rule	Gap
Splunk ESCU	`Rclone Process Execution`, `PsExec Lateral Movement`, `Windows Defender Exclusion Added`	No rule for PDQ Deployer abuse or SmarterMail auth bypass URI pattern
Elastic	`Rclone Execution`, `PsExec Network Connection`, `Windows Firewall Rule Modification`	No SmarterMail-specific rule; PDQ Deployer as deployment vector not covered
Sigma	`win_proc_creation_rclone.yml`, `win_defender_exclusion.yml`, `win_firewall_rule_add.yml`	No coverage for Bandizip staging or `force-reset-password` API abuse

Sources: Microsoft Security Blog · The Hacker News · Dark Reading · NVD CVE-2026-23760

Status Updates

CVE-2026-39987 (Marimo): Sysdig confirms 150+ exploitation attempts in first 48 hours; no public PoC yet but attack tooling is trivial (WebSocket client). Previous brief.
CyberAv3ngers PLC Campaign (AA26-097A): STIX/JSON IOC package now available from CISA; 5,219 Rockwell PLCs identified as internet-exposed per Shodan. Previous brief.