Summary of "Stop Updating Your Software (No, Seriously)"
Key technical takeaways
Between April 3–10, attackers served trojanized installers for CPU-Z and HWMonitor by replacing official download links with a Cloudflare R2 bucket containing malicious .exe files. The campaign used DLL sideloading and in-memory .NET execution, reused infrastructure from prior campaigns, and employed operational measures to hinder attribution and takedown.
Incident
- Trojanized installers for popular PC hardware tools (CPU-Z and HWMonitor) were distributed via compromised download links between April 3–10.
- Attackers replaced official download URLs with links to a Cloudflare R2 bucket hosting malicious .exe files.
Attack techniques
- DLL sideloading
  - The malicious installers shipped a DLL with the same name the legitimate binary expected, causing the DLL to be loaded and executed with the binary’s privileges.
- In-memory .NET execution
  - The payload used .NET/assembly loading to run in memory, then connected to remote command-and-control (C2).
- High-port C2 communications
  - Malware communicated with C2 on non-standard/high ports (example: port 31415) to evade simple detection.
- Supply-chain website compromise
  - Investigators suspect abuse of the webserver (Apache + mod_rewrite) or accessible config files (YAML/JSON) to change download links to attacker-controlled storage.
- Infrastructure operational security
  - Domains, registrars, hosting, and other infrastructure were distributed across regions (e.g., Hong Kong registrar, Caribbean hosting) and included language mismatches (Russian-language installer dialogs) to complicate attribution and takedown.
Observed indicators and reuse
- Reuse of tooling/infrastructure
  - The same C2 infrastructure and sideloading technique were linked to a prior trojanized FileZilla campaign.
- Telltale signs of fake installers
  - Wrong filename, unexpected language in installer dialogs (e.g., Russian dialogs for a French vendor), and other unexpected behavior.
Detection and mitigation guidance
- Verify installer provenance
  - Check filenames, display language, and digital signatures, and confirm downloads originate from expected vendor domains.
- Monitor network traffic
  - Watch for unusual outbound connections, especially to strange IPs or high ports. Use passive DNS and network telemetry to detect reused malicious infrastructure.
- Harden web infrastructure
  - Patch and upgrade HTTP servers and components (e.g., Apache, mod_rewrite, CMS).
  - Restrict file permissions so the webserver process cannot modify download configs or URL mappings.
- Deploy IDS/endpoint rules
  - Apply investigators’ Snort and YARA rules and the published IOCs to detect infections.
- Credential exposure monitoring
  - Use threat-intel and credential-monitoring services to detect stolen credentials appearing in stealer logs.
- Prefer trusted hosting and TLS
  - Be skeptical of installers hosted on temporary or unusual storage (e.g., ephemeral buckets). Prefer TLS and legitimate vendor domains for downloads.
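As an added example that is not part of the original summary or the BreakGlass report, the following Python script applies two of the checks above to constructed log lines: it flags installer downloads whose host falls outside an assumed vendor-domain allowlist, and outbound TCP connections to unexpected high ports (the port 31415 example). The log format, the domain allowlist and the port baseline are assumptions.

```python
# Added example (not code from the video or the BreakGlass report). Flags two
# indicators the summary describes: installer downloads from non-vendor hosts and
# outbound TCP to unusual high ports such as 31415. Log format, vendor domain
# list and port baseline are assumptions.
from urllib.parse import urlparse

VENDOR_DOMAINS = {"cpuid.com"}  # assumption: expected origin of CPU-Z / HWMonitor
EXPECTED_PORTS = {80, 443, 53, 8080, 8443}  # assumed baseline of normal outbound ports
INSTALLER_EXT = (".exe", ".msi", ".zip")

# Constructed sample log lines in an assumed "kind key=value ..." format.
SAMPLE_LOGS = """\
download host=ws-17 url=https://download.cpuid.com/cpu-z/cpu-z_2.09-en.exe
download host=ws-22 url=https://pub-example.r2.dev/cpu-z_2.09.exe
conn host=ws-22 dst=203.0.113.45 dport=31415 proto=tcp
conn host=ws-17 dst=198.51.100.9 dport=443 proto=tcp
conn host=ws-22 dst=203.0.113.45 dport=8080 proto=tcp
"""

def host_in_domains(host, domains):
    """True if host equals or is a subdomain of an allowed domain (no substring match)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def flag_download(fields):
    """Alert when an installer is served from a host outside the vendor allowlist."""
    url = urlparse(fields["url"])
    if not url.path.lower().endswith(INSTALLER_EXT):
        return None
    if host_in_domains(url.hostname or "", VENDOR_DOMAINS):
        return None
    return f"{fields['host']}: installer from unexpected host {url.hostname}"

def flag_conn(fields):
    """Alert on outbound TCP to a high port that is not in the expected baseline."""
    port = int(fields["dport"])
    if fields.get("proto") != "tcp" or port < 1024 or port in EXPECTED_PORTS:
        return None
    return f"{fields['host']}: outbound tcp to {fields['dst']}:{port}"

def scan(log_text):
    """Run both checks over the log text and return the alert strings in order."""
    checks = {"download": flag_download, "conn": flag_conn}
    alerts = []
    for line in log_text.splitlines():
        kind, _, rest = line.partition(" ")
        if kind in checks:
            fields = dict(kv.split("=", 1) for kv in rest.split())
            alerts.append(checks[kind](fields))
    return [a for a in alerts if a]
```

Running `scan(SAMPLE_LOGS)` on the constructed lines yields two alerts for host ws-22 (the bucket-hosted installer and the connection to port 31415) and none for the vendor-domain download or the 443/8080 connections.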
Actionable artifacts available
- BreakGlass incident report with IOCs and analysis (referenced in the video).
- Snort and YARA signatures plus IOCs for the malicious samples (suitable for IDS and endpoint scanning deployment).
Reviews, guides, and tutorials mentioned
- A prior channel video dissecting a similar campaign that used obfuscation and sideloading techniques (recommended for further viewing).
- Practical in-video guidance on spotting compromised installers:
  - Check filename and language
  - Observe installer behavior for anomalies
  - Apply IDS/YARA rules and validate download sources
  - Monitor outbound traffic
Main speakers and sources cited
- Video host / channel (presenter; unnamed in subtitles)
- BreakGlass Intelligence (incident report and analysis)
- CPUID (vendor of CPU-Z and HWMonitor)
- HardwareInfo (referenced tool)
- FileZilla (previously compromised project)
- Cloudflare R2 (used by attackers to host malicious installers)
- Flare (threat-intel sponsor offering stealer-log / credential monitoring)
- Detection tooling: Snort, YARA, IDS/IPS, passive DNS
Example indicators (non-exhaustive)
- High-port C2 example: TCP connections to port 31415
- Language mismatches in installers (e.g., Russian dialogs for non-Russian vendors)
- Downloads served from unexpected domains or storage buckets (Cloudflare R2 or other temporary buckets)
For detailed IOCs, Snort/YARA rules, and the full incident report, consult the BreakGlass/incident report and the artifacts linked in the referenced video.