Malicious Campaign Targets Windows Portal to Distribute CPU-Z Malware

Malicious Campaign Targets Windows Portal to Distribute CPU-Z Malware

A new malvertising campaign has been revealed in a recent research by cybersecurity company Malwarebytes, in which threat actors are using a smart strategy to spread dangerous software.

The attackers used articles from a legitimate Windows tutorial website,, to trick users into downloading a malicious installer for the popular processor tool, CPU-Z.

Malvertising operations typically imitate the appearance of software vendor pages in order to dupe victims. In this case, however, the threat actor went above and above by impersonating the entire Windows Report website, which is regularly visited by geeks and system administrators looking for computer reviews, recommendations, and software applications.

The Windows Report itself was never compromised, according to Malwarebytes, and the incident is part of a larger malvertising effort targeting other utilities such as Notepad++, Citrix, and VNC Viewer. The cybersecurity firm swiftly notified Google about the campaign, giving crucial information for takedown.

CPU-Z, a popular Windows application for debugging processor and system details, is advertised in the malicious ad.

Threat actors use cloaking strategies to avoid discovery. When people click on the malicious ad without being the targeted victim, they are directed to a typical blog with unrelated content, which is a frequent approach used to deflect suspicion.

Actual victims are sent to a URL, workspace-app[.]online, which mimics the content of, after clicking the ad. Victims who expect to officially download CPU-Z may be misled because the URL in the address bar does not match the actual one.

Credits: MalwarebytesLabs

The malicious payload is a digitally signed MSIX installer that includes a misleading PowerShell script and the FakeBat loader. The script exposes the malware’s command and control server as well as the remote payload known as the Redline stealer.

Malwarebytes has responded by blocking the malicious URLs for all of its clients. ThreatDown, powered by Malwarebytes, has also identified the final infostealer payload, as well as coverage for its command and control servers.

It is speculated that the creation of a decoy site impersonating Windows Report is intended to capitalize on the prevalent practice of getting software applications from such portals rather than official web pages.

Furthermore, using a signed MSI installer increases the authenticity of the infection, making it more difficult to detect by operating systems and antivirus software.