Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Different threat actors. Different targets. Different payloads. Same fundamental trick.
CPUID’s official website quietly served a malicious installer for about six hours on April 9-10. Anyone who downloaded CPU-Z or HWMonitor during that window got STX RAT instead, delivered via a Russian-language Inno Setup wrapper. Roughly 150 victims. Retail, manufacturing, telecom. The same C2 infrastructure ran a nearly identical campaign against FileZilla users in March.
Meanwhile, a fake WakaTime extension has been spreading through Open VSX since December 2025 as part of the ongoing GlassWorm campaign. Install it and a Zig-compiled native binary drops outside the JavaScript sandbox, hunts down every IDE on your machine, installs a second malicious extension into each one, and phones home via the Solana blockchain, which makes domain seizures pointless.
Neither attack needed a vulnerability. Neither used phishing. Both worked because the attacker controlled the delivery channel and let normal user behavior do the rest.
Zig shows up in both payloads. It’s becoming the compiler of choice for attackers who need stealth, because detection signatures and heuristics were built around C and C++ toolchain artifacts, not Zig-compiled binaries.
If you downloaded from CPUID’s site Thursday or Friday: check for CRYPTBASE.dll in unexpected locations. If you installed specstudio.code-wakatime-activity-tracker at any point: assume full compromise and rotate every secret you can think of.