Zig malware

Tank · April 10, 2026, 6:04pm

gist.github.com

https://gist.github.com/N3mes1s/b5b0b96782b9f832819d2db7c6684f84

ANALYSIS.md

# CPU-Z 2.19 Supply Chain Attack - Malware Analysis Report

**Date:** 2026-04-10
**Analyst:** nemesis
**Classification:** Trojan / Backdoor (Alien RAT variant)
**Severity:** CRITICAL
**Campaign ID:** `CityOfSin` (extracted from C2 callback UTM parameters)
**Scope:** CPUID official domain compromise affecting CPU-Z, HWMonitor, HWMonitor Pro, PerfMonitor 2, powerMAX + separately FileZilla
**Status:** Breach confirmed and fixed by CPUID; site was compromised ~6 hours on April 9-10, 2026
**CPUID Statement:** "A secondary feature (a side API) was compromised for approximately six hours [...] causing the main website to randomly display malicious links. Our signed original files were not compromised."

This file has been truncated. show original

mnemnion · April 10, 2026, 6:10pm

Uh.

Zig mentioned!

Sze · April 10, 2026, 6:55pm

Looks like a nothing burger to me.
Why would I care that Zig was used to create some malware?
That Zig was used seems to be almost completely tangential.

spiffyk · April 10, 2026, 6:58pm

I see this mostly as a fun fact that Zig is now popular enough to have been used in malware. I agree it’s nothing consequential in regard to Zig itself, though.

whitehexagon · April 10, 2026, 7:19pm

Depends if virus checkers start scanning for those standard embedded Zig strings and start false flagging Zig binaries as potential malware. But I guess the strings could be changed in that case.

Sze · April 10, 2026, 7:28pm

If they did that, it would be dumb non-sense methodology.

whitehexagon · April 10, 2026, 8:09pm

Agreed, seems I misread section 9, there is an and clause in there for the proxy names as well as the Zig strings.