Airlock Blog

CPUID website supply chain attack via DLL side-loading

Written by The Airlock Digital Team | 13 April 2026

CPUID supply chain attack - DLL side load attack

The recent CPU-Z incident is an interesting example of a supply chain attack that used a well-known but often overlooked technique: DLL sideloading. In the video below, Daniel Schell, Airlock Digital Chief Research Officer, walks through the CPU-Z DLL sideloading attack, why it was effective in this case, and how Airlock Digital prevents this technique with a Deny by Default allowlisting approach.

What is DLL Sideloading?

What makes this case notable is that the attackers did not need to replace or trojanise the main application itself. Instead, they used a legitimate CPU-Z binary and relied on DLL sideloading through Windows DLL search order behaviour to get malicious code loaded alongside it.

When a program loads a DLL by name rather than by full path, Windows resolves it by walking a search order, and the directory the application was launched from is checked before the system directory. By placing a malicious DLL next to a trusted executable and giving it the exact name the executable asks for, an attacker can make the legitimate application load and run malicious code as part of its normal startup process. The main exception is the set of DLLs protected by the KnownDLLs list, which are always mapped from System32 regardless of what sits in the application directory; a DLL outside that list, such as the one named in the IOCs below, is fair game.

So while this sits within the broader category of supply chain attacks, the compromise was not really about modifying the trusted application binary. It was about abusing how a legitimate executable loads DLLs at runtime. That makes it a useful reminder that trusted software can still become a vehicle for execution when attackers can control what sits beside it.

There is nothing especially new about the technique itself, but it remains effective precisely because the load is invisible to end users: the trusted executable starts and behaves as expected, and nothing visible suggests a foreign DLL was pulled into the process unless someone specifically looks for it.

How Does Airlock Digital Prevent This?

Airlock Digital prevents this type of attack by controlling not just the primary executable, but the additional code it attempts to load. Even where a legitimate signed application is allowed to run, an unsigned or untrusted DLL used in the sideload chain can still be blocked, breaking the attack before the payload executes. 
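The search order behaviour described above, and the "is this DLL trusted?" question this section turns on, can be checked by hand on any endpoint. The script below is an added example for this post, not Airlock Digital's product code and not anything from CPUID: it audits the DLLs sitting next to a given executable and flags the three things a sideload hunt cares about, a DLL that shadows a System32 name outside KnownDLLs, a DLL that is unsigned or signed by a different publisher than the main binary, and a DLL whose SHA256 matches a published IOC (the CRYPTBASE.DLL hash from this post is the single entry in the list). The default executable path is an assumption; point it at the real install location.

```powershell
# Added example (not Airlock Digital's or CPUID's code): audit an application
# directory for DLL side-loading candidates. The ExePath default is a guess.

param(
    # Trusted executable whose directory should be audited (assumed path).
    [string]$ExePath = 'C:\Program Files\CPUID\CPU-Z\cpuz.exe',

    # Hashes to flag. The single entry is the CRYPTBASE.DLL IOC from the post.
    [string[]]$KnownBadSha256 = @(
        '49685018878b9a65ced16730a1842281175476ee5c475f608cadf1cdcc2d9524'
    )
)

$appDir = Split-Path -Parent $ExePath
$sysDir = Join-Path $env:SystemRoot 'System32'

# DLLs listed under KnownDLLs are always mapped from System32, so a same-named
# copy in the application directory cannot hijack them.
$knownDllKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
$knownDlls = (Get-ItemProperty -Path $knownDllKey).PSObject.Properties |
    Where-Object { $_.Value -is [string] -and $_.Value -like '*.dll' } |
    ForEach-Object { $_.Value.ToLowerInvariant() }

# Publisher of the main binary; DLLs from anyone else get a second look.
# If the executable itself is unsigned this is $null and every signed DLL
# will be reported as a signer mismatch, which is the right default.
$exeSigner = (Get-AuthenticodeSignature -FilePath $ExePath).SignerCertificate.Subject

Get-ChildItem -Path $appDir -Filter '*.dll' -File | ForEach-Object {
    $dll  = $_
    $name = $dll.Name.ToLowerInvariant()
    $sig  = Get-AuthenticodeSignature -FilePath $dll.FullName
    $hash = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash.ToLowerInvariant()

    $findings = @()

    # 1. Same name as a system DLL: the app-local copy wins in the search
    #    order unless the name is protected by KnownDLLs.
    $shadowsSystem = Test-Path (Join-Path $sysDir $dll.Name)
    if ($shadowsSystem -and ($knownDlls -notcontains $name)) {
        $findings += 'shadows a System32 DLL that is not in KnownDLLs'
    }

    # 2. Signature: unsigned, or signed by a different publisher than the
    #    main binary, is exactly what a Deny by Default allowlist blocks.
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status: $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -ne $exeSigner) {
        $findings += 'signer differs from the main executable'
    }

    # 3. Known-bad hash from the published IOCs.
    if ($KnownBadSha256 -contains $hash) {
        $findings += 'SHA256 matches a published IOC'
    }

    [pscustomobject]@{
        Dll      = $dll.Name
        Sha256   = $hash
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        Findings = ($findings -join '; ')
    }
} | Where-Object { $_.Findings } | Format-Table -AutoSize
```

Run it from an elevated prompt so the KnownDLLs key and Program Files are readable. A signer mismatch is a triage signal rather than proof: vendors legitimately ship third-party signed DLLs, and the point of an allowlisting control is that the decision is made per file, not per application directory. Any DLL that shadows a system name while being unsigned is the combination worth escalating.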

 

For Windows developers, Microsoft provides guidance on reducing the risk of DLL sideloading and search order hijacking in its documentation on Dynamic-Link Library Security.

IOCs:

CRYPTBASE.DLL, SHA256: 49685018878b9a65ced16730a1842281175476ee5c475f608cadf1cdcc2d9524