u/ChemicalMemory

PSA - New Corsair AI Workstation 300 Arrived Infected!!
▲ 23 r/Corsair+2 crossposts

PSA - New Corsair AI Workstation 300 Arrived Infected!!

PSA - Corsair AI Workstation 300 (Revival/Refurbished Series) came with active malware (Virus:Win64/Expiro.DD!MTB) straight out of the box

Posting this as a warning for anyone looking at Corsair’s Revival line, specifically the AI Workstation 300.

I bought a Corsair AI Workstation 300, Revival Series, for $2,719.99 (sad to say but a great price in the current environment) Specs are Ryzen AI Max+ 395, 128GB RAM, and dual 2TB SSDs. It also comes with a 90-day warranty instead of standard coverage, which is worth knowing going in.

Full disclosure, I work in cybersecurity and offensive cyberspace operations professionally. That said, my home setup was not exactly a model of best practices. My home network was flat, with no VLANs and no real segmentation. That part is on me. I am not pretending I had a perfect lab environment here.

The unit arrived with the stock Windows 11 install. The first odd thing I noticed was that it would not complete the Windows 11 setup over Wi-Fi during the Out-of-Box Experience. It kept failing. I eventually got impatient and plugged it directly into my router with ethernet so I could finish setup.

Once I got to the desktop for the first time, before I installed any third-party software, Windows Security started throwing active detections. A lot of them. They were all flagged as Severe and Active, and they were all the same threat:

Virus/Expiro.DD!MTB

Defender was not just cleaning them up and moving on. It kept showing action needed, and the remediation loop did not appear to be resolving the issue.

Around the same general time, I got a Microsoft account sign-in notification from an unfamiliar device showing a location in Harare, Zimbabwe. I cannot prove from my side exactly how that happened, but the timing was close enough that I treated it as related until proven otherwise.

I immediately moved to a separate machine, started account recovery, regained access, changed credentials, and killed active sessions. After that, I started treating anything that had been on the same flat network as potentially exposed.

I also had trouble accessing my router admin panel during the same window. I am not going to claim with certainty that the router was compromised, because I do not have enough evidence to prove that. But given everything else going on, I treated it as unsafe, pulled it offline, reset it, flashed clean firmware, changed admin credentials, changed the SSID, and hardened the wireless settings.

The part I am still most concerned about is the NAS. I had a NAS on the same LAN with years of data on it. I physically disconnected it and started reviewing logs and scanning it from a clean system. The logs showed an authenticated session from the Corsair’s MAC address during the same general window. I do not know yet whether anything malicious was written to the NAS, but that was enough for me to take it seriously.

For anyone unfamiliar with Expiro, it is a file-infecting virus family that targets Windows executables. Rather than just dropping one obvious malicious file, it can infect legitimate .exe files. That makes cleanup more annoying because you may not be dealing with a single file to delete. You may be dealing with a system where many executables have been touched.

That also means mapped drives and shared folders matter. If infected executables were written to a shared location, the next system may not be infected immediately. The risk is that someone later runs one of those infected files.

My working theory, and I want to be clear that it is only a theory, is that this may be related to the refurbished Revival process. This could be a bad image, a failed drive wipe, or some other issue in the refurb pipeline. I am not claiming this affects new Corsair systems, and I am not claiming I can prove exactly where the infection came from yet. What I can say is that this machine started throwing severe Defender detections immediately after first boot, before I had installed anything myself.

Current status:

The Corsair is physically disconnected and isolated. I am doing a full secure erase of the SSDs, deleting all partitions, and reinstalling Windows from trusted installation media before it touches a network again.

The NAS is disconnected from the network while I scan the contents from a clean device and look specifically for infected executables or anything written during that access window.

I am rotating credentials that may have been exposed and moving more accounts toward hardware security keys where possible.

I opened an official support case with Corsair that includes the SKU and screenshots of the Defender detections. I have not received a resolution yet.

I am posting this before Corsair finishes responding because people buying refurbished systems should be careful about plugging them directly into a flat home network. At minimum, I would recommend isolating Revival/refurbished systems during first boot, wiping and reinstalling from trusted media, and not trusting the factory image until you verify it yourself.

Screenshots of the initial Defender logs that I first saw flying down the screen attached, for no real reason but help recreate the feeling of panic I felt when I first saw them, hahaahahaha.

Has anyone else bought from the Corsair Revival line recently and seen anything like this?

https://preview.redd.it/8xikn3awn0bh1.jpg?width=3024&format=pjpg&auto=webp&s=8672c9271ed83e9c2fd6d809c1f88383fea77e72

reddit.com
u/ChemicalMemory — 3 days ago