Cyberattack Compromises CPUID Website, Distributing STX RAT Through Popular Hardware Tools

Unknown threat actors successfully compromised CPUID (cpuid.com), a widely trusted website renowned for hosting essential hardware monitoring utilities such as CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor, for a period of less than 24 hours. This sophisticated attack involved the malicious replacement of legitimate software installers with trojanized versions, leading to the deployment of the potent STX Remote Access Trojan (RAT) on unsuspecting users’ systems. The incident, which highlights the escalating risks within software supply chains, underscores the critical need for vigilance among both software vendors and end-users.

The breach occurred between approximately April 9, 15:00 Coordinated Universal Time (UTC), and April 10, 10:00 UTC. During this critical window, the official download links for popular CPU-Z and HWMonitor installers on the CPUID website were surreptitiously replaced with redirects to malicious websites. Users attempting to download these tools inadvertently received compromised executables, facilitating the stealthy infiltration of their systems. This "watering hole" attack tactic leverages the trust users place in legitimate software distribution channels, making it particularly insidious and effective.

The Breach Unfolds: A Detailed Chronology

The timeline of the CPUID compromise, though brief, demonstrates a calculated and impactful operation by the threat actors. The incident began with the initial compromise of CPUID’s infrastructure, specifically targeting what the company later described as a "secondary feature" or "side API." This suggests that the attackers did not necessarily gain root access to the entire server or directly alter the core website files initially, but rather exploited a peripheral component that allowed them to manipulate content displayed to users.

• April 9, 15:00 UTC: Threat actors gain initial access to a "secondary feature (basically a side API)" on cpuid.com. This access allowed them to inject malicious links or redirect legitimate download requests.
• During the compromised window (April 9, 15:00 UTC – April 10, 10:00 UTC): The download Uniform Resource Locators (URLs) for widely used software like CPU-Z and HWMonitor were altered. Instead of linking to the authentic, digitally signed installers, users were directed to rogue websites hosting trojanized versions of the software. These malicious downloads were distributed both as standard ZIP archives and standalone executable installers, designed to appear indistinguishable from the genuine articles.
• April 10, 10:00 UTC: The compromise was detected and remediated by CPUID. The malicious links were removed, and the integrity of the download process was restored. The rapid response, while crucial, could not prevent infections that occurred during the nearly 19-hour window of vulnerability.
• Following Remediation: CPUID issued a public statement on X (formerly Twitter) confirming the breach. This swift communication aimed to inform users and provide reassurance, emphasizing that their "signed original files" were not impacted, indicating the core binaries themselves remained untampered, but the distribution mechanism was compromised.
• Subsequent Analysis: Cybersecurity firms like Kaspersky and eSentire conducted in-depth analyses, identifying the specific malware (STX RAT), its capabilities, and linking the threat actors to previous campaigns. Kaspersky, in particular, noted the rapid detection due to the threat actors’ reuse of infection chains and command-and-control (C2) infrastructure.

Technical Modus Operandi: How the Attack Worked

The method employed by the threat actors was a sophisticated form of supply chain attack, leveraging a technique known as DLL side-loading. When a user downloaded what they believed to be a legitimate CPUID tool, they were in fact downloading a package containing two main components:

1. A legitimate, digitally signed executable: This was the actual CPU-Z or HWMonitor program. Its inclusion served to lend credibility to the malicious package and ensure the software would function as expected, thus avoiding immediate suspicion from the user.
2. A malicious Dynamic Link Library (DLL): This critical component was specifically named CRYPTBASE.dll. The choice of this name is deliberate, as CRYPTBASE.dll is a legitimate Windows system DLL. By naming their malicious file identically, the attackers exploited a common vulnerability in how Windows applications load libraries. When the legitimate executable was run, it would attempt to load CRYPTBASE.dll. If a malicious version of this DLL was placed in the same directory as the executable, the operating system would often load the malicious version first, before searching for the legitimate system DLL. This technique, known as DLL side-loading or DLL hijacking, allows the attacker’s code to execute with the privileges of the legitimate application.

Upon execution, the malicious CRYPTBASE.dll would initiate contact with an external command-and-control (C2) server. Before fetching additional payloads, the DLL was programmed to perform anti-sandbox checks. These checks are designed to detect if the malware is running within a virtualized environment or a security researcher’s analysis sandbox. By doing so, the malware attempts to evade detection and analysis, only fully deploying its capabilities on genuine user systems. If a sandbox environment is detected, the malware might remain dormant or exit, preventing security analysts from observing its full malicious functionality.

The Malicious Payload: STX RAT’s Extensive Capabilities

The ultimate objective of this campaign was the deployment of STX RAT, a relatively new but highly capable remote access trojan that cybersecurity firm eSentire had analyzed just a week prior to the CPUID breach. STX RAT is far from a simple infostealer; it possesses a broad spectrum of functionalities that grant attackers extensive control over compromised systems:

• HVNC (Hidden Virtual Network Computing): This feature allows the attackers to create a hidden desktop session on the victim’s machine, enabling them to interact with the system’s graphical user interface (GUI) without the user’s knowledge. This is particularly dangerous as it can be used to perform actions like banking transactions, access web services, or manipulate files directly, all while the legitimate user sees no activity.
• Broad Infostealer Capabilities: STX RAT is designed to exfiltrate sensitive information, including but not limited to:
  • Credentials stored in web browsers, email clients, and other applications.
  • Financial data, such as credit card numbers and banking details.
  • Personal identifiable information (PII).
  • Documents and files from the compromised system.
  • Cryptocurrency wallet information.
• Remote Control and Follow-on Payload Execution: The RAT provides attackers with comprehensive remote control over the infected system. This includes the ability to:
  • Execute arbitrary commands.
  • Upload and download files.
  • Modify system configurations.
  • Deploy additional malware or tools (e.g., ransomware, cryptominers, other infostealers) post-exploitation.
• Post-Exploitation Actions: STX RAT supports a variety of advanced post-exploitation techniques:
  • In-memory execution: It can execute Portable Executables (EXEs), Dynamic Link Libraries (DLLs), PowerShell scripts, and shellcode directly in memory, leaving minimal traces on disk and making detection harder.
  • Reverse Proxy/Tunneling: This allows the attackers to route their network traffic through the compromised machine, obscuring their true origin and potentially bypassing network firewalls.
  • Desktop Interaction: Beyond HVNC, it provides direct interaction with the user’s desktop, enabling screen capturing, keylogging, and even direct manipulation of applications visible to the user.

Such extensive capabilities make STX RAT a formidable threat, capable of causing significant data breaches, financial losses, and persistent compromise for both individuals and organizations.

CPUID’s Official Response and Mitigation Efforts

In the wake of the incident, CPUID promptly utilized its official X account to confirm the breach. The company’s statement attributed the compromise to an attack on a "secondary feature (basically a side API)" which resulted in the main site "randomly display[ing] malicious links." This explanation suggests that the core web server or main application database might not have been directly breached, but rather a less critical, perhaps less secured, component was exploited to manipulate the front-end content presented to users.

Crucially, CPUID also highlighted that the attack "did not impact its signed original files." This distinction is vital: it means the legitimate CPU-Z, HWMonitor, and other tools that CPUID digitally signs were not themselves tampered with or replaced on CPUID’s own secure storage. Instead, the attackers managed to redirect users to external, malicious hosts serving trojanized versions. This clarification helps reassure users who may have already downloaded legitimate, signed files prior to or after the incident, but it does not diminish the severity of the temporary distribution compromise.

While CPUID’s rapid detection and remediation, along with their public communication, are positive steps, the incident inevitably raises questions about the security posture of secondary systems and APIs within widely used software distribution platforms. The company is expected to conduct a thorough post-mortem analysis to identify the root cause of the "side API" compromise and implement enhanced security measures to prevent future occurrences, potentially including more stringent access controls, regular security audits, and real-time monitoring of all external-facing components.

Insights into the Threat Actors

Kaspersky’s analysis provided valuable insights into the threat actors behind the CPUID compromise, despite their identity remaining unknown. A critical observation was the reuse of the command-and-control (C2) server addresses and connection configurations. This infrastructure had previously been linked to a "prior campaign" documented by Malwarebytes just weeks before. That campaign involved the distribution of trojanized FileZilla installers, hosted on bogus sites, to deploy the exact same STX RAT malware. Furthermore, earlier in March 2026, Malwarebytes also reported on fake 7-Zip downloads turning home PCs into proxy nodes, possibly hinting at an even broader campaign using similar tactics.

This pattern of reuse is a significant operational security (OpSec) blunder for the attackers. For cybersecurity researchers, it acts as a breadcrumb trail, allowing them to connect disparate attacks and attribute them to the same group. Kaspersky explicitly stated, "The gravest mistake attackers made was to reuse the same infection chain involving STX RAT, and the same domain names for C2 communication, from the previous attack related to fake FileZilla installers."

The cybersecurity firm further assessed the threat actor’s overall capabilities: "The overall malware development/deployment and operational security capabilities of the threat actor behind this attack are quite low, which, in turn, made it possible to detect the watering hole compromise as soon as it started." This assessment suggests that while the attack was effective in its brief window, the group is not exceptionally sophisticated in terms of novel malware development or maintaining anonymity. Their reliance on proven, albeit detectable, techniques and infrastructure indicates a group that might be opportunistic or less experienced than state-sponsored actors, yet still capable of causing significant damage due to the effectiveness of their chosen methods. This "low-end" sophistication, paradoxically, can make them harder to predict, as they may prioritize speed and volume over stealth.

Victim Profile and Geographic Distribution

Kaspersky reported identifying more than 150 victims directly impacted by the CPUID compromise. While the majority of these victims were individuals, the scope of the attack extended to various organizational sectors, underscoring the broad threat posed by such compromises. Affected organizations were identified in:

• Retail: Businesses in the retail sector, potentially leading to point-of-sale system compromise or corporate network breaches.
• Manufacturing: Industrial control systems or proprietary intellectual property could be at risk.
• Consulting: Firms handling sensitive client data, raising concerns about client confidentiality.
• Telecommunications: Critical infrastructure providers, posing national security risks.
• Agriculture: Though seemingly less obvious, modern agriculture relies heavily on technology, and compromise could affect operational efficiency or supply chains.

Geographically, the majority of the infections were concentrated in three regions: Brazil, Russia, and China. The reasons for this specific distribution are not explicitly stated but could be related to:

• User base of CPUID tools: A higher density of users in these regions.
• Targeting: The threat actors might have specific interests in these regions, or their previous campaigns might have gained traction there.
• Language and cultural factors: The malicious sites or social engineering tactics used might have been tailored for these demographics.
• Cybersecurity awareness/infrastructure: Varying levels of cybersecurity awareness or the prevalence of certain security software in these regions could influence infection rates.

The impact on these victims could range from personal data theft and financial fraud for individuals to significant operational disruption, intellectual property theft, and reputational damage for businesses. The presence of STX RAT on organizational networks poses a severe threat, as it can serve as a beachhead for further lateral movement, privilege escalation, and more destructive attacks.

Broader Implications for Software Supply Chain Security

The CPUID incident serves as a stark reminder of the ever-present and growing threat of supply chain attacks. In today’s interconnected digital ecosystem, businesses and individuals rely heavily on third-party software and services. A compromise at any point in this supply chain – from development to distribution – can have cascading effects, impacting thousands or even millions of end-users.

• Trust Exploitation: The core vulnerability exploited in supply chain attacks is trust. Users trust that software downloaded from official vendor websites is legitimate and safe. When this trust is breached, it undermines the fundamental principles of secure software distribution.
• Widespread Impact: Even a brief compromise, as seen with CPUID, can lead to a significant number of infections due to the popularity of the software. CPU-Z and HWMonitor are used by millions of PC enthusiasts, system builders, and IT professionals worldwide.
• Sophistication of Attackers: While Kaspersky assessed the threat actors’ OpSec as low, their ability to compromise a legitimate website and deploy a feature-rich RAT demonstrates a level of sophistication that demands serious attention from vendors.
• Digital Signatures Aren’t Enough: While CPUID emphasized that its "signed original files" were not impacted, this incident demonstrates that digital signatures alone cannot fully protect users if the distribution mechanism is compromised. Attackers can still serve unsigned or maliciously signed files, or, as in this case, use DLL side-loading with a legitimate signed executable. Users must still verify the source and integrity of their downloads.
• Third-Party Risk Management: For organizations, this incident highlights the critical importance of robust third-party risk management. Relying on popular tools means accepting the security posture of their vendors. Organizations must assess the security practices of all software suppliers and have contingency plans for potential compromises.

Recommendations for Users and Organizations

To mitigate the risks highlighted by the CPUID breach and similar supply chain attacks, both individual users and organizations must adopt proactive cybersecurity measures:

For Individual Users:

1. Download from Official Sources: Always download software directly from the vendor’s official website. Avoid third-party download sites, even if they seem reputable.
2. Verify Integrity: If available, check the cryptographic hash (e.g., MD5, SHA256) of downloaded files against the values provided on the official website. Any discrepancy indicates tampering.
3. Use Reputable Antivirus/Endpoint Protection: Keep your antivirus software updated and perform regular scans. While not foolproof, it can detect known malware.
4. Practice Least Privilege: Run applications with the minimum necessary permissions. Avoid running as an administrator unless absolutely required.
5. Maintain Backups: Regularly back up important data to an offline or cloud storage solution to recover from data loss due to malware.
6. Stay Informed: Follow cybersecurity news and advisories to be aware of ongoing threats and compromises.
7. Monitor Network Activity: While advanced, tools like firewalls can help monitor outgoing connections and block suspicious traffic from newly installed applications.

For Organizations:

1. Implement Endpoint Detection and Response (EDR): EDR solutions can detect suspicious behaviors, such as DLL side-loading or unusual network connections, that traditional antivirus might miss.
2. Network Segmentation: Isolate critical systems and data on separate network segments to limit the lateral movement of malware in case of a breach.
3. Supply Chain Risk Management: Vet all third-party software vendors. Understand their security practices, conduct regular audits, and establish clear incident response protocols.
4. Employee Training: Educate employees about phishing, social engineering, and the risks of downloading software from unverified sources.
5. Regular Security Audits and Penetration Testing: Proactively identify vulnerabilities in internal systems and third-party integrations.
6. Application Whitelisting: Allow only approved applications to run on corporate endpoints, significantly reducing the risk from unauthorized or malicious software.
7. Patch Management: Ensure all operating systems and applications are kept up-to-date with the latest security patches.
8. Threat Intelligence Integration: Subscribe to and integrate threat intelligence feeds to stay informed about new malware, attack techniques, and compromised indicators.

The Evolving Threat Landscape

The CPUID compromise is not an isolated incident but rather a symptom of a broader trend in the cyber threat landscape. Threat actors are increasingly shifting their focus from direct attacks on high-security targets to exploiting vulnerabilities in the software supply chain. By compromising a single, trusted vendor, they can gain access to a vast network of unsuspecting users. This approach is often more cost-effective and yields a higher return on investment for attackers.

The persistence of Remote Access Trojans like STX RAT, coupled with their evolving capabilities (HVNC, advanced infostealing, stealthy execution), underscores the continuous arms race between attackers and defenders. While the threat actors in this specific case might have exhibited "low" operational security, their ability to repeatedly compromise legitimate distribution channels for popular software highlights a significant vulnerability that the entire digital ecosystem must collectively address. As technology advances and software ecosystems become more complex, the need for robust security measures, shared responsibility, and constant vigilance will only intensify. The CPUID incident serves as a critical call to action for all stakeholders in the digital world to prioritize and strengthen their cybersecurity defenses.