HIGH: CPUID Website Breach Spreads STX RAT Through Trojanized CPU-Z and HWMonitor Downloads

The official CPUID website was compromised for 19 hours, redirecting users to malicious downloads of CPU-Z and HWMonitor that delivered STX RAT. Over 150 victims identified across retail, manufacturing, telecom, and individual users in Brazil, Russia, and China.

By Danny Mercer, CISSP — Lead Security Analyst | Apr 12, 2026

If you downloaded CPU-Z or HWMonitor between April 9th and 10th, you might want to sit down for this one. The official CPUID website was compromised for roughly 19 hours, and during that window, attackers swapped out the legitimate download links with malicious ones that delivered a remote access trojan called STX RAT. For anyone who has ever built a PC, overclocked a processor, or done basic hardware diagnostics, CPU-Z is practically a household name. HWMonitor is just as ubiquitous in IT circles. That makes this supply chain attack particularly insidious because it targeted software that millions of people trust implicitly.

According to analysis from Kaspersky, the breach occurred when threat actors compromised what CPUID described as a "secondary feature" or side API that controlled download links on the main site. This caused the website to randomly serve malicious URLs instead of pointing to the legitimate software packages. The good news, if there is any, is that CPUID's signed original files were never actually tampered with. The attackers simply redirected users to completely different websites hosting trojanized versions of the tools.

The malicious download links pointed to a handful of rogue domains including cahayailmukreatif.web.id, a Cloudflare R2 storage bucket at pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev, transitopalermo.com, and vatrobran.hr. Victims who clicked those links received either ZIP archives or standalone installers that appeared legitimate at first glance. Inside was a properly signed executable for CPU-Z or HWMonitor, sitting right alongside a malicious DLL named CRYPTBASE.dll. This setup takes advantage of a classic technique called DLL side-loading. When the legitimate application runs, Windows searches for the DLLs it imports in a fixed order, and the directory the application was launched from comes before the Windows system directory where the genuine CRYPTBASE.dll lives. An attacker who drops a DLL with the right name next to the signed executable therefore gets their code loaded instead of the real library, and the signature on the executable itself still checks out.

Once loaded, the malicious DLL performs a series of anti-sandbox checks to avoid detection in security analysis environments. If it decides the coast is clear, it reaches out to an external command-and-control server and pulls down additional payloads. The end goal is deploying STX RAT, a relatively new remote access trojan that first appeared on security researchers' radars earlier this year.

STX RAT packs a concerning amount of capability into one package. According to analysis from eSentire published just last week, the malware offers Hidden Virtual Network Computing (hVNC), which allows attackers to interact with the victim's desktop without the user ever seeing it happening. It also includes broad infostealer functionality for harvesting credentials, browser data, and other sensitive information. On top of that, STX RAT supports in-memory execution of executables, DLLs, PowerShell scripts, and raw shellcode, meaning attackers can run almost anything they want without ever dropping files to disk. Reverse proxy and tunneling capabilities round out the toolkit, giving operators the ability to pivot through compromised machines to reach other systems on the network.

The command set exposed by STX RAT is extensive enough to support everything from initial reconnaissance through full post-exploitation. That makes it useful not just for smash-and-grab credential theft but also for longer-term persistence and lateral movement. For organizations that had employees inadvertently download the trojanized software, this creates a real headache because the malware could have been quietly operating in the background for days before anyone noticed something was wrong.

Here is where the story gets interesting. Kaspersky noted that the threat actors behind this CPUID compromise made a significant operational security blunder. The command-and-control server address and connection configuration were identical to infrastructure used in a previous campaign that Malwarebytes documented in early March. That earlier operation involved fake FileZilla installer downloads hosted on lookalike websites, and it distributed the exact same STX RAT payload. By reusing the same infection chain and C2 domains, the attackers essentially left a trail of breadcrumbs that security researchers could follow almost immediately.

The overall assessment from Kaspersky was blunt. The malware development, deployment, and operational security capabilities of this threat actor are "quite low." That sloppiness is actually what enabled defenders to detect the watering hole compromise as soon as it started. Not every attacker operates with nation-state-level tradecraft, and this group clearly prioritized speed and scale over stealth.

Kaspersky identified more than 150 victims as of their analysis. The majority were individuals who downloaded the trojanized software for personal use, which makes sense given CPU-Z's popularity among PC enthusiasts and hobbyist overclockers. However, the victim pool also included organizations in retail, manufacturing, consulting, telecommunications, and agriculture. Even if an employee downloaded the software on their work machine just to check system temperatures or verify hardware specs, that single download could have introduced STX RAT into the corporate environment.

Geographically, most infections were concentrated in Brazil, Russia, and China. The distribution pattern suggests the attackers did not target any specific region but rather cast a wide net and caught whoever happened to download during the compromise window.

If you or anyone in your organization downloaded CPU-Z, HWMonitor, HWMonitor Pro, or PerfMonitor from the official CPUID website between approximately April 9 at 15:00 UTC and April 10 at 10:00 UTC, assume the worst. Check the file hash of the installer against known-good values published by CPUID. Look for the presence of CRYPTBASE.dll in the same directory as the application executable, since that file should not exist in a legitimate installation. Run a full endpoint detection scan with updated signatures, and if your security tools support behavioral analysis, review any suspicious outbound connections to the domains mentioned earlier.

For organizations with mature security programs, this is a good time to verify that your application allowlisting and download monitoring controls would catch this type of supply chain substitution. The attackers did not actually modify signed binaries, so traditional code-signing verification would not have helped here. What would have helped is detecting an unexpected domain serving the download, or flagging the presence of an unexpected DLL during execution.
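As an added example (not part of the article, and not tooling from CPUID, Kaspersky or eSentire), the following Python script carries out the triage steps from the previous two paragraphs: it flags any directory where a CPUID executable sits beside a CRYPTBASE.dll, hashes the files in such a directory so they can be compared with CPUID's published values, and lists proxy or DNS log lines that reference the rogue download domains named above. The executable name pattern, the sample directory tree and the log lines are assumptions constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path
# Rogue download domains named in the article (from Kaspersky's analysis).
IOC_DOMAINS = {"cahayailmukreatif.web.id", "pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev",
               "transitopalermo.com", "vatrobran.hr"}
SIDELOAD_DLL = "cryptbase.dll"
APP_EXE = re.compile(r"^(cpuz|hwmonitor|perfmonitor).*\.exe$", re.I)  # assumed CPUID binary names
HOST_TOKEN = re.compile(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}")

def find_sideload_candidates(root):
    """Directories under root where a CPUID executable sits beside CRYPTBASE.dll."""
    return [Path(d) for d, _, files in os.walk(root)
            if SIDELOAD_DLL in {f.lower() for f in files} and any(APP_EXE.match(f) for f in files)]

def sha256_report(dirpath):
    """SHA-256 per file in a flagged directory, to compare with CPUID's published hashes."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(Path(dirpath).iterdir()) if p.is_file()}

def find_ioc_hits(log_lines):
    """(line_no, domain) for proxy/DNS log lines whose host is, or is under, a rogue domain."""
    return [(n, d) for n, line in enumerate(log_lines, 1)
            for host in HOST_TOKEN.findall(line.lower())
            for d in IOC_DOMAINS if host == d or host.endswith("." + d)]

def build_sample_tree():
    """Constructed fixture: a clean install and a trojanized download (dummy bytes, not real binaries)."""
    root = Path(tempfile.mkdtemp())
    for sub, dll in (("clean", None), ("trojanized", "CRYPTBASE.dll")):
        (root / sub).mkdir()
        (root / sub / "cpuz_x64.exe").write_bytes(b"dummy signed cpuid binary")
        if dll:
            (root / sub / dll).write_bytes(b"dummy malicious loader")
    return root

# Constructed proxy log lines, not real telemetry.
SAMPLE_PROXY_LOG = [
    "2026-04-09T16:02:11Z 10.0.5.23 GET https://www.cpuid.com/softwares/cpu-z.html 200",
    "2026-04-09T16:02:14Z 10.0.5.23 GET https://cahayailmukreatif.web.id/cpu-z.zip 200",
    "2026-04-09T16:03:40Z 10.0.5.31 GET https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/HWMonitor.zip 200",
]
```

Point `find_sideload_candidates` at a Downloads or Program Files tree on a suspect host and feed `find_ioc_hits` the proxy log for the April 9 to 10 window; a hit on the first is the DLL side-loading layout described above, a hit on the second is a download that the CPUID site redirected to a rogue host.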

Supply chain attacks continue to be one of the most effective ways for threat actors to reach large numbers of victims quickly. By compromising a trusted source, attackers bypass the normal skepticism that users might apply to a random download link in an email. In this case, the CPUID website is exactly the kind of resource that security-conscious users would consider safe. If you cannot trust the official vendor's download page, what can you trust?

This incident also highlights the importance of monitoring your software supply chain even for seemingly innocuous utility applications. CPU-Z is not exactly enterprise-critical software, but it runs with full user privileges and any malware delivered alongside it inherits those privileges. IT teams often focus their supply chain concerns on major business applications while overlooking the small tools that employees download to troubleshoot hardware or run diagnostics. Attackers know this and deliberately target software that flies under the corporate security radar.

CPUID moved quickly to remediate the breach, and the 19-hour window was relatively short compared to some supply chain compromises that persist for weeks or months. Still, 19 hours was more than enough time for 150-plus victims to get infected, and the real number is likely higher since not everyone's endpoint telemetry feeds into Kaspersky's visibility.

The bottom line is this. Even trusted software from trusted vendors can become a threat vector with zero warning. Keep your endpoint protection updated, verify downloads when possible, and maintain visibility into what applications are running across your environment. The next watering hole compromise might not be caught as quickly as this one was.
