CPUID Breach Distributes STX RAT via Trojanized CPU-Z and HWMonitor Downloads
CPUID Website Compromise: Popular Hardware Tools Used to Spread STX RAT
TL;DR
The official CPUID website was compromised for a 19-hour window between April 9 and April 10, 2026. Attackers exploited a secondary API to replace legitimate download links for CPU-Z and HWMonitor with malicious URLs. Users who downloaded the software during this time may have been infected with the STX RAT, a powerful remote access trojan.
Overview of the Breach
CPUID, the developer behind essential hardware diagnostic utilities such as CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor, recently fell victim to a "watering hole" attack.
According to reports, unknown threat actors gained unauthorized access to the site's infrastructure for less than 24 hours. During this window, the attackers manipulated the website to serve trojanized versions of the software. While the breach was short-lived, it serves as a stark reminder of how even trusted software repositories can be weaponized against their users.
Incident Timeline and Technical Root Cause
The compromise was active during the following period:
- Start: April 9, 15:00 UTC
- End: April 10, 10:00 UTC
CPUID confirmed the incident via a post on X (formerly Twitter). The company explained that the breach originated through a "secondary feature" or a "side API." Abusing it let the attackers make the main website intermittently serve malicious download links in place of the official ones, so not every visitor during the window received a rogue link.
Importantly, CPUID stated that their original signed files were not impacted or modified; instead, the download buttons were rerouted to external rogue servers hosting malicious copies.
The Infection Chain: DLL Side-Loading
According to analysis from Kaspersky, the attackers distributed the malware via both ZIP archives and standalone installers. The attack used the well-known DLL side-loading technique:
- Legitimate Wrapper: The package included a legitimate, signed executable for the CPUID product to avoid raising suspicion.
- Malicious DLL: Alongside the legitimate file was a malicious DLL named CRYPTBASE.dll, the name of a genuine Windows system library that normally lives in System32.
- Execution: When the user ran the software, the legitimate executable loaded the malicious DLL, because the Windows loader searches the application's own directory before the system directory when resolving a DLL by name.
- Evasion: Before full execution, the malware performed anti-sandbox checks to ensure it was not running in a virtual environment used by security researchers.
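The following script is an added example (not code from CPUID, Kaspersky or the article) of how a responder would hunt for the side-loading pair described above: it walks a directory tree, reports every CRYPTBASE.dll that sits outside the Windows system directories, and lists the executables beside it. The directory layout built by `run_demo()` is constructed for the demonstration, the file contents are dummy bytes, and the folder and file names (`Downloads/cpu-z`, `cpuz_x64.exe`) are assumptions.

```python
"""Hunt for CRYPTBASE.dll side-loading candidates on a directory tree.

Added example, not code from CPUID, Kaspersky or the article. CRYPTBASE.dll
is a legitimate Windows DLL that belongs in %SystemRoot%\\System32 (and
SysWOW64 on 64-bit Windows). Because the loader searches the directory of
the executable before the system directory, a CRYPTBASE.dll dropped next to
a signed CPU-Z or HWMonitor binary is loaded instead of the real one. The
script therefore reports every CRYPTBASE.dll found outside the system
directories together with the executables beside it.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

TARGET_DLL = "cryptbase.dll"
SYSTEM_SUBDIRS = ("System32", "SysWOW64", "WinSxS")  # where the real copy may live


def _under(path: Path, root: Path) -> bool:
    """True if path lies inside root (after resolving symlinks)."""
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large DLLs are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_sideload_candidates(scan_root: Path, system_root: Path) -> list[dict]:
    """Return one record per CRYPTBASE.dll located outside the system directories.

    system_root is the Windows directory (for example C:\\Windows); copies under
    its System32/SysWOW64/WinSxS subdirectories are the legitimate ones and are
    skipped. Each record carries the DLL path, its SHA-256 and the .exe files in
    the same directory (the signed wrapper that would load it).
    """
    system_dirs = [system_root / sub for sub in SYSTEM_SUBDIRS]
    hits = []
    for dirpath, _dirnames, filenames in os.walk(scan_root):
        directory = Path(dirpath)
        for name in filenames:
            if name.lower() != TARGET_DLL:
                continue
            dll = directory / name
            if any(_under(dll, sd) for sd in system_dirs):
                continue  # the legitimate system copy
            exes = sorted(n for n in filenames if n.lower().endswith(".exe"))
            hits.append({
                "dll": str(dll),
                "sha256": sha256_file(dll),
                "neighbouring_exes": exes,
            })
    return hits


def _write(path: Path, data: bytes) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def run_demo() -> list[dict]:
    """Build a constructed tree in a temp dir, scan it and return the hits.

    Layout (all contents are dummy bytes, not real binaries; names are assumed):
      Windows/System32/CRYPTBASE.dll                legitimate copy, must be ignored
      Downloads/cpu-z/cpuz_x64.exe + CRYPTBASE.dll  side-loading pair, must be reported
      Downloads/notes/readme.txt                    unrelated file
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write(root / "Windows" / "System32" / "CRYPTBASE.dll", b"MZ legitimate placeholder")
        _write(root / "Downloads" / "cpu-z" / "cpuz_x64.exe", b"MZ signed wrapper placeholder")
        _write(root / "Downloads" / "cpu-z" / "CRYPTBASE.dll", b"MZ rogue placeholder")
        _write(root / "Downloads" / "notes" / "readme.txt", b"nothing to see")
        return find_sideload_candidates(root, root / "Windows")


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

On a real host you would call `find_sideload_candidates(Path("C:/"), Path("C:/Windows"))`, then verify the Authenticode signature of each reported DLL and compare its hash with your vendor's indicators; the script deliberately stops at locating the file, since signature verification needs Windows APIs or a PE-parsing library.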
The Payload: STX RAT
The ultimate goal of the campaign was to deploy STX RAT, a potent Remote Access Trojan. As detailed by security firm eSentire, this malware provides attackers with extensive control over a compromised system, including:
- HVNC (Hidden Virtual Network Computing): Allowing attackers to interact with the desktop without the user’s knowledge.
- Infostealing: Broad capabilities to exfiltrate sensitive data.
- Remote Execution: In-memory execution of EXE, DLL, PowerShell, and shellcode.
- Post-Exploitation: Capabilities for reverse proxying and tunneling to further penetrate a network.
A Trail of Reused Infrastructure
Security researchers noted that the threat actors showed relatively poor operational security (OPSEC). The C2 (Command and Control) server addresses and connection configurations used in the CPUID breach were identical to those used in a prior campaign involving fake FileZilla installers documented by Malwarebytes earlier this year.
By reusing the same infrastructure, the attackers made it significantly easier for security firms to identify and mitigate the threat quickly.
Impact and Victimology
Kaspersky has identified over 150 victims so far. While the majority are individual users, the breach also impacted organizations across several sectors, including:
- Retail and Manufacturing
- Consulting and Telecommunications
- Agriculture
Geographically, the highest concentration of infections was found in Brazil, Russia, and China.
Rogue Domains to Watch
If you or your organization downloaded software from CPUID during the active window, check your network logs for traffic related to these rogue domains identified by Kaspersky:
- cahayailmukreatif.web[.]id
- pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev
- transitopalermo[.]com
- vatrobran[.]hr
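As an added example of the log check suggested above (not code from the article or from Kaspersky), the script below refangs the four published domains and matches them against proxy and DNS log lines, counting subdomains of a rogue domain as hits and ignoring look-alike names such as notvatrobran.hr. The lines in `SAMPLE_LOG` are constructed for the demonstration: their format, client IPs, paths and the `sub.` host label are made up.

```python
"""Match the published rogue domains against proxy and DNS log lines.

Added example, not code from the article or from Kaspersky. The four
indicators are the defanged domains the article lists; the log lines in
SAMPLE_LOG are constructed for the demonstration and their hostnames,
paths and client IPs are made up.
"""
from __future__ import annotations

import re
from typing import Iterable, Optional

ROGUE_DOMAINS = [
    "cahayailmukreatif.web[.]id",
    "pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev",
    "transitopalermo[.]com",
    "vatrobran[.]hr",
]

# Constructed log lines in a simple "timestamp source action target status" shape.
SAMPLE_LOG = [
    "2026-04-09T16:02:11Z proxy GET https://www.cpuid.com/ 200",
    "2026-04-09T16:02:40Z proxy GET https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/a.zip 200",
    "2026-04-09T16:05:03Z dns query A vatrobran.hr client=10.0.0.23",
    "2026-04-09T16:05:09Z proxy CONNECT sub.transitopalermo.com:443 200",
    "2026-04-09T16:07:00Z dns query A notvatrobran.hr client=10.0.0.23",
    "2026-04-10T09:00:00Z proxy GET http://download.cpuid.com/ 200",
]

# A host name: dot-separated labels ending in an alphabetic TLD. The optional
# scheme and port are consumed so URLs and host:port tokens both yield the host.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9][a-z0-9.-]*\.[a-z]{2,})(?::\d+)?", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Convert a defanged indicator ('example[.]com') back to a matchable host name."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":").lower()


def hosts_in_line(line: str) -> set[str]:
    """All host-like tokens in a log line, lower-cased and without trailing dots."""
    return {h.lower().rstrip(".") for h in HOST_RE.findall(line)}


def matching_ioc(host: str, domains: Iterable[str]) -> Optional[str]:
    """Return the IOC domain that host equals or is a subdomain of, else None.

    The leading dot in the suffix test is what keeps notvatrobran.hr from
    matching vatrobran.hr.
    """
    for domain in domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_log(lines: Iterable[str], iocs: Iterable[str] = ROGUE_DOMAINS) -> list[dict]:
    """Return {line, host, ioc} for every log line that touches a rogue domain."""
    domains = [refang(d) for d in iocs]
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for host in sorted(hosts_in_line(line)):
            ioc = matching_ioc(host, domains)
            if ioc is not None:
                hits.append({"line": lineno, "host": host, "ioc": ioc})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Feed `scan_log()` the lines of your own proxy, DNS or firewall export; because it extracts host names from anywhere in the line, the exact log format does not matter as long as the destination appears as a URL, a bare FQDN or a host:port token.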
Conclusion
The CPUID breach highlights the ongoing risks associated with software supply chains and watering hole attacks. Although the reused infrastructure let defenders identify and block the campaign quickly, the 19-hour window was sufficient to compromise over a hundred systems globally. Users who downloaded CPUID tools on April 9 or 10 are strongly advised to look for a CRYPTBASE.dll sitting outside the Windows system directories, in particular next to a CPUID executable, to check network logs for the rogue domains listed above, and to investigate any other signs of STX RAT activity.
Source: https://thehackernews.com/2026/04/cpuid-breach-distributes-stx-rat-via.html