Popular hardware monitoring tools CPU-Z and HWMonitor were trojanized during a CPUID website breach that lasted less than 24 hours; the tampered packages used DLL side-loading to deliver the STX RAT malware to more than 150 victims in several countries.
Unknown threat actors compromised CPUID's website for less than 24 hours to distribute trojanized versions of its popular hardware monitoring tools, deploying a remote access trojan called STX RAT to unsuspecting users worldwide.
The Breach Timeline
The incident occurred between approximately April 9, 15:00 UTC, and April 10, 10:00 UTC, when download URLs for CPU-Z and HWMonitor installers were replaced with links to malicious websites. CPUID confirmed the breach on social media, attributing it to a compromise of a "secondary feature (basically a side API)" that caused the main site to randomly display malicious links.
How the Attack Worked
The attackers used DLL side-loading, a long-established technique, and distributed the trojanized software both as ZIP archives and as standalone installers. Each malicious package contained:
- The legitimate, validly signed executable for the corresponding product (CPU-Z or HWMonitor)
- A malicious DLL named CRYPTBASE.dll. The genuine CRYPTBASE.dll is a Windows system library that lives in the System32 and SysWOW64 directories; because Windows resolves most imported DLLs from an application's own directory before the system directories, the copy dropped beside the signed executable is the one that gets loaded.
Once the executable runs, the malicious DLL performs anti-sandbox checks to avoid detection, then contacts external servers and executes additional payloads. The final stage is STX RAT, a remote access trojan with extensive capabilities. Because the executable's own Authenticode signature is intact, checking that signature alone does not reveal the tampering; the DLL sitting next to it is what matters.
STX RAT Capabilities
According to eSentire's analysis, STX RAT offers comprehensive remote control functionality:
- Broad command set for remote control
- Follow-on payload execution
- Post-exploitation actions including in-memory execution of EXE/DLL/PowerShell/shellcode
- Reverse proxy/tunneling capabilities
- Desktop interaction features
- HVNC (Hidden VNC) capabilities, giving the operator a remote desktop session that is invisible to the logged-on user
- Broad infostealer functionality
Connection to Previous Campaigns
The attack bears striking similarities to a prior campaign documented by Malwarebytes in early March, which used trojanized FileZilla installers to deploy the same STX RAT malware. The threat actors reused the same command-and-control server addresses and connection configurations, demonstrating poor operational security practices.
Global Impact
Kaspersky identified more than 150 victims, with infections concentrated in:
- Brazil
- Russia
- China
Beyond those countries, organizations across multiple sectors were affected, including retail, manufacturing, consulting, telecommunications, and agriculture. The breach highlights the widespread risk posed by supply chain attacks that target trusted software distribution channels.
Technical Analysis
The attackers' operational security was notably weak, as evidenced by their reuse of infrastructure and techniques. Kaspersky noted that "the overall malware development/deployment and operational security capabilities of the threat actor behind this attack are quite low, which, in turn, made it possible to detect the watering hole compromise as soon as it started."
Protection and Response
Users who downloaded CPU-Z or HWMonitor from CPUID during the affected timeframe should:
- Scan their systems with updated antivirus software
- Monitor for unusual network activity
- Look for copies of CRYPTBASE.dll outside the Windows system directories (System32 and SysWOW64), in particular next to a CPU-Z or HWMonitor executable or inside an extracted ZIP folder; the legitimate file only lives in the system directories, so an out-of-place copy is the side-loaded one
- Treat any machine that ran the trojanized package as compromised and rotate the credentials used on it, since STX RAT includes infostealer functionality and gives the operator full remote control
- Reinstall from CPUID's own site now that the malicious links have been removed, and discard anything downloaded during the affected window
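The PowerShell hunting script below is an added example and is not part of the original article or of CPUID's, eSentire's or Kaspersky's tooling. It implements the check described above for the side-loading scheme used in this attack: it looks for copies of CRYPTBASE.dll outside the Windows system directories in the places where a downloaded package would typically be unpacked or installed, and reports each copy with its SHA-256, its signature status and the CPU-Z/HWMonitor executables sitting beside it. The search roots, the executable-name pattern and the decision to flag every out-of-place copy are assumptions, not indicators published by any of the vendors.

```powershell
# Added example: hunt for a side-loaded CRYPTBASE.dll on a Windows host.
# Not from the original article; the search roots and the executable-name
# pattern are assumptions, adjust them for your environment.
# Needs Windows PowerShell 5.1 or PowerShell 7 running on Windows.

# The genuine CRYPTBASE.dll lives only here; any copy elsewhere is suspect.
$LegitDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

# Places where a downloaded ZIP or installer would plausibly land (assumption).
$SearchRoots = @(
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Desktop",
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:TEMP
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

function Find-SideloadedCryptbase {
    param([string[]]$Roots = $SearchRoots)

    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'cryptbase.dll' -ErrorAction SilentlyContinue |
            Where-Object { $LegitDirs -notcontains $_.DirectoryName } |
            ForEach-Object {
                $dll = $_
                $sig = Get-AuthenticodeSignature -FilePath $dll.FullName

                # A side-loaded copy sits beside the signed CPU-Z / HWMonitor binary
                # (pattern is an assumption about the installer file names).
                $neighbours = Get-ChildItem -LiteralPath $dll.DirectoryName -File -Filter '*.exe' -ErrorAction SilentlyContinue |
                    Where-Object { $_.BaseName -match '^(cpuz|hwmonitor)' }

                [pscustomobject]@{
                    Path      = $dll.FullName
                    SizeBytes = $dll.Length
                    SHA256    = (Get-FileHash -LiteralPath $dll.FullName -Algorithm SHA256).Hash
                    SigStatus = $sig.Status      # the real system DLL is Microsoft-signed
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                    HostExe   = ($neighbours.Name -join ', ')
                }
            }
    }
}

$findings = @(Find-SideloadedCryptbase)
if ($findings.Count -eq 0) {
    Write-Host "No CRYPTBASE.dll found outside $($LegitDirs -join ' / ') under the searched roots."
} else {
    $findings | Format-Table -AutoSize
    Write-Warning "Treat this host as compromised: quarantine the files, isolate the machine and rotate the credentials used on it."
}
```

Run it from an elevated prompt so that Program Files subfolders are readable, and add any network share or folder where your users keep downloads to the search roots. The script deliberately inspects the DLL rather than the executable: cpuz.exe and hwmonitor.exe in the trojanized packages carry a valid signature, so a signature check on them passes. The SHA-256 values it prints can be compared against whatever indicators your security vendor publishes for this campaign.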
The incident underscores the critical importance of supply chain security and the need for robust verification mechanisms when downloading software from even trusted sources.
Industry Context
This attack represents a concerning trend in supply chain compromises, where legitimate software distribution channels are hijacked to deliver malware at scale. Hardware monitoring tools make an effective vector: they are trusted by system administrators and power users and are typically run with administrator rights (they load a driver to read hardware sensors), so the side-loaded DLL inherits those rights.

Related Security Developments
The CPUID breach comes amid a wave of significant security incidents, including:
- Apple's expansion of iOS 18.7.7 to block the DarkSword exploit
- A new Chrome zero-day (CVE-2026-5281) under active exploitation
- Microsoft's warning about WhatsApp-delivered VBS malware
- Fortinet's patch for actively exploited CVE-2026-35616 in FortiClient EMS
The convergence of these threats highlights the increasingly complex threat landscape facing organizations and individuals alike.
Lessons Learned
This incident offers several critical takeaways for both users and organizations:
- Supply chain attacks reach trusted vendors - Even a well-known software vendor's download links can be hijacked
- Operational security matters - The attackers' reuse of infrastructure led to their detection
- Verification is crucial - Users should verify software integrity before installation; a valid signature on the main executable is not enough when the package can carry a side-loaded DLL
- Monitoring is essential - Organizations need robust monitoring to detect unusual behavior
- Response time is critical - CPUID's quick response limited the potential damage
The CPUID breach serves as a stark reminder that no software distribution channel is immune to compromise, and vigilance remains essential in today's threat landscape.
