CPUID Website Breach Deploys STX RAT Through Compromised CPU-Z and HWMonitor Downloads
Key Findings
CPUID's website was compromised for approximately 24 hours (April 9-10, 2026) to distribute trojanized CPU-Z and HWMonitor installers containing STX RAT malware
Threat actors manipulated a secondary API to redirect download links to malicious websites hosting infected executables
The malware used DLL sideloading with a file named CRYPTBASE.dll to execute payloads while evading detection
Over 150 victims identified across individuals and organizations in retail, manufacturing, consulting, telecommunications, and agriculture sectors, primarily in Brazil, Russia, and China
Attackers reused command-and-control infrastructure and infection chains from a prior FileZilla trojanization campaign, indicating low operational security
Background
CPUID operates cpuid.com, a legitimate software distribution platform for popular hardware monitoring tools including CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor. These tools are widely used by IT professionals and enthusiasts to diagnose and monitor system hardware. The breach compromised this trusted distribution channel for less than 24 hours, allowing attackers to serve malicious software to unsuspecting users downloading legitimate tools.
Attack Duration and Scope
The compromise lasted from April 9 at 15:00 UTC to April 10 at 10:00 UTC. During this window, the main CPUID website randomly displayed malicious download links that redirected users to rogue domains. The threat actors did not compromise CPUID's digitally signed original files themselves, but rather manipulated a secondary feature operating as a side API that handled download redirects. CPUID confirmed this was the attack vector in their public statement about the incident.
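Because the signed installers themselves were untouched and only the redirect-handling side API was manipulated, the useful defensive control is to watch where a vendor's download links actually resolve. The following is an added example (not CPUID's code, nor from any of the cited reports) that audits a redirect chain against an allowlist of expected download hosts; the allowlist contents and the sample URLs and file names are constructed for illustration, while the rogue hostnames are the ones named on this page.

```python
from urllib.parse import urlparse

# ASSUMPTION: the real set of hosts CPUID serves downloads from is not stated
# on the page; this allowlist is a placeholder an operator would fill in.
ALLOWED_DOWNLOAD_HOSTS = {"cpuid.com", "download.cpuid.com"}


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_allowed_host(host, allowed=ALLOWED_DOWNLOAD_HOSTS):
    """True only if host equals an allowed host or is a proper subdomain of one.
    Look-alikes such as 'cpuid.com.example.net' or 'evil-cpuid.com' do not match."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def audit_redirect_chain(chain, allowed=ALLOWED_DOWNLOAD_HOSTS):
    """chain is the ordered list of URLs a download link passes through: the
    start URL followed by each Location header seen. Returns every hop whose
    host is outside the allowlist or that downgrades to plain http; an empty
    list means the chain stayed on trusted infrastructure."""
    bad = []
    for url in chain:
        parsed = urlparse(url)
        if parsed.scheme != "https" or not is_allowed_host(host_of(url), allowed):
            bad.append(url)
    return bad


def audit_links(chains, allowed=ALLOWED_DOWNLOAD_HOSTS):
    """Audit several chains keyed by product name; returns only the offenders."""
    return {name: hops for name, chain in chains.items()
            if (hops := audit_redirect_chain(chain, allowed))}


# Constructed sample chains. The file paths are invented; the rogue hosts in
# the second and third chains are the ones listed in the incident write-up.
SAMPLE_CHAINS = {
    "cpu-z-clean": [
        "https://www.cpuid.com/softwares/cpu-z.html",
        "https://download.cpuid.com/cpu-z/cpu-z_setup.exe",
    ],
    "cpu-z-rogue": [
        "https://www.cpuid.com/softwares/cpu-z.html",
        "https://transitopalermo.com/files/cpu-z_setup.zip",
    ],
    "hwmonitor-rogue": [
        "https://www.cpuid.com/softwares/hwmonitor.html",
        "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor.exe",
    ],
}

if __name__ == "__main__":
    for name, hops in audit_links(SAMPLE_CHAINS).items():
        print(f"ALERT {name}: download left trusted hosts via {hops}")
```

Run against live data, the chain would be collected by issuing HEAD requests with redirects disabled and following Location headers manually; any hit is a reason to pull the link from circulation and compare the served file's hash against the published IoCs.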
Malicious Infrastructure and Distribution Method
The rogue websites hosting the trojanized installers included cahayailmukreatif.web.id, pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev, transitopalermo.com, and vatrobran.hr. The malicious software was distributed as both ZIP archives and standalone installers that appeared legitimate. Each infected installer contained a genuine, signed executable for the corresponding CPUID product bundled with a malicious DLL named CRYPTBASE.dll, so that the legitimate binary would load the attacker's library from its own directory instead of the system copy (DLL sideloading).
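The tell for this technique is a copy of CRYPTBASE.dll lying next to an executable outside the Windows system directories. The hunt below is an added example, not code from Kaspersky, CPUID or the cited articles: it walks a directory tree, reports each out-of-place CRYPTBASE.dll with the executables that share its folder, and hashes the DLL so the result can be compared with published indicators. The system-directory list and the constructed sample tree built by `build_demo_tree` are assumptions for illustration; the sample DLL is placeholder bytes, not real malware.

```python
import hashlib
import os
import shutil
import tempfile

# Directories where CRYPTBASE.dll legitimately lives on Windows. A copy found
# anywhere else, beside an executable, is a sideloading candidate.
SYSTEM_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
TARGET_DLL = "cryptbase.dll"
EXE_SUFFIXES = (".exe",)


def is_system_path(path):
    """Case-insensitive prefix match against the known system DLL directories."""
    normalised = os.path.abspath(path).lower().replace("/", "\\")
    return normalised.startswith(SYSTEM_DLL_DIRS)


def sha256_of(path):
    """Streaming SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_candidates(root):
    """Return one finding per CRYPTBASE.dll located outside the system
    directories. Each finding names the executables sharing the folder (the
    likely sideload host) and the DLL's SHA-256 for IoC matching."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if is_system_path(dirpath):
            continue
        by_lower = {f.lower(): f for f in files}
        if TARGET_DLL not in by_lower:
            continue
        dll_path = os.path.join(dirpath, by_lower[TARGET_DLL])
        exes = sorted(f for f in files if f.lower().endswith(EXE_SUFFIXES))
        findings.append({
            "dll": dll_path,
            "sha256": sha256_of(dll_path),
            "neighbour_executables": exes,
        })
    return findings


# Constructed placeholder content standing in for the malicious DLL.
DEMO_DLL_BYTES = b"MZ placeholder - not a real PE file"


def build_demo_tree(base):
    """Create a constructed sample layout: one folder that mimics an unpacked
    trojanized download and one harmless folder with no DLL."""
    bad = os.path.join(base, "Downloads", "cpu-z_2.x")
    good = os.path.join(base, "Downloads", "notes")
    os.makedirs(bad)
    os.makedirs(good)
    with open(os.path.join(bad, "cpuz_x64.exe"), "wb") as f:
        f.write(b"MZ placeholder signed binary")
    with open(os.path.join(bad, "CRYPTBASE.dll"), "wb") as f:
        f.write(DEMO_DLL_BYTES)
    with open(os.path.join(good, "readme.txt"), "w") as f:
        f.write("nothing to see here\n")
    return base


def demo():
    """Build the sample tree in a temp directory, scan it, clean up, return findings."""
    base = tempfile.mkdtemp(prefix="sideload_hunt_")
    try:
        build_demo_tree(base)
        return find_sideload_candidates(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for hit in demo():
        print(f"sideload candidate: {hit['dll']} sha256={hit['sha256']} "
              f"next to {hit['neighbour_executables']}")
```

On a real host the scan would be pointed at user-writable locations such as Downloads, Desktop and temp folders, and each reported hash checked against the indicators Kaspersky released; a legitimate CRYPTBASE.dll should never need to be shipped alongside a CPUID installer.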
Malware Capabilities and Execution
The malicious DLL contacts external command-and-control servers to execute additional payloads while performing anti-sandbox checks to evade detection systems. The final payload deployed was STX RAT, a remote access trojan with extensive capabilities including HVNC (Hidden Virtual Network Computing) and infostealer functionality. STX RAT provides attackers with broad command execution capabilities, including in-memory execution of EXE files, DLL files, PowerShell scripts, and shellcode, plus reverse proxy tunneling and remote desktop interaction.
Victim Impact and Geographic Distribution
Kaspersky identified more than 150 victims across multiple sectors. While most were individual users, organizations in retail, manufacturing, consulting, telecommunications, and agriculture were also compromised. Infections concentrated primarily in Brazil, Russia, and China. The relatively low number of victims reflects the brief window during which the malicious links were active.
Operational Security Failures
The threat actors made critical mistakes that aided detection. Most significantly, they reused the same command-and-control domain names, infection chains, and malware (STX RAT) from a previous campaign that targeted trojanized FileZilla installers in early March 2026. Security researchers noted that the overall malware development and operational security capabilities demonstrated by the threat actors were notably low, making it possible for security firms to detect and stop the compromise quickly after it began.
Remediation and User Recommendations
CPUID has confirmed the breach was remediated and the website now serves clean software versions. Users who downloaded CPU-Z, HWMonitor, or PerfMonitor during the affected April 9-10 window should assume compromise and immediately change all passwords, particularly those stored in browsers, enable multi-factor authentication, and conduct thorough security scans or reinstall their operating systems. Kaspersky published indicators of compromise including malicious file signatures and URLs to aid in detection efforts.
Sources
https://thehackernews.com/2026/04/cpuid-breach-distributes-stx-rat-via.html
https://beyondmachines.net/event_details/cpuid-website-compromised-to-distribute-stx-rat-malware-via-cpu-z-and-hwmonitor-y-5-e-q-i
https://www.bleepingcomputer.com/news/security/supply-chain-attack-at-cpuid-pushes-malware-with-cpu-z-hwmonitor/
