CPUID Website Breached — Trojanized CPU-Z and HWMonitor Downloads Delivered STX RAT for Six Hours

Introduction

The official CPUID website (cpuid.com) was compromised between April 9 and April 10, 2026, and used to deliver trojanized versions of CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor 2 to unsuspecting visitors. The malicious downloads installed STX RAT, a sophisticated remote access trojan with extensive credential-stealing capabilities. The breach lasted approximately six hours before it was discovered and remediated.

What Happened

Attackers breached a secondary API endpoint on CPUID's infrastructure, which allowed them to hijack the download delivery mechanism on the website. Rather than tampering with the original signed binaries or the build pipeline, the attackers manipulated download links to randomly redirect visitors to trojanized installers hosted on attacker-controlled infrastructure, including Cloudflare R2 storage buckets.

The malicious packages were distributed as ZIP archives or standalone installers containing the legitimate, signed CPUID executables alongside a rogue cryptbase.dll. When users launched the application, Windows automatically loaded the malicious DLL from the application directory before checking the system path — a classic DLL sideloading attack. This kicked off a five-stage, in-memory unpacking chain using reflective PE loading, XOR decryption, and layered bitwise transformations, ultimately deploying the STX RAT payload.

STX RAT provides attackers with Hidden VNC for remote desktop control, credential and session cookie harvesting from browsers and FTP clients, and the ability to execute PowerShell commands and shellcode on the compromised host. Its command-and-control channel uses X25519 key exchange with ChaCha20-Poly1305 encryption over TCP, communicating with the domain welcome.supp0v3.com.

Why It Matters

CPU-Z and HWMonitor are among the most widely used hardware diagnostics tools in the world — downloaded by system administrators, PC builders, overclockers, and IT professionals every day. A watering hole attack on the official distribution site is particularly effective because the software is typically downloaded with elevated trust. Users don't expect to get malware from the vendor's own website. The DLL sideloading technique also means the legitimate executable retains its valid digital signature, so traditional "is this signed?" checks wouldn't catch it. Any organization whose staff downloaded CPUID tools during the six-hour window needs to treat those machines as compromised.

Who Is Affected

  • Anyone who downloaded CPU-Z, HWMonitor, HWMonitor Pro, or PerfMonitor 2 from cpuid.com between approximately April 9 15:00 UTC and April 10 10:00 UTC
  • IT professionals and system administrators who routinely use these tools for hardware diagnostics
  • Organizations that allow direct downloads of utility software without centralized software distribution controls

How to Protect Yourself

1. Check if you downloaded CPUID software during the attack window

If you downloaded any CPUID tool between April 9 and April 10, verify the SHA-256 hash of your installer against the official hashes published by CPUID after remediation.

# Windows: check file hash
Get-FileHash -Algorithm SHA256 "C:\path\to\cpu-z_installer.exe"

2. Hunt for the malicious DLL on your systems

The trojanized packages drop a rogue cryptbase.dll in the application directory. A legitimate cryptbase.dll should only exist in System32:

# Find cryptbase.dll outside of System32
Get-ChildItem -Path C:\ -Filter "cryptbase.dll" -Recurse -ErrorAction SilentlyContinue |
  Where-Object { $_.DirectoryName -notlike "*System32*" -and $_.DirectoryName -notlike "*SysWOW64*" }

If found in any application directory, the machine is compromised.

# Linux (if tools were run via Wine or similar); Wine prefixes use lowercase system32/syswow64, so match case-insensitively
find / -iname "cryptbase.dll" ! -ipath "*/system32/*" ! -ipath "*/syswow64/*" 2>/dev/null
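Steps 1 and 2 can be combined into one cross-platform triage script. The following is an added example, not code from CPUID, Cyderes, Kaspersky or the source article: it verifies a file's SHA-256 against a vendor-published value and walks a directory tree looking for cryptbase.dll outside System32/SysWOW64, flagging any copy that sits beside a CPUID executable (the layout the trojanized packages used). The executable name prefixes, the demo directory layout and its file contents are constructed assumptions for demonstration; the expected hash must come from CPUID's post-remediation list.

```python
"""Triage helper for the CPUID trojanized-download incident (added example, not vendor code)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Directory names where a cryptbase.dll legitimately lives (Windows and Wine prefixes).
SYSTEM_DIR_MARKERS = ("system32", "syswow64")


def sha256_of(path):
    """Stream the file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_hash(path, expected_hex):
    """True only if the file's SHA-256 equals the vendor-published value (case-insensitive)."""
    return sha256_of(path).lower() == expected_hex.strip().lower()


def is_system_dir(directory):
    """True if any path component is a known system DLL directory."""
    parts = {p.lower() for p in Path(directory).parts}
    return any(marker in parts for marker in SYSTEM_DIR_MARKERS)


def looks_like_cpuid_exe(name):
    """Assumed naming: CPUID binaries start with cpuz / hwmonitor / perfmonitor."""
    n = name.lower()
    return n.endswith(".exe") and n.startswith(("cpuz", "hwmonitor", "perfmonitor"))


def hunt_cryptbase(root):
    """Return (dll_path, beside_cpuid_exe) for every cryptbase.dll outside a system directory."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        lowered = {name.lower() for name in filenames}
        if "cryptbase.dll" not in lowered or is_system_dir(dirpath):
            continue
        beside_cpuid = any(looks_like_cpuid_exe(n) for n in filenames)
        dll_name = next(n for n in filenames if n.lower() == "cryptbase.dll")
        findings.append((os.path.join(dirpath, dll_name), beside_cpuid))
    return findings


def build_demo_tree():
    """Constructed directory layout for demonstration; the contents are placeholders, not real artifacts."""
    root = Path(tempfile.mkdtemp(prefix="cpuid_triage_"))
    layout = {
        "Windows/System32/cryptbase.dll": b"benign system copy (constructed)",
        "Program Files/CPUID/CPU-Z/cpuz_x64.exe": b"signed executable (constructed)",
        "Program Files/CPUID/CPU-Z/cryptbase.dll": b"rogue dll beside cpuid exe (constructed)",
        "Users/alice/Downloads/other/cryptbase.dll": b"stray dll, no cpuid exe (constructed)",
    }
    for rel, content in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root


def run_demo():
    """Run the hunt and the hash check over the constructed tree; returns results for inspection."""
    root = build_demo_tree()
    findings = [(Path(p).relative_to(root).as_posix(), flag) for p, flag in hunt_cryptbase(root)]
    exe = root / "Program Files/CPUID/CPU-Z/cpuz_x64.exe"
    published = sha256_of(exe)  # stands in for the value CPUID publishes
    return {
        "findings": sorted(findings),
        "hash_matches_published": verify_hash(exe, published),
        "hash_matches_wrong": verify_hash(exe, "00" * 32),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

On a real host, call hunt_cryptbase on each drive root (or each Wine prefix) and verify_hash on the installer you actually ran; a finding with the second element True is the strongest indicator and should be treated as a compromised machine per step 2.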

3. Block the known C2 infrastructure

Add these to your firewall, DNS sinkhole, or threat intelligence platform:

  • Domain: welcome.supp0v3.com
  • Check the published IoC lists from Cyderes and Kaspersky for additional IPs and URLs
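Blocking the domain is one half of step 3; the other is sweeping DNS or proxy logs for hosts that already resolved it. The following added example (not from the source article or any vendor) does that over a few constructed log lines in an assumed "timestamp client query qname type" format. It matches the IoC domain and any subdomain of it, but deliberately not unrelated names that merely contain it as a substring, and reports which internal clients queried it; extend C2_DOMAINS with the IoC lists from Cyderes and Kaspersky.

```python
"""Sweep DNS query logs for the STX RAT C2 domain (added example, not vendor code)."""
import re
from collections import Counter

# The C2 domain named in the advisory; append further IoCs from the published lists.
C2_DOMAINS = {"welcome.supp0v3.com"}

# Assumed log layout: "<timestamp> <client-ip> query <qname> <type>"; adjust for your resolver.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+query\s+(?P<qname>\S+)")

# Constructed sample log, not real telemetry.
SAMPLE_LOG = """\
2026-04-09T16:02:11Z 10.20.30.41 query welcome.supp0v3.com. A
2026-04-09T16:02:12Z 10.20.30.41 query www.cpuid.com. A
2026-04-09T16:05:40Z 10.20.30.77 query beacon.welcome.supp0v3.com. A
2026-04-09T16:06:01Z 10.20.30.90 query welcome.supp0v3.com.example.net. A
2026-04-09T16:07:13Z 10.20.30.41 query WELCOME.SUPP0V3.COM A
this line is malformed and must be skipped, not crash the sweep
"""


def normalize(name):
    """Lower-case and drop the trailing dot so FQDN and relative forms compare equal."""
    return name.strip().rstrip(".").lower()


def matches_ioc(qname, iocs=C2_DOMAINS):
    """True if qname is an IoC domain or a subdomain of one; never a bare substring match."""
    q = normalize(qname)
    return any(q == d or q.endswith("." + d) for d in iocs)


def sweep(lines, iocs=C2_DOMAINS):
    """Return (client, qname, timestamp) for every query that hits an IoC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the sweep
        if matches_ioc(m["qname"], iocs):
            hits.append((m["client"], normalize(m["qname"]), m["ts"]))
    return hits


def affected_hosts(lines, iocs=C2_DOMAINS):
    """Count IoC queries per client so responders know which machines to isolate first."""
    return Counter(client for client, _qname, _ts in sweep(lines, iocs))


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG.splitlines()):
        print("HIT", *hit)
    print(dict(affected_hosts(SAMPLE_LOG.splitlines())))
```

Any client that appears in affected_hosts during or after the attack window should go through steps 2 and 4 regardless of whether the rogue DLL is still on disk.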

4. Rotate credentials on affected machines

STX RAT harvests browser-stored passwords, session cookies, and FTP credentials. If a machine is confirmed compromised:

  • Reset all passwords stored in browsers
  • Invalidate active sessions for cloud services, email, and admin panels
  • Rotate any API keys or tokens accessible from the machine

5. Redownload CPUID tools from the remediated site

CPUID has confirmed the breach is fixed. Download fresh copies and verify hashes before deploying.

Source

CPUID Breach Distributes STX RAT via Trojanized CPU-Z and HWMonitor Downloads — The Hacker News