CPUID Supply Chain Attack: STX RAT Delivered via Trojanized CPU-Z and HWMonitor Downloads

Between April 9, 15:00 UTC and April 10, 10:00 UTC — a window of just 19 hours — unknown threat actors compromised a side API on cpuid.com, the official home of popular hardware monitoring tools CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor. The attackers silently replaced legitimate download links with pointers to malicious executables, deploying a sophisticated remote access trojan called STX RAT to unsuspecting users who downloaded what they believed were clean, trusted utilities.

This was not a compromise of the signed original files — CPUID’s binaries remained intact. Instead, attackers targeted the distribution chain itself, poisoning the download URLs that millions of users rely on. It is a textbook supply chain attack: trust the source, corrupt the delivery.

What Happened: The Breach Timeline

The attack window lasted approximately 19 hours. Here is what transpired:

  • April 9, ~15:00 UTC — Attackers compromise a secondary API used by cpuid.com to serve download links
  • April 9-10 — Download links for CPU-Z and HWMonitor silently redirect to attacker-controlled Cloudflare R2 storage serving malicious executables
  • April 10, morning — Reddit users begin reporting suspicious downloads; the malicious file (HWiNFO_Monitor_Setup) is flagged due to a Russian-language Inno Setup installer
  • April 10, ~10:00 UTC — CPUID detects the breach and restores clean download links
  • April 10 onwards — Kaspersky, eSentire, vxunderground, and Breakglass Intelligence publish analyses

A secondary feature (basically a side API) was compromised for approximately six hours between April 9 and April 10, causing the main website to randomly display malicious links. Our signed original files were not compromised. — CPUID Statement

Notably, the main developer was on holiday when the attack occurred — a detail that may have delayed detection.

How the Attack Worked: Technical Breakdown

Stage 1 — Poisoned Downloads

The malicious packages were distributed as ZIP archives and standalone installers for CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor. Each package contained two components:

  • A legitimate, digitally signed executable for the real software (to avoid suspicion)
  • A malicious DLL named CRYPTBASE.dll planted in the same directory

Stage 2 — DLL Sideloading

When the user launches the signed executable, Windows automatically loads CRYPTBASE.dll from the application directory before searching system paths — a technique known as DLL sideloading. The malicious DLL is loaded with the same trust level as the legitimate application.

This malware is deeply trojanized, performs file masquerading, is multi-staged, operates almost entirely in-memory, and proxies NTDLL functionality from a .NET assembly. — vxunderground

Stage 3 — Anti-Sandbox Evasion

Before establishing C2 communication, CRYPTBASE.dll performs a series of anti-sandbox checks. If it detects a sandboxed or analysis environment, it stops execution silently — frustrating automated malware analysis and delaying detection.

Stage 4 — C2 Connection and STX RAT Deployment

Once anti-sandbox checks pass, the DLL connects to the C2 server at 95.216.51[.]236 and downloads the final payload: STX RAT.

What is STX RAT?

STX RAT is a sophisticated remote access trojan first documented by eSentire in early 2026. Its capabilities include:

  • HVNC (Hidden Virtual Network Computing) — full remote desktop control invisible to the victim
  • In-memory execution — runs EXE, DLL, PowerShell and shellcode entirely in memory to evade disk-based detection
  • Reverse proxy and tunneling — routes attacker traffic through the victim machine
  • Infostealer module — harvests credentials, browser data, cookies, and saved passwords
  • Broad command set — file operations, process management, keylogging, screenshot capture
  • Follow-on payload execution — downloads and runs additional malware stages

The C2 address (95.216.51[.]236) was previously seen in a March 2026 campaign using trojanized FileZilla installers — this infrastructure reuse enabled attribution of both campaigns to the same threat actor.

Threat Actor Profile

Breakglass Intelligence assesses this as part of a 10-month campaign that began in July 2025, and characterises the threat actor as:

  • Russian-speaking — linguistic artifacts in the installer confirm this
  • Financially motivated or an Initial Access Broker (IAB) — selling compromised access to other threat actors
  • Operationally immature — C2 and domain reuse from previous campaigns was “the gravest mistake” enabling rapid detection, per Kaspersky

Despite OPSEC failures, the technical sophistication of STX RAT — in-memory execution, HVNC, NTDLL proxying — represents advanced tradecraft.

Victims and Impact

Kaspersky identified more than 150 confirmed victims from this campaign:

  • Primary victims: Individual users — PC enthusiasts, overclockers, and tech users who regularly use hardware monitoring tools
  • Organizational victims: Companies in retail, manufacturing, consulting, telecommunications, and agriculture
  • Geographic distribution: Primarily Brazil, Russia, and China

The true number may be higher given the 19-hour window and the millions of users who rely on CPU-Z and HWMonitor.

Indicators of Compromise (IOCs)

Malicious Files

  • File named CRYPTBASE.dll in the CPU-Z or HWMonitor installation directory
  • File named HWiNFO_Monitor_Setup downloaded from cpuid.com (not from the legitimate HWiNFO developer)
  • ZIP archives or installers for CPUID tools downloaded between April 9-10, 2026
  • VirusTotal hash: eff5ece65fb30b21a3ebc1ceb738556b774b452d13e119d5a2bfb489459b4a46

Network IOCs

  • C2 server: 95.216.51[.]236
  • Outbound connections from CPU-Z or HWMonitor processes (these tools should never make network connections)
  • Connections to Cloudflare R2 storage from installer processes

Behavioral IOCs

  • CPU-Z or HWMonitor spawning child processes
  • HVNC activity — hidden desktop sessions
  • In-memory PE injection from legitimate signed processes
  • NTDLL proxy calls from .NET assemblies
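The following detection logic is added here as an illustration and is not code from the original post or from any vendor's tooling. It runs the DLL-sideloading behaviour described in Stage 2 and the network and behavioral IOCs above over a few constructed Sysmon-style events (ImageLoaded, NetworkConnect and ProcessCreate). The key=value line format, the CPUID process image names and the sample events are assumptions; only the C2 address and the CRYPTBASE.dll name come from the post.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the post (C2 address, sideloaded DLL name); the image names are an assumption.
C2_ADDRESSES = {"95.216.51.236"}
SIDELOAD_DLL = "cryptbase.dll"
CPUID_IMAGES = {"cpuz.exe", "cpuz_x64.exe", "hwmonitor.exe", "hwmonitor_x64.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Parse one key=value line (a constructed flattening of Sysmon fields)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def basename(path):
    return PureWindowsPath(path).name.lower()

def check_event(ev):
    """Return alert strings for one event; an empty list means nothing matched."""
    alerts, eid, image = [], ev.get("EventID"), basename(ev.get("Image", ""))
    if eid == "7":  # Sysmon ImageLoaded: a DLL mapped into a process
        loaded = ev.get("ImageLoaded", "")
        if basename(loaded) == SIDELOAD_DLL and not loaded.lower().startswith(SYSTEM_DIRS):
            alerts.append(f"sideload: {image} loaded {loaded} from outside the system directory")
    elif eid == "3":  # Sysmon NetworkConnect
        dst = ev.get("DestinationIp", "")
        if dst in C2_ADDRESSES:
            alerts.append(f"c2: {image} connected to known C2 {dst}")
        elif image in CPUID_IMAGES:
            alerts.append(f"network: {image} made an outbound connection to {dst}")
    elif eid == "1":  # Sysmon ProcessCreate
        parent = basename(ev.get("ParentImage", ""))
        if parent in CPUID_IMAGES:
            alerts.append(f"child: {parent} spawned {image}")
    return alerts

def scan_log(lines):
    return [a for line in lines for a in check_event(parse_event(line))]

# Constructed sample events, not telemetry from a real infection.
SAMPLE_LOG = [
    'EventID=7 Image="C:\\Tools\\cpu-z\\cpuz_x64.exe" ImageLoaded="C:\\Tools\\cpu-z\\CRYPTBASE.dll"',
    'EventID=7 Image="C:\\Windows\\explorer.exe" ImageLoaded="C:\\Windows\\System32\\cryptbase.dll"',
    'EventID=3 Image="C:\\Tools\\cpu-z\\cpuz_x64.exe" DestinationIp=95.216.51.236 DestinationPort=443',
    'EventID=1 Image="C:\\Windows\\System32\\cmd.exe" ParentImage="C:\\Tools\\cpu-z\\cpuz_x64.exe"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The second sample event (the genuine cryptbase.dll under System32) is there to show the sideload rule does not fire on normal loads.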

Immediate Actions for Affected Users

  1. Check your download date — If you downloaded CPU-Z or HWMonitor between April 9, 15:00 UTC and April 10, 10:00 UTC, assume you are compromised
  2. Scan immediately — Run a full scan with an updated AV. Check VirusTotal for the hash of your installer
  3. Check for CRYPTBASE.dll — Look in your CPU-Z and HWMonitor installation directories. Its presence confirms compromise
  4. Rotate credentials — Change all passwords, revoke browser-saved credentials, rotate API keys and SSH keys
  5. Check for persistence — Look for new scheduled tasks, registry run keys, and startup entries created around April 9-10
  6. Re-download from official source — Download clean versions from cpuid.com and verify hashes
  7. Monitor for HVNC — Check for hidden desktop sessions and unusual RDP or VNC activity
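As an added example (not code from the post or from CPUID), the script below automates steps 2, 3 and 6 of the list above against the Malicious Files IOCs: it walks install directories, hashes every file, and flags a hash match against the SHA-256 listed in the IOC section, a CRYPTBASE.dll sitting beside the application, or an installer named HWiNFO_Monitor_Setup. The post does not give default install paths, so the script takes directories as arguments and otherwise runs on a constructed demo tree.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

# Indicators as listed in the post's IOC section (names are compared case-insensitively).
IOC_SHA256 = "eff5ece65fb30b21a3ebc1ceb738556b774b452d13e119d5a2bfb489459b4a46"
SIDELOAD_DLL = "cryptbase.dll"
INSTALLER_PREFIX = "hwinfo_monitor_setup"

def sha256_of(path, chunk=1 << 20):
    """Stream-hash a file so a large installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage(directories):
    """Walk the directories and return (path, reason, sha256) for every IOC match."""
    findings = []
    for d in directories:
        for p in Path(d).rglob("*"):
            if not p.is_file():
                continue
            name, digest = p.name.lower(), sha256_of(p)
            if digest == IOC_SHA256:
                findings.append((str(p), "hash matches published IOC", digest))
            elif name == SIDELOAD_DLL:
                # The genuine DLL lives under the Windows system directory; a copy next to the app is the sideload sign.
                findings.append((str(p), "sideload DLL in application directory", digest))
            elif name.startswith(INSTALLER_PREFIX):
                findings.append((str(p), "installer name from IOC list", digest))
    return findings

def verify_download(path, expected_sha256):
    """Step 6 of the post: check a re-downloaded file against the vendor-published hash."""
    return sha256_of(path) == expected_sha256.lower()

def build_demo_tree():
    """Constructed sample install directory (placeholder bytes, not malware) for a dry run."""
    base = Path(tempfile.mkdtemp(prefix="cpuid_triage_"))
    (base / "cpuz_x64.exe").write_bytes(b"MZ placeholder for the signed binary")
    (base / "CRYPTBASE.dll").write_bytes(b"MZ placeholder for the planted DLL")
    (base / "readme.txt").write_bytes(b"clean file")
    return base

if __name__ == "__main__":
    for path, reason, digest in triage(sys.argv[1:] or [build_demo_tree()]):
        print(f"{reason}: {path} sha256={digest}")
```

Run it with the real CPU-Z and HWMonitor install directories as arguments; the digest printed for each finding is what you paste into VirusTotal for step 2.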

The Broader Pattern: Software Distribution as an Attack Vector

The CPUID attack is the latest in an accelerating campaign targeting trusted software distribution channels. This same threat actor previously targeted:

  • 7-Zip (February 2026) — fake downloads turning home PCs into proxy nodes
  • FileZilla (March 2026) — fake download site distributing STX RAT
  • CPUID (April 2026) — compromised official site API

The pattern is clear: attackers are targeting the moment of software download, when users are seeking trusted tools and their guard is down. Unlike phishing, which has to deceive the user, supply chain attacks exploit legitimate trust in known software vendors.

For defenders, hash verification before execution is no longer optional for software obtained from the internet — even from official vendor sites.

Written by Tarang Parmar (CEH) — TheCyberSecurity.Network. Last updated: April 13, 2026.