{"id":111,"date":"2026-04-13T08:00:00","date_gmt":"2026-04-13T08:00:00","guid":{"rendered":"https:\/\/thecybersecurity.network\/blog\/cpuid-supply-chain-attack-stx-rat-cpu-z-hwmonitor\/"},"modified":"2026-04-18T16:44:47","modified_gmt":"2026-04-18T16:44:47","slug":"cpuid-supply-chain-attack-stx-rat-cpu-z-hwmonitor","status":"publish","type":"post","link":"https:\/\/thecybersecurity.network\/blog\/cpuid-supply-chain-attack-stx-rat-cpu-z-hwmonitor\/","title":{"rendered":"CPUID Supply Chain Attack: STX RAT Delivered via Trojanized CPU-Z and HWMonitor Downloads"},"content":{"rendered":"\n<p>Between <strong>April 9, 15:00 UTC and April 10, 10:00 UTC<\/strong> \u2014 a window of just 19 hours \u2014 unknown threat actors compromised a side API on <strong>cpuid.com<\/strong>, the official home of popular hardware monitoring tools CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor. The attackers silently replaced legitimate download links with pointers to malicious executables, deploying a sophisticated remote access trojan called <strong>STX RAT<\/strong> to unsuspecting users who downloaded what they believed were clean, trusted utilities.<\/p>\n\n\n\n<p>This was not a compromise of the signed original files \u2014 CPUID\u2019s binaries remained intact. Instead, attackers targeted the distribution chain itself, poisoning the download URLs that millions of users rely on. It is a textbook supply chain attack: trust the source, corrupt the delivery.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What Happened: The Breach Timeline<\/h2>\n\n\n\n<p>The attack window lasted approximately <strong>19 hours<\/strong>. 
Here is what transpired:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>April 9, ~15:00 UTC<\/strong> \u2014 Attackers compromise a secondary API used by cpuid.com to serve download links<\/li><li><strong>April 9-10<\/strong> \u2014 Download links for CPU-Z and HWMonitor silently redirect to attacker-controlled Cloudflare R2 storage serving malicious executables<\/li><li><strong>April 10, morning<\/strong> \u2014 Reddit users begin reporting suspicious downloads; the malicious file (<code>HWiNFO_Monitor_Setup<\/code>) is flagged due to a Russian-language Inno Setup installer<\/li><li><strong>April 10, ~10:00 UTC<\/strong> \u2014 CPUID detects the breach and restores clean download links<\/li><li><strong>April 10 onwards<\/strong> \u2014 Kaspersky, eSentire, vxunderground, and Breakglass Intelligence publish analyses<\/li><\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>A secondary feature (basically a side API) was compromised for approximately six hours between April 9 and April 10, causing the main website to randomly display malicious links. Our signed original files were not compromised. \u2014 CPUID Statement<\/p><\/blockquote>\n\n\n\n<p>Notably, the main developer was on holiday when the attack occurred \u2014 a detail that may have delayed detection.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How the Attack Worked: Technical Breakdown<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Stage 1 \u2014 Poisoned Downloads<\/h3>\n\n\n\n<p>The malicious packages were distributed as ZIP archives and standalone installers for CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor. 
Each package contained two components:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>A <strong>legitimate, digitally signed<\/strong> executable for the real software (to avoid suspicion)<\/li><li>A malicious DLL named <strong><code>CRYPTBASE.dll<\/code><\/strong> planted in the same directory<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Stage 2 \u2014 DLL Sideloading<\/h3>\n\n\n\n<p>When the user launches the signed executable, Windows automatically loads <code>CRYPTBASE.dll<\/code> from the application directory before searching system paths \u2014 a technique known as <strong>DLL sideloading<\/strong>. The malicious DLL is loaded with the same trust level as the legitimate application.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>This malware is deeply trojanized, performs file masquerading, is multi-staged, operates almost entirely in-memory, and proxies NTDLL functionality from a .NET assembly. \u2014 vxunderground<\/p><\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Stage 3 \u2014 Anti-Sandbox Evasion<\/h3>\n\n\n\n<p>Before establishing C2 communication, <code>CRYPTBASE.dll<\/code> performs a series of <strong>anti-sandbox checks<\/strong>. If it detects a sandboxed or analysis environment, it stops execution silently \u2014 frustrating automated malware analysis and delaying detection.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Stage 4 \u2014 C2 Connection and STX RAT Deployment<\/h3>\n\n\n\n<p>Once anti-sandbox checks pass, the DLL connects to the C2 server at <strong>95.216.51[.]236<\/strong> and downloads the final payload: <strong>STX RAT<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is STX RAT?<\/h2>\n\n\n\n<p>STX RAT is a sophisticated remote access trojan first documented by eSentire in early 2026. 
Its capabilities include:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>HVNC (Hidden Virtual Network Computing)<\/strong> \u2014 full remote desktop control invisible to the victim<\/li><li><strong>In-memory execution<\/strong> \u2014 runs EXE, DLL, PowerShell and shellcode entirely in memory to evade disk-based detection<\/li><li><strong>Reverse proxy and tunneling<\/strong> \u2014 routes attacker traffic through the victim machine<\/li><li><strong>Infostealer module<\/strong> \u2014 harvests credentials, browser data, cookies, and saved passwords<\/li><li><strong>Broad command set<\/strong> \u2014 file operations, process management, keylogging, screenshot capture<\/li><li><strong>Follow-on payload execution<\/strong> \u2014 downloads and runs additional malware stages<\/li><\/ul>\n\n\n\n<p>The C2 address (<strong>95.216.51[.]236<\/strong>) was previously seen in a March 2026 campaign using trojanized FileZilla installers \u2014 this infrastructure reuse enabled attribution of both campaigns to the same threat actor.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Threat Actor Profile<\/h2>\n\n\n\n<p>Breakglass Intelligence assessed this as part of a <strong>10-month campaign<\/strong> starting July 2025. 
The threat actor is assessed to be:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Russian-speaking<\/strong> \u2014 linguistic artifacts in the installer confirm this<\/li><li><strong>Financially motivated or an Initial Access Broker (IAB)<\/strong> \u2014 selling compromised access to other threat actors<\/li><li><strong>Operationally immature<\/strong> \u2014 C2 and domain reuse from previous campaigns was \u201cthe gravest mistake\u201d enabling rapid detection, per Kaspersky<\/li><\/ul>\n\n\n\n<p>Despite OPSEC failures, the technical sophistication of STX RAT \u2014 in-memory execution, HVNC, NTDLL proxying \u2014 represents advanced tradecraft.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Victims and Impact<\/h2>\n\n\n\n<p>Kaspersky identified <strong>more than 150 confirmed victims<\/strong> from this campaign:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Primary victims<\/strong>: Individual users \u2014 PC enthusiasts, overclockers, and tech users who regularly use hardware monitoring tools<\/li><li><strong>Organizational victims<\/strong>: Companies in retail, manufacturing, consulting, telecommunications, and agriculture<\/li><li><strong>Geographic distribution<\/strong>: Primarily Brazil, Russia, and China<\/li><\/ul>\n\n\n\n<p>The true number may be higher given the 19-hour window and the millions of users who rely on CPU-Z and HWMonitor.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Indicators of Compromise (IOCs)<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Malicious Files<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>File named <code>CRYPTBASE.dll<\/code> in the CPU-Z or HWMonitor installation directory<\/li><li>File named <code>HWiNFO_Monitor_Setup<\/code> downloaded from cpuid.com (not from the legitimate HWiNFO developer)<\/li><li>ZIP archives or installers for CPUID tools downloaded between April 9-10, 2026<\/li><li>VirusTotal hash: <code>eff5ece65fb30b21a3ebc1ceb738556b774b452d13e119d5a2bfb489459b4a46<\/code><\/li><\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Network IOCs<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>C2 server: <strong>95.216.51[.]236<\/strong><\/li><li>Outbound connections from CPU-Z or HWMonitor processes (these tools should never make network connections)<\/li><li>Connections to Cloudflare R2 storage from installer processes<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Behavioral IOCs<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>CPU-Z or HWMonitor spawning child processes<\/li><li>HVNC activity \u2014 hidden desktop sessions<\/li><li>In-memory PE injection from legitimate signed processes<\/li><li>NTDLL proxy calls from .NET assemblies<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Immediate Actions for Affected Users<\/h2>\n\n\n\n<ol class=\"wp-block-list\"><li><strong>Check your download date<\/strong> \u2014 If you downloaded CPU-Z or HWMonitor between April 9, 15:00 UTC and April 10, 10:00 UTC, assume you are compromised<\/li><li><strong>Scan immediately<\/strong> \u2014 Run a full scan with an updated AV. Check VirusTotal for the hash of your installer<\/li><li><strong>Check for CRYPTBASE.dll<\/strong> \u2014 Look in your CPU-Z and HWMonitor installation directories. 
Its presence confirms compromise<\/li><li><strong>Rotate credentials<\/strong> \u2014 Change all passwords, revoke browser-saved credentials, rotate API keys and SSH keys<\/li><li><strong>Check for persistence<\/strong> \u2014 Look for new scheduled tasks, registry run keys, and startup entries created around April 9-10<\/li><li><strong>Re-download from official source<\/strong> \u2014 Download clean versions from <a href=\"https:\/\/www.cpuid.com\" rel=\"noopener noreferrer\">cpuid.com<\/a> and verify hashes<\/li><li><strong>Monitor for HVNC<\/strong> \u2014 Check for hidden desktop sessions and unusual RDP or VNC activity<\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">The Broader Pattern: Software Distribution as an Attack Vector<\/h2>\n\n\n\n<p>The CPUID attack is the latest in an accelerating campaign targeting trusted software distribution channels. This same threat actor previously targeted:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>7-Zip<\/strong> (February 2026) \u2014 fake downloads turning home PCs into proxy nodes<\/li><li><strong>FileZilla<\/strong> (March 2026) \u2014 fake download site distributing STX RAT<\/li><li><strong>CPUID<\/strong> (April 2026) \u2014 compromised official site API<\/li><\/ul>\n\n\n\n<p>The pattern is clear: attackers are targeting the moment of software download \u2014 when users seek trusted tools and their guard is down. 
Unlike phishing, which relies on deception, supply chain attacks exploit <em>legitimate trust<\/em> in known software vendors.<\/p>\n\n\n\n<p>For defenders, <strong>hash verification before execution<\/strong> is no longer optional for software obtained from the internet \u2014 even from official vendor sites.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">References<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/securelist.com\/tr\/cpu-z\/119365\/\" rel=\"noopener noreferrer\" target=\"_blank\">Kaspersky \u2014 CPUID Supply Chain Analysis<\/a><\/li><li><a href=\"https:\/\/www.esentire.com\/blog\/stx-rat-a-new-rat-in-2026-with-infostealer-capabilities\" rel=\"noopener noreferrer\" target=\"_blank\">eSentire \u2014 STX RAT Technical Analysis<\/a><\/li><li><a href=\"https:\/\/intel.breakglass.tech\/post\/cpuid-supply-chain-cryptbase-filezilla-c2-infrastructure\" rel=\"noopener noreferrer\" target=\"_blank\">Breakglass Intelligence \u2014 Campaign Attribution<\/a><\/li><li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/supply-chain-attack-at-cpuid-pushes-malware-with-cpu-z-hwmonitor\/\" rel=\"noopener noreferrer\" target=\"_blank\">BleepingComputer \u2014 CPUID Breach Report<\/a><\/li><li><a href=\"https:\/\/thehackernews.com\/2026\/04\/cpuid-breach-distributes-stx-rat-via.html\" rel=\"noopener noreferrer\" target=\"_blank\">The Hacker News \u2014 CPUID STX RAT Coverage<\/a><\/li><\/ul>\n\n\n\n<p><em>Written by Tarang Parmar (CEH) \u2014 TheCyberSecurity.Network. Read time: 9 min. Last updated: April 13, 2026.<\/em><\/p>\n\n\n","protected":false},"excerpt":{"rendered":"<p>Threat actors compromised a side API on cpuid.com and replaced download links for CPU-Z and HWMonitor with malicious executables deploying STX RAT \u2014 a sophisticated remote access trojan with HVNC and infostealer capabilities. The breach lasted 19 hours and affected users in retail, manufacturing and telecoms across Brazil, Russia and China. 
Here is the full technical breakdown.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[44],"tags":[39,38,36,20,40],"class_list":["post-111","post","type-post","status-publish","format-standard","hentry","category-supply-chain","tag-cybersecurity","tag-high","tag-malware","tag-supplychain","tag-threatintel"],"_links":{"self":[{"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/posts\/111","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/comments?post=111"}],"version-history":[{"count":2,"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/posts\/111\/revisions"}],"predecessor-version":[{"id":113,"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/posts\/111\/revisions\/113"}],"wp:attachment":[{"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/media?parent=111"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/categories?post=111"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/tags?post=111"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}