Hackers Hijacked CPUID's Website to Push Trojanized CPU-Z and HWMonitor Installers Loaded with STX Remote Access Trojan

Hackers briefly compromised CPUID's website to replace CPU-Z and HWMonitor download links with trojanized installers that deployed STX RAT via DLL side-loading — affecting over 150 victims globally.

Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA Region6 min read
Illustration of a trojanized software supply chain attack showing malicious DLL injection through a compromised hardware monitoring tool installer distributing STX RAT

Illustration of a trojanized software supply chain attack showing malicious DLL injection through a compromised hardware monitoring tool installer distributing STX RAT

A brief but consequential supply chain attack struck CPUID — the developer behind widely-used hardware monitoring utilities CPU-Z, HWMonitor, HWMonitor Pro and PerfMonitor — on 9 April 2026, when unknown threat actors compromised the company's website and replaced legitimate software download links with links to malware-laced installers.

The incident lasted approximately 19 hours, running from 15:00 UTC on April 9 to 10:00 UTC on April 10, before CPUID detected and remediated the compromise. During that window, any enterprise IT administrator, system engineer or end user who downloaded CPU-Z or HWMonitor from the official site received a trojanized installer designed to silently deploy STX RAT — a sophisticated remote access trojan with broad capabilities for persistent system control and data theft.

How the Attack Was Executed

CPUID confirmed via a post on X that the breach stemmed from a compromise of a secondary API feature that caused the main site to intermittently display malicious download links. Critically, the attackers did not tamper with CPUID's original signed executables — a deliberate choice that helped evade detection at the download verification layer.

According to analysis published by Kaspersky, the trojanized files were distributed in two formats: as ZIP archives and as standalone installers. Both variants contained a genuine, legitimately signed CPUID executable alongside a malicious DLL file named CRYPTBASE.dll.

The choice of filename is deliberate and technically significant. By naming the malicious library CRYPTBASE.dll — a legitimate Windows system DLL — the attackers leveraged a well-documented technique called DLL side-loading, in which a trusted application is tricked into loading a malicious library instead of the legitimate system file it would normally call. Because the signed CPUID executable initiates the load, many endpoint detection tools do not flag the process as suspicious at launch.

Once loaded, the malicious DLL performs anti-sandbox checks to determine whether it is running in an analysis environment before proceeding, helping the payload evade automated threat analysis platforms. If the checks pass, the DLL contacts an external server and pulls down additional payloads, ultimately deploying STX RAT on the victim machine.

STX RAT: Capabilities Enterprise Security Teams Should Know

STX RAT is not a basic commodity trojan. Analysis from eSentire describes it as a fully-featured remote access tool with a broad command set, including Hidden Virtual Network Computing (HVNC) — enabling attackers to take full interactive control of the desktop without the user's knowledge; in-memory execution of EXE files, DLLs, PowerShell scripts and shellcode that bypasses disk-based detection; reverse proxy and tunnelling capabilities that allow attackers to use compromised machines as pivot points within enterprise networks; infostealer functionality targeting credential and data harvesting from the infected host; and follow-on payload delivery that allows the RAT to install additional malware after initial compromise.

For enterprise environments, the combination of HVNC and in-memory execution capabilities makes STX RAT particularly dangerous. An attacker with active STX RAT access can move laterally through a network, access internal systems and exfiltrate data — all without leaving standard file-based forensic traces.

Infrastructure Reuse Links to Earlier FileZilla Campaign

One of the most operationally significant findings from Kaspersky's investigation is that the command-and-control (C2) server address and connection configuration used in this attack were reused from a prior campaign — one that used trojanized FileZilla installers hosted on fake sites to deploy the same STX RAT payload, documented by Malwarebytes in early March 2026.

The malicious domains identified in this campaign are cahayailmukreatif.web[.]id, pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev, transitopalermo[.]com and vatrobran[.]hr. Security teams should block these domains immediately at firewall, DNS and proxy levels.

The reuse of the same infrastructure across two separate campaigns is an operational security failure on the threat actor's part — but it also confirms this is not a one-off incident. This actor is running a sustained campaign targeting users of trusted software tools. Kaspersky has confirmed more than 150 victims so far. While most are individuals, confirmed organisational victims span retail, manufacturing, consulting, telecommunications and agriculture sectors. The majority of infections are concentrated in Brazil, Russia and China, though the nature of watering hole attacks means geographic reach is not bounded by targeting intent — any enterprise whose IT staff downloaded the affected tools during the compromise window may be affected.

The Broader Threat: Watering Hole Attacks on Trusted Tooling

This incident is a textbook example of a watering hole attack — a technique in which threat actors compromise a legitimate, trusted website frequented by their intended targets rather than attacking targets directly. For enterprise security operations, watering hole attacks are among the hardest to defend against through user awareness alone, because the compromised site is the one employees have been trained to trust.

The CPUID tools affected — CPU-Z and HWMonitor — are among the most widely deployed hardware diagnostics utilities in enterprise IT environments globally. They are standard toolkit items for system administrators, IT support teams and operations staff. An attacker targeting enterprise IT personnel specifically would find few more efficient vectors than the official download page of a tool those personnel use routinely.

Enterprise security teams in the GCC and globally should treat this incident as a prompt to review several controls. On software download verification: even when downloading from a vendor's official website, file hash verification against a known-good baseline should be standard practice before execution in enterprise environments. CPUID confirmed its original signed files were not modified — hash comparison would have surfaced the discrepancy immediately. On endpoint telemetry for DLL side-loading: detection rules for DLL side-loading — particularly unexpected instances of CRYPTBASE.dll loaded by non-system processes — should be validated in your SIEM and EDR configuration. On network egress monitoring: STX RAT's C2 communication and tunnelling capabilities require outbound network connections, and strict outbound filtering and DNS monitoring remain effective detection layers for post-compromise activity. On incident response readiness: the 19-hour window of the CPUID compromise is short enough that many organisations may not have received threat intelligence alerts in time — ensure your threat intelligence feeds are live and your IR runbooks cover trojanized installer scenarios.

For ongoing GCC-focused threat intelligence coverage, visit MENA CyberWire. For enterprise security tooling analysis relevant to the region, explore Gulf SaaS Review.

Omar Al-Hakeem

Senior Cyber Threat Analyst | MENA Region

Omar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.