CPUID Website Hijacked in Supply Chain Attack to Distribute STX RAT Infostealer

Executive Summary

Between April 9 and April 10, 2026, the official website of CPUID, developer of the popular CPU-Z and HWMonitor utilities, was compromised in a sophisticated supply chain attack. For a period of 6 to 19 hours, attackers manipulated a website API to redirect download links to malicious infrastructure. Users downloading the software received trojanized installers bundled with a malicious DLL. This led to the deployment of STX RAT, an information-stealing Remote Access Trojan, via a DLL side-loading technique. The campaign leveraged a watering hole attack methodology and reused command-and-control (C2) infrastructure from a previous campaign, which aided in its discovery. Security researchers at Kaspersky identified over 150 victims globally, highlighting the significant risk of supply chain attacks against trusted software vendors.

Threat Overview

The attack was a classic watering hole incident where a trusted website, cpuid.com, was used to distribute malware. Instead of modifying the legitimate, signed executables, the attackers compromised a "secondary feature (basically a side API)" on the CPUID website. This API was responsible for providing download links to users. The attackers altered the API's response to point to attacker-controlled infrastructure, including Cloudflare R2 storage and malicious domains. Users who clicked the official download buttons were unknowingly redirected to download a malicious software package. The package appeared legitimate but contained a hidden malicious component designed to initiate an infection upon execution.

Technical Analysis

The infection chain was multi-staged and designed for stealth. The attackers used DLL side-loading, a technique where a legitimate application is tricked into loading a malicious DLL file.

1. Initial Vector: The user downloads a trojanized installer for CPU-Z or HWMonitor from the compromised cpuid.com site.
2. Execution: The installer package contains the legitimate, signed 64-bit executable for the utility and a malicious DLL named CRYPTBASE.dll placed in the same directory.
3. Side-Loading: When the user runs the legitimate executable (e.g., cpu-z_x64.exe), the Windows loader searches for CRYPTBASE.dll in the application's directory first. It finds and loads the malicious version instead of the legitimate system DLL located in System32. This is an example of T1574.002 - Hijack Execution Flow: DLL Side-Loading.
4. Infection Chain: The malicious CRYPTBASE.dll initiates a multi-stage, in-memory infection process to evade detection by antivirus products. This likely involves process hollowing or other in-memory injection techniques.
5. Payload Deployment: The final payload, STX RAT, is loaded into memory. STX RAT is an infostealer with capabilities to harvest sensitive data, including:
   • Browser credentials and cookies
   • Cryptocurrency wallets
   • FTP client credentials (e.g., FileZilla)

The attackers made operational security mistakes by reusing C2 infrastructure and infection chains from a March 2026 campaign that distributed fake FileZilla installers, which allowed researchers to connect the activities and identify the threat more quickly.

MITRE ATT&CK Mapping

• T1190 - Exploit Public-Facing Application: The attackers compromised a web API on the public-facing CPUID website.
• T1588.002 - Obtain Capabilities: Tool: The attackers trojanized legitimate software tools (CPU-Z, HWMonitor) for distribution.
• T1574.002 - Hijack Execution Flow: DLL Side-Loading: The core technique used to execute the initial malicious code via CRYPTBASE.dll.
• T1055 - Process Injection: The in-memory infection chain likely uses a form of process injection to run the final payload.
• T1566.002 - Phishing: Spearphishing Link: While not spearphishing, the compromised links on a trusted site serve a similar function.
• T1105 - Ingress Tool Transfer: The trojanized installer is downloaded to the victim's machine.
• T1543.003 - Create or Modify System Process: Windows Service: RATs like STX often establish persistence by creating a malicious service.

Impact Assessment

The attack had a global reach, with Kaspersky identifying over 150 victims. The majority of infections were located in Brazil, Russia, and China. While most victims were individuals, the attack also impacted organizations across various sectors, including retail, manufacturing, consulting, telecommunications, and agriculture. The primary impact is data theft, which can lead to financial loss, account takeovers, and further intrusions into personal or corporate networks. The compromise of a trusted software vendor like CPUID erodes user trust and demonstrates the systemic risk posed by supply chain vulnerabilities.

IOCs

Cyber Observables for Detection

Detection & Response

Security teams should proactively hunt for signs of this compromise.

1. Network Log Analysis: Review firewall, DNS, and web proxy logs for any connections to the IOC domains listed above, particularly between April 9 and April 10, 2026.
2. Endpoint Detection: Use EDR solutions to search for instances of CRYPTBASE.dll located outside of the legitimate C:\Windows\System32 directory. Specifically, look for this DLL in folders containing cpu-z.exe or hwmonitor.exe.
3. Process Monitoring: Hunt for executions of cpu-z_x64.exe or hwmonitor_x64.exe that spawn suspicious child processes or make network connections to non-CPUID domains. This can be achieved using D3-PA: Process Analysis.
4. File Hashing: If you have downloaded CPU-Z or HWMonitor during the incident window, compare the file hashes of the installers and executables against known good versions from a trusted repository. This aligns with D3-FH: File Hashing.

Mitigation

Organizations and individuals should take the following steps to mitigate this and similar threats:

1. Verify Software Integrity: Whenever possible, verify the digital signature of downloaded software before execution. Although the legitimate executables in this attack were signed, the presence of an unsigned malicious DLL in the package is a major red flag.
2. Use Application Control: Implement application control solutions, such as Windows Defender Application Control, to restrict the execution of unauthorized or unsigned DLLs. This corresponds to D3-EAL: Executable Allowlisting.
3. Network Egress Filtering: Block outbound traffic to known malicious domains and consider restricting connections to unusual TLDs or newly registered domains from non-browser processes. This is a form of D3-OTF: Outbound Traffic Filtering.
4. Remove and Reinstall: If you downloaded CPU-Z or HWMonitor between April 9 and April 10, 2026, assume compromise. Remove the software, run a full antivirus scan, and then reinstall a fresh version downloaded after the incident was resolved.