CPUID Website Compromise Turns CPU-Z Downloads into STX RAT Malware Vector

CyberSecureFox

For a brief period in April, the official CPUID website (cpuid[.]com) – home to widely used hardware monitoring tools such as CPU-Z, HWMonitor, HWMonitor Pro and PerfMonitor – was compromised and used to distribute a remote access trojan. Users who believed they were downloading legitimate utilities instead received trojanized installers delivering the STX RAT malware.

CPUID website compromise and fake CPU-Z / HWMonitor downloads

According to CPUID and multiple security vendors, the incident occurred between approximately 9 April 15:00 UTC and 10 April 10:00 UTC. During this window, official download links for CPU-Z and HWMonitor on the CPUID site intermittently redirected visitors to attacker‑controlled infrastructure hosting malicious installers.

CPUID stated via its official X (Twitter) account that the breach was linked to a compromise of a secondary API function. A vulnerability in this auxiliary component allowed attackers to inject malicious download URLs at random into the main site. Importantly, CPUID reports that its original signed binaries distributed through other channels were not altered, underscoring that the attack focused on web delivery, not the build pipeline itself.

This approach is a textbook example of a watering‑hole attack: compromising a trusted, high‑traffic site frequented by a specific audience (in this case, power users, gamers and IT professionals) in order to silently deliver malware.

Trojanized installers and DLL sideloading attack chain

Research from Kaspersky indicates that attackers distributed fake CPU-Z and HWMonitor installers both as ZIP archives and standalone EXE files. Each package contained the legitimate, correctly signed executable for the tool, accompanied by a malicious library named CRYPTBASE.dll.

This naming is critical. On Windows, many applications search for required DLLs in the same directory as the EXE before loading system copies. By placing a rogue CRYPTBASE.dll next to the authentic CPU-Z or HWMonitor binary, the attackers leveraged DLL sideloading: the trusted application unknowingly loads the attacker’s DLL instead of the real system library, granting the malware the same trust level as the legitimate process.

Before deploying its main payload, the malicious DLL performs several anti‑sandbox and anti‑analysis checks to detect virtualized or research environments. Only if these checks pass does it establish a connection to the attackers’ command‑and‑control (C2) server, retrieve additional modules, and ultimately install the STX RAT remote access trojan on the victim system.

STX RAT malware: remote access, HVNC and post‑exploitation power

Analysis published by eSentire describes STX RAT as a feature‑rich remote access trojan (RAT) that also functions as an information stealer. One of its most notable capabilities is HVNC (Hidden VNC), which allows attackers to control a hidden desktop session on the victim’s machine without visible windows or cursor movement, making activity extremely difficult for users to notice.

Beyond HVNC, STX RAT supports extensive post‑exploitation functionality: in‑memory execution of EXE, DLL and PowerShell payloads, shellcode injection, creation of reverse proxies and tunnels, file and credential theft, and interactive remote desktop control. Such capabilities enable attackers to perform lateral movement, data exfiltration, and deployment of additional malware (including ransomware) once initial access is established.

Infrastructure reuse and links to trojanized FileZilla campaigns

Researchers noted that this campaign reused the same C2 domains and connection configurations previously observed in attacks leveraging fake FileZilla installers. In those earlier cases, trojanized FileZilla distributions hosted on phishing sites also installed STX RAT, activity documented by Malwarebytes and others.

Kaspersky assesses this infrastructure reuse as a major operational security mistake by the attackers. By repeating the same infection chain and C2 domains, they made it significantly easier for defenders to correlate events, rapidly detect the CPUID watering‑hole attack, and block malicious traffic at the network level.

Incident scale, affected regions and victim profile

Kaspersky reports identifying more than 150 compromised systems linked to this incident. Most victims appear to be individual users, but impacted organizations span retail, manufacturing, consulting, telecommunications and agriculture sectors.

In terms of geography, infections were concentrated in Brazil, Russia and China, though the actual number of affected users is likely higher. The short exposure window, combined with the fact that many users do not regularly verify file integrity or digital signatures, means some infections may remain undetected.

Security lessons and protection against trojanized CPU-Z downloads

Compromises of official software sites and delivery channels are particularly dangerous because they undermine basic trust assumptions. Users typically view a download from an “official” domain as inherently safe, which is why such platforms are increasingly targeted in software supply‑chain and watering‑hole attacks.

To reduce the risk of infection from trojanized installers and similar CPU-Z malware scenarios, the following practices are recommended:

  • Download software only from official sites or verified mirrors, and avoid third‑party aggregators, warez portals or untrusted forums.
  • Verify digital signatures of installers and, where provided, check cryptographic hashes (e.g., SHA‑256) against values published by the vendor.
  • Deploy modern endpoint protection (EDR/NGAV) capable of detecting DLL sideloading, in‑memory execution and anomalous outbound connections.
  • Apply the principle of least privilege: run new tools without administrative rights whenever possible and restrict software installation rights.
  • Use application control or allow‑listing to limit which executables and DLLs can run in critical environments.
  • Keep operating systems and security tools fully patched and up to date, and monitor logs for uncommon process‑DLL combinations and unusual network destinations.
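As an added illustration (not code from the article, from CPUID or from the vendors cited), the following Python script applies two of these recommendations: it flags image-load telemetry in which a DLL carrying a Windows system library's name, such as CRYPTBASE.dll, is loaded from outside the system directories, and it checks a download's SHA-256 against a vendor-published value. The Sysmon-style records, file paths and the DLL names other than CRYPTBASE.dll are constructed assumptions.

```python
import hashlib
import hmac
from pathlib import PureWindowsPath

# DLL names that a legitimate process should only load from the Windows system
# directories. CRYPTBASE.dll is the name abused in the CPUID campaign; the other
# two are assumed examples of commonly sideloaded names, not from the article.
SYSTEM_DLLS = {"cryptbase.dll", "version.dll", "dwmapi.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed, Sysmon-style image-load records (not real telemetry).
SAMPLE_LOADS = [
    {"process": r"C:\Users\alice\Downloads\cpu-z\cpuz.exe",
     "image": r"C:\Users\alice\Downloads\cpu-z\CRYPTBASE.dll"},
    {"process": r"C:\Program Files\CPUID\CPU-Z\cpuz.exe",
     "image": r"C:\Windows\System32\cryptbase.dll"},
    {"process": r"C:\Users\alice\Downloads\hwmonitor\HWMonitor.exe",
     "image": r"C:\Users\alice\Downloads\hwmonitor\CRYPTBASE.dll"},
    {"process": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\version.dll"},
]

def is_sideload_candidate(record):
    """True when a system-named DLL is loaded from outside the system directories."""
    image = record["image"].lower()
    if PureWindowsPath(image).name not in SYSTEM_DLLS:
        return False
    return not image.startswith(SYSTEM_DIRS)

def find_sideloads(records):
    """Return suspicious loads, noting whether the DLL sits beside the loading EXE
    (the layout of the trojanized CPU-Z / HWMonitor packages)."""
    hits = []
    for r in records:
        if is_sideload_candidate(r):
            same_dir = (PureWindowsPath(r["image"].lower()).parent
                        == PureWindowsPath(r["process"].lower()).parent)
            hits.append({"process": r["process"], "dll": r["image"],
                         "beside_exe": same_dir})
    return hits

def verify_sha256(data, expected_hex):
    """Compare a downloaded file's SHA-256 with the vendor-published value."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_hex.strip().lower())
```

Running `find_sideloads(SAMPLE_LOADS)` reports the two CRYPTBASE.dll loads from the download folders and leaves the System32 loads alone.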

The CPUID incident illustrates that even long‑trusted utilities like CPU-Z and HWMonitor can be abused as delivery vehicles for sophisticated threats such as STX RAT. Relying on brand reputation alone is no longer sufficient; organizations and individual users alike need to combine source verification, cryptographic checks and behavior‑based monitoring to catch malicious tampering early. Strengthening download processes, tightening endpoint defenses and raising security awareness around “free” utilities are essential steps in reducing exposure to future watering‑hole and supply‑chain attacks.
