CPUID Website Hack: STX RAT Malware Distributed via Popular Hardware Monitoring Tools
Cybersecurity researchers have uncovered a sophisticated breach involving a CPUID website hack that weaponized legitimate download links to distribute a dangerous Remote Access Trojan (RAT).
Between 15:00 UTC on April 9 and approximately 10:00 UTC on April 10, attackers exploited a secondary API on the CPUID site.
During this window, users seeking essential hardware utilities were instead served malicious installers, effectively turning a trusted source of system information into a delivery vehicle for malware.
CPUID has since confirmed the breach, patched the vulnerability, and restored the integrity of its download pipeline.
The Anatomy of the Attack: How STX RAT Infiltrated Systems
The operation was meticulously engineered to bypass standard security checks. The malicious files were hosted on Cloudflare R2 storage, masking the origin of the threat.
Instead of the expected tools, users received a fraudulent HWiNFO installer named HWiNFO_Monitor_Setup, wrapped in a Russian Inno Setup installer.
The true danger lay in a technique known as DLL sideloading. The package contained a legitimately signed executable paired with a malicious library called CRYPTBASE.dll.
Once executed, this DLL performed stealthy anti-sandbox checks to ensure it wasn’t being analyzed by researchers before connecting to a command-and-control (C2) server.
The final payload was the STX RAT, an info-stealer capable of operating almost entirely within the system’s memory to evade traditional antivirus detection.
Affected Software Versions
Users should check their installation history for the following specific versions downloaded during the breach window:
- CPU-Z version 2.19
- HWMonitor Pro version 1.57
- HWMonitor version 1.63
- PerfMonitor version 2.04
If you downloaded these specific versions during the identified timeframe, was your antivirus software able to flag the installation, or did it slide through undetected?
Global Impact and Threat Actor Profiles
Data from Kaspersky suggests that more than 150 users were compromised. The victims spanned critical industries, including telecommunications, manufacturing, retail, and agriculture.
The attack primarily targeted users in China, Russia, and Brazil. On VirusTotal, the malicious ZIP file triggered alarms across 20 different antivirus engines, with detections labeling it as the Tedy or Artemis Trojan.
Independent verification by Igor’s Labs and vxunderground revealed a disturbing pattern. The C2 infrastructure used in this attack matches a March campaign that targeted FileZilla users.
This overlap suggests a singular, persistent threat actor is targeting developers and hardware enthusiasts by compromising the very tools they trust most.
Immediate Steps for Compromised Users
If you accessed any of the aforementioned tools between April 9 (15:00 UTC) and April 10 (10:00 UTC), your system should be considered compromised.
It is strongly recommended that you review the indicators of compromise (IoCs) provided by Kaspersky to identify malicious DLLs or unauthorized network connections.
CPUID has clarified that their original signed binaries were never modified and direct download URLs remained intact; only the API-driven links were tampered with.
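The review the article recommends, written out as a PowerShell triage script. This is an added example, not code from the article, CPUID or Kaspersky, and it does not contain Kaspersky's IoCs: it looks for the generic artefacts the article names (a CRYPTBASE.dll dropped outside the Windows system directories beside a host executable, the four affected product versions in the uninstall registry, and established outbound connections owned by processes running outside the usual program directories). The search roots, the uninstall key paths and the product-name patterns are assumptions; run it from an elevated PowerShell session.

```powershell
# Added triage example (not from the article, CPUID or Kaspersky). Assumptions:
# the drop locations, registry paths and product-name patterns below.

# 1. Legitimate CRYPTBASE.dll lives under the Windows system directories.
#    A copy anywhere else (beside a setup .exe in Downloads, Temp, ...) is suspect.
$systemDirs  = @('System32', 'SysWOW64', 'WinSxS') | ForEach-Object { Join-Path $env:WINDIR $_ }
$searchRoots = @($env:USERPROFILE, $env:TEMP, $env:ProgramData)   # assumption: typical drop locations

$suspiciousDlls = foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Filter 'CRYPTBASE.dll' -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $file = $_; -not ($systemDirs | Where-Object { $file.DirectoryName -like "$_*" }) } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # Executables sitting next to the DLL are the sideloading host candidates.
            $siblingExes = (Get-ChildItem -Path $_.DirectoryName -Filter '*.exe' -File -ErrorAction SilentlyContinue).Name -join ', '
            [pscustomobject]@{
                Path        = $_.FullName
                SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signature   = $sig.Status
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                SiblingExes = $siblingExes
                Modified    = $_.LastWriteTimeUtc
            }
        }
}

# 2. Installed versions the article lists as affected. A match is only a lead: the version
#    itself is not malicious, only copies fetched through the tampered API links were.
$affected = @{ 'CPU-Z' = '2.19'; 'HWMonitor Pro' = '1.57'; 'HWMonitor' = '1.63'; 'PerfMonitor' = '2.04' }
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$affectedInstalls = foreach ($entry in (Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue)) {
    foreach ($product in $affected.Keys) {
        if ($entry.DisplayName -like "$product*" -and "$($entry.DisplayVersion)" -like "$($affected[$product])*") {
            [pscustomobject]@{ Product = $entry.DisplayName; Version = $entry.DisplayVersion; Installed = $entry.InstallDate }
        }
    }
}

# 3. Established connections owned by processes running outside Windows / Program Files.
$trustedRoots = @($env:WINDIR, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$oddConnections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    $conn = $_
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    if ($proc -and $proc.Path -and -not ($trustedRoots | Where-Object { $proc.Path -like "$_*" })) {
        [pscustomobject]@{ Process = $proc.ProcessName; Path = $proc.Path; Remote = "$($conn.RemoteAddress):$($conn.RemotePort)" }
    }
}

'== CRYPTBASE.dll outside system directories ==';          $suspiciousDlls   | Format-Table -AutoSize
'== Affected product versions installed ==';               $affectedInstalls | Format-Table -AutoSize
'== Connections from processes outside trusted roots =='; $oddConnections   | Format-Table -AutoSize
```

Anything the script reports is a lead to cross-check against the hashes and network indicators in Kaspersky's IoC list, not proof of compromise on its own; the SHA256 column exists precisely so that a found DLL can be compared against published hashes.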
Do you believe that the rise of “trusted” software breaches makes it impossible to safely download utilities from the web today?
For those seeking more details on the timeline, the original report on the CPUID website hack via gHacks provides a comprehensive breakdown of the incident.
Understanding the Risks of Supply Chain Attacks
The CPUID incident is a textbook example of a supply chain attack. In these scenarios, attackers do not target the victim directly but instead compromise a third-party vendor or a piece of software that the victim already trusts.
By inserting malware into a legitimate update or download stream, hackers bypass the “perimeter” of a user’s security mindset. We trust the official website, so we trust the file.
To protect yourself from similar future breaches, always verify the digital signature of an executable before running it. While the attackers in the CPUID case used a signed executable to hide their DLL, checking the publisher’s certificate can still provide a layer of defense.
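The signature and checksum checks described here, combined into one PowerShell function. This is an added example, not CPUID's code: the function name, the installer file name and the publisher string are assumptions, and the expected SHA-256 must be obtained from the developer on a channel separate from the download page. Because the CPUID attack paired a validly signed executable with a malicious DLL, the function also reports DLLs shipped next to the installer that are not validly signed.

```powershell
# Added verification example (not CPUID's code). $ExpectedSha256 must come from the vendor
# over a channel separate from the download page; the file name in the usage line is a placeholder.
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$ExpectedSha256,   # published by the developer out-of-band
        [string]$ExpectedPublisher                         # substring expected in the signer's subject
    )

    $r = [ordered]@{ Path = $Path }

    # 1. Checksum: must equal the value the developer published on a separate channel.
    $r.ActualSha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $r.HashOk       = ($r.ActualSha256 -ieq $ExpectedSha256.Trim())

    # 2. Authenticode: Status must be Valid; NotSigned, HashMismatch and NotTrusted all fail.
    $sig           = Get-AuthenticodeSignature -FilePath $Path
    $r.Signature   = $sig.Status
    $r.Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $r.SignatureOk = ($sig.Status -eq 'Valid')

    # 3. Publisher: a valid signature from an unexpected publisher is still a red flag.
    $r.PublisherOk = if ($ExpectedPublisher) { $r.Signer -like "*$ExpectedPublisher*" } else { $r.SignatureOk }

    # 4. Sideloading caveat: a signed host .exe can still load a DLL from its own directory,
    #    so report any DLLs next to the installer that are not validly signed.
    $dir = Split-Path -Parent (Resolve-Path -Path $Path).Path
    $r.UnsignedSiblingDlls = @(Get-ChildItem -Path $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid' } |
        ForEach-Object { $_.Name }) -join ', '

    $r.Verdict = if ($r.HashOk -and $r.SignatureOk -and $r.PublisherOk -and -not $r.UnsignedSiblingDlls) {
        'OK to run'
    } else {
        'DO NOT RUN'
    }
    [pscustomobject]$r
}

# Usage (file name, hash and publisher string are placeholders):
Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\installer.exe" `
    -ExpectedSha256 '<SHA-256 published by the vendor>' -ExpectedPublisher 'CPUID'
```

The verdict is deliberately conservative: one failed check is enough to block, and the individual fields are returned so you can see which check failed rather than just the result.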
You can also use the PowerShell Get-FileHash command to compare the checksum of a downloaded file against the one provided by the developer on a separate, secure channel.
Frequently Asked Questions
- What happened during the CPUID website hack?
- Hackers compromised a secondary API on the CPUID website, replacing legitimate installers for tools like CPU-Z and HWMonitor with malicious links that delivered the STX RAT trojan.
- Which software versions were affected by the CPUID malware attack?
- The affected versions were CPU-Z v2.19, HWMonitor Pro v1.57, HWMonitor v1.63, and PerfMonitor v2.04.
- How did the CPUID website hack deliver the malware?
- The attackers used Cloudflare R2 storage to host a fake HWiNFO installer that employed DLL sideloading via a malicious file named CRYPTBASE.dll to execute the STX RAT payload.
- Am I safe if I downloaded CPU-Z after the CPUID website hack was fixed?
- Yes. CPUID has confirmed the compromised API is fixed and all current downloads on their official site are clean and safe.
- What should I do if I fell victim to the CPUID malware?
- Users who downloaded the affected tools between April 9 and April 10 UTC should treat their systems as compromised and check for indicators of compromise (IoCs) published by Kaspersky.
Stay vigilant and keep your systems updated. Share this alert with your fellow tech enthusiasts to ensure no one remains unknowingly infected. Join the conversation in the comments below—have you encountered similar issues with hardware utilities?