Executive Summary
Between April 9 and April 10, 2026, the official website of CPUID, the developer of widely used system utilities HWMonitor and CPU-Z, was compromised through a supply chain attack. Attackers gained access to a secondary API, allowing them to alter download links on the official site for approximately six hours. During this window, users attempting to download HWMonitor, CPU-Z, and related tools were redirected to attacker-controlled Cloudflare R2 storage, where they received trojanized installers. These installers contained a malicious cryptbase.dll that, when executed alongside the legitimate application, initiated a sophisticated, five-stage in-memory attack chain culminating in the deployment of STX RAT, a remote access trojan with infostealer capabilities. The attack targeted a global user base, including IT professionals, system administrators, OEM vendors, and organizations in sectors such as retail, manufacturing, consulting, telecommunications, and agriculture, with confirmed infections primarily in Brazil, Russia, and China. CPUID confirmed the breach, stating that the original signed binaries were not compromised and that remediation was completed within hours. The incident highlights the significant risks posed by supply chain attacks on trusted software distribution channels and the potential for widespread credential theft and persistent access within enterprise environments. All technical details, affected versions, and mitigation steps are detailed below, with evidence and references from primary, independently verified sources.
Technical Information
The attack on CPUID represents a sophisticated supply chain compromise, leveraging multiple advanced techniques to maximize infection potential and evade detection. The attackers exploited a vulnerability in a secondary API on the CPUID infrastructure, enabling them to modify download links on the official website. For approximately six hours, users downloading HWMonitor, CPU-Z, and related tools were redirected to attacker-controlled Cloudflare R2 storage, where they received trojanized installers. The attack specifically targeted the 64-bit version of HWMonitor and affected versions of CPU-Z, HWMonitor Pro, and PerfMonitor.
The trojanized installer included a malicious cryptbase.dll placed alongside the legitimate application executable (HWMonitor_x64.exe). This technique, known as DLL sideloading, exploits the Windows DLL search order to load the attacker's DLL instead of the legitimate system library. Upon execution, the malicious DLL initiated a five-stage in-memory unpacking chain. This process involved reflective PE (Portable Executable) loading, XOR decryption, and layered bitwise transformations, ensuring that no intermediate payloads were written to disk. This approach significantly hindered forensic recovery and allowed the malware to evade signature-based detection mechanisms.
The final payload delivered by this chain was STX RAT, a remote access trojan with extensive infostealer capabilities. STX RAT is capable of harvesting browser credentials (notably targeting Google Chrome via the IElevation COM interface), session cookies (which can bypass multi-factor authentication), crypto wallet keys, password manager data, VPN and FTP credentials, and other sensitive information. The malware established command and control (C2) communication with the domain welcome[.]supp0v3[.]com, transmitting JSON-formatted victim metadata for campaign tracking and victim profiling. Multiple campaign tags and referrer fields were identified in the C2 callback metadata, indicating a segmented operation targeting different software and user groups.
Technical analysis confirmed that the attack chain executed entirely in memory, with no disk artifacts beyond the initial DLL, making detection and remediation challenging. The use of anti-sandbox and anti-analysis techniques further complicated detection efforts. The attack was detected by eSentire YARA rules and confirmed by Kaspersky researchers, who established the compromise window from April 9, 15:00 UTC, to April 10, 10:00 UTC.
The infrastructure used in this attack, specifically the domain supp0v3[.]com, was previously associated with a March 2026 malware campaign, suggesting ongoing operations by the same or closely related threat actors. However, no explicit attribution to a named group has been made as of April 10, 2026.
The attack had significant sector-specific implications. HWMonitor and CPU-Z are standard tools for IT professionals, system administrators, data center engineers, OEM hardware vendors, security researchers, and corporate IT departments. The privileged nature of this user base increased the risk of credential theft, lateral movement, and persistent access within enterprise networks. Confirmed organizational victims included entities in retail, manufacturing, consulting, telecommunications, and agriculture, with most infections reported in Brazil, Russia, and China. Given the global popularity of CPU-Z and HWMonitor, with tens of millions of users, the potential exposure surface was extraordinary.
Indicators of compromise (IOCs) associated with this attack include the SHA256 hashes of the trojanized installer (HWMonitor_x64.exe: 02db6764d1f13b837b0a525e5931bdbc67e7a2a4d071e849c7e087255d4a2d5b), the malicious cryptbase.dll (a27df06c7167eced1ddaeb8adccaa5f60500f52bc7030389eed2a0903cdf8286), the STX RAT payload (52862b538459c8faaf89cf2b5d79c2f0030f79f80a68f93d65ec91f046f05be6), and the C2 domain (welcome[.]supp0v3[.]com).
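The following Python script is an added example, not code from the advisory or from CPUID or the cited vendors. It shows how a responder could hunt for the two artifact-level indicators above on a downloads or software share: the published SHA256 hashes, and the sideloading layout itself (a cryptbase.dll sitting beside HWMonitor_x64.exe, where the DLL has no legitimate reason to be, since the system copy lives under System32). The directory tree it scans is constructed in a temporary folder with placeholder bytes, so the hash check is only exercised when extra hashes are passed in; the function and variable names are the example's own.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA256 indicators published for this incident (values from the advisory).
KNOWN_BAD_SHA256 = {
    "02db6764d1f13b837b0a525e5931bdbc67e7a2a4d071e849c7e087255d4a2d5b": "trojanized HWMonitor_x64.exe",
    "a27df06c7167eced1ddaeb8adccaa5f60500f52bc7030389eed2a0903cdf8286": "malicious cryptbase.dll",
    "52862b538459c8faaf89cf2b5d79c2f0030f79f80a68f93d65ec91f046f05be6": "STX RAT payload",
}

# The application executable the advisory names as the sideloading host
# (extend this set if other CPUID executables are confirmed as hosts).
SIDELOAD_HOST_EXES = {"hwmonitor_x64.exe"}
SIDELOADED_DLL = "cryptbase.dll"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: Path, known_bad: dict = KNOWN_BAD_SHA256) -> list:
    """Walk `root` and report hash matches plus cryptbase.dll sideloading layouts.

    Each finding is {"path": str, "reason": str}; a file can appear twice if it
    both matches a known-bad hash and sits in a sideloading position.
    """
    findings = []
    for directory in [root, *[p for p in root.rglob("*") if p.is_dir()]]:
        names = {p.name.lower(): p for p in directory.iterdir() if p.is_file()}
        # cryptbase.dll belongs in System32/SysWOW64; a copy next to the HWMonitor
        # executable is the DLL search-order hijack the advisory describes.
        if SIDELOADED_DLL in names and names.keys() & SIDELOAD_HOST_EXES:
            findings.append({
                "path": str(names[SIDELOADED_DLL]),
                "reason": "cryptbase.dll colocated with HWMonitor executable (sideloading indicator)",
            })
        for path in names.values():
            digest = sha256_of(path)
            if digest in known_bad:
                findings.append({"path": str(path), "reason": f"SHA256 match: {known_bad[digest]}"})
    return findings


def build_sample_tree() -> Path:
    """Construct a throwaway directory tree for demonstration (placeholder bytes, not malware)."""
    root = Path(tempfile.mkdtemp(prefix="cpuid_hunt_"))
    suspect = root / "Downloads" / "HWMonitor"
    suspect.mkdir(parents=True)
    (suspect / "HWMonitor_x64.exe").write_bytes(b"constructed placeholder, not the real binary")
    (suspect / "cryptbase.dll").write_bytes(b"constructed placeholder, not the real DLL")
    clean = root / "Program Files" / "CPUID" / "HWMonitor"
    clean.mkdir(parents=True)
    (clean / "HWMonitor_x64.exe").write_bytes(b"constructed placeholder, no DLL beside it")
    return root


if __name__ == "__main__":
    for finding in scan_directory(build_sample_tree()):
        print(f"{finding['reason']}: {finding['path']}")
```

Run against a real endpoint by passing the user profile or download directory to scan_directory instead of the constructed tree. The layout check is deliberately kept separate from the hash check: a recompiled or repacked DLL would defeat the hash list, but the file placement that makes the sideload work cannot change without breaking the technique.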
All technical claims and attack chain details are supported by primary, independently verified sources, including Cyderes, BleepingComputer, and Tom's Hardware. The attack methods have been mapped to MITRE ATT&CK techniques, with confidence levels assessed based on the quality and consistency of the evidence.
Affected Versions & Timeline
The following CPUID products and versions were confirmed as affected during the compromise window:
CPU-Z version 2.19, HWMonitor Pro version 1.57, HWMonitor version 1.63, and PerfMonitor version 2.04 were all subject to malicious download link redirection. The attack specifically targeted the 64-bit version of HWMonitor via DLL sideloading. The original signed binaries remained uncompromised and were still accessible via direct URLs, but the main website download links were poisoned.
The verified timeline of events is as follows: On April 9, 2026, Reddit users reported suspicious downloads of HWMonitor, prompting community investigation and VirusTotal analysis. At 15:00 UTC on April 9, Kaspersky confirmed the start of the compromise window. Between April 9 and April 10, download links for HWMonitor, CPU-Z, and related tools were redirected to trojanized installers hosted on attacker-controlled Cloudflare R2 storage. At 10:00 UTC on April 10, Kaspersky confirmed the end of the compromise window. During this period, over 150 users downloaded a malicious variant, including organizations in multiple sectors and countries. CPUID publicly acknowledged the breach and confirmed remediation on April 9-10, 2026.
Threat Activity
The threat activity observed in this incident demonstrates a high level of sophistication and operational planning. The attackers exploited a supply chain vulnerability in CPUID's infrastructure, leveraging a secondary API to alter download links and distribute trojanized installers. The use of DLL sideloading with a malicious cryptbase.dll enabled the attackers to execute a multi-stage, in-memory attack chain that delivered STX RAT without leaving disk artifacts.
The malware's primary objectives were credential theft and persistent remote access. STX RAT harvested browser credentials, session cookies, crypto wallet keys, password manager data, VPN and FTP credentials, and other sensitive information. The malware communicated with a hardcoded C2 domain, transmitting victim metadata for campaign tracking and profiling. Multiple campaign tags and referrer fields were identified, indicating a segmented operation targeting different software and user groups.
The infrastructure used in this attack overlapped with previous campaigns, suggesting ongoing operations by a persistent threat actor. However, no explicit attribution has been made. The attack targeted a privileged user base, increasing the risk of credential theft, lateral movement, and persistent access within enterprise environments. Confirmed victims included organizations in retail, manufacturing, consulting, telecommunications, and agriculture, with most infections reported in Brazil, Russia, and China.
The attack was detected by eSentire YARA rules and confirmed by Kaspersky researchers. Windows Defender detected the malware in some cases, but the advanced evasion techniques employed by the attackers allowed some infections to persist.
Mitigation & Workarounds
The following mitigation steps are recommended, prioritized by severity:
Critical: Immediately audit all endpoints that downloaded or executed HWMonitor, CPU-Z, HWMonitor Pro, or PerfMonitor installers between April 9, 15:00 UTC, and April 10, 10:00 UTC. Isolate and reimage any systems where the malicious cryptbase.dll or associated IOCs are detected. Reset all credentials, including browser-stored passwords, VPN, FTP, and password manager data, on affected systems.
High: Block network communication to the C2 domain welcome[.]supp0v3[.]com and monitor for any outbound connections to this or related infrastructure. Deploy updated YARA rules and endpoint detection signatures for STX RAT and the associated SHA256 hashes. Review and update supply chain risk management policies to ensure that software downloads are verified via cryptographic signatures and obtained only from trusted, direct sources.
Medium: Conduct organization-wide awareness training regarding the risks of supply chain attacks and the importance of verifying software sources. Review and enhance incident response plans to address supply chain compromise scenarios.
Low: Monitor for future advisories from CPUID and relevant security vendors. Maintain regular backups and ensure that backup systems are isolated from production networks.
All mitigation steps should be implemented in accordance with organizational risk management policies and in consultation with relevant stakeholders.
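To support the High-priority step of monitoring for outbound connections to the C2 domain, the following Python snippet is an added example (not code from the advisory or from any cited vendor). It refangs the published indicator, matches the parent domain supp0v3[.]com and any subdomain of it rather than only the exact host seen in this campaign, and runs the check over a few constructed key=value log lines of the kind a DNS resolver or proxy might emit. The log format, the source addresses and the cdn subdomain are all invented for the example; only welcome[.]supp0v3[.]com comes from the advisory.

```python
import re

# Defanged C2 indicator exactly as published in the advisory.
C2_DOMAIN_DEFANGED = "welcome[.]supp0v3[.]com"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


C2_DOMAIN = refang(C2_DOMAIN_DEFANGED)            # welcome.supp0v3.com
C2_PARENT = C2_DOMAIN.split(".", 1)[1]            # supp0v3.com (covers related hosts)


def is_c2_host(host: str) -> bool:
    """True for the parent domain or any subdomain; avoids lookalike suffix matches."""
    h = host.lower().rstrip(".")
    return h == C2_PARENT or h.endswith("." + C2_PARENT)


# Constructed sample log lines (key=value style; not from any real device).
SAMPLE_LOG = """\
2026-04-09T16:12:03Z src=10.1.4.22 qname=welcome.supp0v3.com qtype=A
2026-04-09T16:12:05Z src=10.1.4.22 host=welcome.supp0v3.com method=POST path=/
2026-04-09T16:13:10Z src=10.1.4.37 qname=www.cpuid.com qtype=A
2026-04-09T16:14:41Z src=10.1.4.40 qname=cdn.supp0v3.com qtype=A
2026-04-09T16:15:00Z src=10.1.4.51 qname=supp0v3.com.example.org qtype=A
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def find_c2_hits(lines) -> list:
    """Return (timestamp, src, host) for every line whose qname/host is C2 infrastructure."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        fields = dict(KV_RE.findall(line))
        host = fields.get("qname") or fields.get("host")
        if host and is_c2_host(host):
            hits.append((line.split()[0], fields.get("src", "?"), host.lower()))
    return hits


def affected_sources(hits) -> list:
    """Distinct internal addresses that touched the C2 domain, sorted for triage."""
    return sorted({src for _, src, _ in hits})


if __name__ == "__main__":
    hits = find_c2_hits(SAMPLE_LOG.splitlines())
    for ts, src, host in hits:
        print(f"{ts} {src} -> {host}")
    print("hosts to isolate and credential-reset:", affected_sources(hits))
```

The lookalike line (supp0v3.com.example.org) is included to show why the suffix test anchors on a leading dot: a plain substring match would flag it, while an exact-host match would miss the second, related subdomain. The list returned by affected_sources feeds directly into the Critical step above (isolate, reimage, reset credentials).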
References
Cyderes: https://www.cyderes.com/howler-cell/how-cpuids-hwmonitor-supply-chain-was-hijacked-to-deploy-stx-rat (April 10, 2026)
BleepingComputer: https://www.bleepingcomputer.com/news/security/supply-chain-attack-at-cpuid-pushes-malware-with-cpu-z-hwmonitor/ (April 10, 2026)
Tom's Hardware: https://www.tomshardware.com/tech-industry/cyber-security/hwmonitor-and-cpu-z-developer-cpuid-breached-by-unknown-attackers-cyberattack-forced-users-to-download-malware-instead-of-valid-apps-for-approximately-six-hours (April 10, 2026)
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor supply chain risks. Our platform enables continuous monitoring of vendor security posture, automated risk assessments, and actionable insights to support incident response and remediation efforts. For questions regarding this incident or to discuss supply chain risk management strategies, please contact us at ops@rescana.com.