Attackers compromised cpuid.com — the official distribution site for CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor 2 — between approximately April 9, 15:00 UTC and April 10, 10:00 UTC. During that ~19-hour window, users who downloaded any CPUID product received a trojanized installer that sideloaded the STX remote access trojan. The site now serves clean builds, but anyone who downloaded software during that window should treat the endpoint as compromised.
What Was Compromised
CPUID attributed the breach to a “secondary feature (basically a side API)” that controlled download link routing on the main website. Attackers gained access to this API and silently swapped the download URLs to point to attacker-controlled Cloudflare R2 buckets. From the user’s perspective the download appeared to originate from cpuid.com — it did not. The legitimate product page UI was intact; only the destination changed.
Affected products:
- CPU-Z (all variants)
- HWMonitor and HWMonitor Pro
- PerfMonitor 2
Delivery Chain
The trojanized installers contained two components: a legitimate, signed CPUID executable and a malicious CRYPTBASE.dll. When the user ran the installer (e.g., HWMonitor_x64.exe), Windows DLL search order loaded the malicious CRYPTBASE.dll from the installer directory rather than the system copy in System32. This is a well-understood DLL sideloading technique — abusing a trusted, signed parent process to load unsigned attacker code without triggering standard AV heuristics.
The malicious DLL was compiled with Zig, an uncommon toolchain choice that reduces detection rates against signature-based tools trained on MSVC or MinGW output. After loading, it performed anti-sandbox checks before proceeding, then executed a multi-stage in-memory unpacking chain that deployed STX RAT entirely without touching disk in recognizable form.
STX RAT Capabilities
STX RAT exposes a broad command set covering:
- In-memory code execution: EXE, DLL, PowerShell, and raw shellcode — nothing written to disk in the default flow
- Reverse proxy and tunneling: enables pivoting through compromised hosts into internal networks
- Desktop interaction: full remote control capability
- Infostealer functions: credential and session data exfiltration
C2 communications go to welcome[.]supp0v3[.]com. Victim metadata is transmitted as JSON with campaign-tracking fields: four campaign tags (tbs, tbs2, tbs3, snip) and referrer fields (CPZ for CPU-Z victims, monitor3 for HWMonitor). This segmentation suggests the operator is tracking yield across software targets and potentially running parallel operations.
Threat Actor and Prior Campaigns
The C2 address and connection configuration are reused verbatim from a March 2026 campaign that served trojanized FileZilla installers from lookalike domains. OPSEC quality is low — Kaspersky noted the reuse made it possible to detect the watering hole “as soon as it started.” That said, low OPSEC does not mean low impact: at least 150 users downloaded the malicious builds, including organizations in retail, manufacturing, consulting, telecommunications, and agriculture, predominantly in Brazil, Russia, and China. The threat actor remains unattributed.
Who’s Affected
If you or your organization downloaded CPU-Z, HWMonitor, HWMonitor Pro, or PerfMonitor 2 between April 9, 15:00 UTC and April 10, 10:00 UTC, assume the endpoint is compromised. Hardware monitoring tools are common in developer, sysadmin, and IT environments — this is not consumer-only risk.
What to Do Now
Immediate triage:
- Check all Windows hosts for `CRYPTBASE.dll` in any path outside of `C:\Windows\System32\`. Any hit outside System32 is an immediate indicator of compromise.
- Review process creation logs for `HWMonitor_x64.exe`, `cpuz*.exe`, or `perfmonitor*.exe` launching unexpected child processes or PowerShell.
- Check DNS/proxy logs and EDR telemetry for connections to `welcome[.]supp0v3[.]com` or the Cloudflare R2 domains used to host the malicious installers.
- If STX RAT ran, assume full credential compromise on that host: rotate all credentials accessible from it, revoke active sessions, and audit lateral movement paths.
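The three triage checks above, written out as one hunting script. This is an added example, not CPUID's or any vendor's code; it runs over constructed sample telemetry (file inventory, process-creation records and DNS queries) rather than live hosts, and the SysWOW64 allowlist entry and the `ws0x` hostnames are assumptions of the example.

```python
import fnmatch
from pathlib import PureWindowsPath

# Indicators taken from the advisory above; the domain is kept defanged as printed there.
SUSPECT_PARENTS = ("hwmonitor_x64.exe", "cpuz*.exe", "perfmonitor*.exe")
C2_DOMAINS = ("welcome[.]supp0v3[.]com",)  # R2 bucket hostnames are not given on the page
# Where CRYPTBASE.dll legitimately lives. The advisory names System32; SysWOW64 is
# added here as an assumption for 64-bit hosts, which keep the 32-bit copy there.
LEGIT_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def refang(domain):
    return domain.replace("[.]", ".").lower()

def suspicious_dll_paths(files):
    """files: (host, path) pairs. Returns CRYPTBASE.dll copies outside LEGIT_DLL_DIRS."""
    hits = []
    for host, path in files:
        p = PureWindowsPath(path)
        if p.name.lower() == "cryptbase.dll" and str(p.parent).lower() not in LEGIT_DLL_DIRS:
            hits.append((host, path))
    return hits

def suspicious_children(events):
    """events: process-creation records (e.g. Sysmon event 1) as dicts with host/parent/image.
    Flags any child spawned by one of the CPUID executables; add an allowlist in practice."""
    return [e for e in events
            if any(fnmatch.fnmatch(PureWindowsPath(e["parent"]).name.lower(), pat)
                   for pat in SUSPECT_PARENTS)]

def c2_lookups(dns_events):
    """dns_events: dicts with host/query. Flags resolutions of the STX RAT C2 domain."""
    wanted = {refang(d) for d in C2_DOMAINS}
    return [e for e in dns_events if e["query"].lower().rstrip(".") in wanted]

# Constructed sample telemetry for demonstration, not data from a real incident.
SAMPLE_FILES = [("ws01", r"C:\Windows\System32\CRYPTBASE.dll"),
                ("ws01", r"C:\Users\alice\Downloads\HWMonitor\CRYPTBASE.dll"),
                ("ws02", r"C:\Windows\SysWOW64\cryptbase.dll")]
SAMPLE_PROCS = [{"host": "ws01", "parent": r"C:\Users\alice\Downloads\HWMonitor\HWMonitor_x64.exe",
                 "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
                {"host": "ws01", "parent": r"C:\Windows\explorer.exe",
                 "image": r"C:\Users\alice\Downloads\HWMonitor\HWMonitor_x64.exe"},
                {"host": "ws03", "parent": r"C:\Tools\cpuz_x64.exe",
                 "image": r"C:\Windows\System32\cmd.exe"}]
SAMPLE_DNS = [{"host": "ws01", "query": "welcome.supp0v3.com."},
              {"host": "ws02", "query": "www.cpuid.com"}]

def hosts_to_isolate(files=SAMPLE_FILES, procs=SAMPLE_PROCS, dns=SAMPLE_DNS):
    """Hosts with any indicator: per the advisory, treat them as fully credential-compromised."""
    hits = suspicious_dll_paths(files) + suspicious_children(procs) + c2_lookups(dns)
    return sorted({h[0] if isinstance(h, tuple) else h["host"] for h in hits})
```

Feed it the output of a fleet-wide file search, your EDR's process-creation export and DNS logs; every host it returns goes into the credential-rotation step.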
Going forward:
- Enforce hash pinning or signature verification on third-party tool downloads before execution. CPUID does publish SHA-256 hashes for its installers; checking them takes 10 seconds.
- Consider restricting DLL load order via the `CWDIllegalInDllSearch` registry policy on Windows — this prevents DLL sideloading attacks that rely on the current working directory being searched before System32.
- Use software deployment tooling (Scoop, Chocolatey, internal mirrors) rather than manual downloads from vendor sites; these add a layer of hash verification automatically.
The clean installers are live at cpuid.com now. Redownload from the official site if you need to reinstall.
References
- BleepingComputer: Supply chain attack at CPUID pushes malware with CPU-Z, HWMonitor
- The Hacker News: CPUID Breach Distributes STX RAT via Trojanized CPU-Z and HWMonitor Downloads
- Securelist: CPU-Z & HWMonitor Watering Hole Attack
- The Register: CPUID hijacked to serve malware as HWMonitor downloads
- Technical analysis (GitHub Gist): CPU-Z 2.19 Supply Chain Attack – DLL Sideloading, Zig-compiled CRYPTBASE.dll, IPv6-encoded .NET deserialization, MSBuild persistence