A short-lived but impactful supply-chain-style attack has exposed users to malware after attackers compromised CPUID’s official website to distribute trojanized versions of popular hardware monitoring tools. The CPUID breach STX RAT attack highlights growing risks in trusted software distribution channels across the cybertech ecosystem.
The incident occurred between April 9 and April 10, when download links for widely used tools such as CPU-Z and HWMonitor were temporarily replaced with malicious URLs. During this window, unsuspecting users downloading software from the official site were redirected to attacker-controlled domains hosting infected installers.
CPUID later confirmed the breach, attributing it to the compromise of a secondary feature within its infrastructure that caused the website to intermittently display malicious links. The company clarified that its original signed binaries were not directly altered, but attackers leveraged the distribution mechanism to deliver infected packages.
According to Kaspersky, the malicious downloads were distributed as both ZIP archives and standalone installers. These packages included legitimate signed executables alongside a malicious dynamic-link library named CRYPTBASE.dll, enabling attackers to exploit DLL side-loading techniques.
Once executed, the malicious component establishes communication with an external server and downloads additional payloads. The malware also performs anti-sandbox checks to evade detection before deploying the STX remote access trojan. STX RAT is capable of extensive post-exploitation activity, including remote control, in-memory execution of payloads, reverse proxy operations, and unauthorized desktop interaction.
Security researchers from eSentire noted that the malware provides attackers with a wide range of capabilities, making it a powerful tool for persistent access and data theft. The attack chain shows similarities to a previous campaign involving trojanized installers of FileZilla, indicating reuse of infrastructure and techniques.
Further analysis revealed that command and control servers and configuration patterns were reused from earlier operations documented by Malwarebytes. This reuse of infrastructure ultimately contributed to the rapid detection of the campaign, suggesting relatively low operational security by the threat actors.
Kaspersky reported more than 150 confirmed victims, primarily individuals, though several organizations across industries including retail, manufacturing, telecommunications, consulting, and agriculture were also affected. The majority of infections were concentrated in Brazil, Russia, and China.
“The trojanized software was distributed both as ZIP archives and as standalone installers for the aforementioned products,” Kaspersky said. “These files contain a legitimate signed executable for the corresponding product and a malicious DLL, which is named ‘CRYPTBASE.dll’ to leverage the DLL side-loading technique.”
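The side-loading layout described above and in the Kaspersky quote, a copy of CRYPTBASE.dll sitting next to a signed application executable, can be hunted for before a download is run. The following is an added example, not code from the article, Kaspersky, or CPUID: it walks an extracted download, flags every executable that has a CRYPTBASE.dll sibling, and records the DLL's SHA-256 for later comparison. The file names and byte contents in the demo tree are constructed placeholders, not real binaries.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# CRYPTBASE.dll is the only side-loading DLL name the incident reports give.
# Windows' legitimate copy lives in %SystemRoot%\System32; a copy shipped next
# to an application executable is the side-loading layout the article describes.
SIDELOAD_DLL_NAMES = {"cryptbase.dll"}

# Constructed placeholder contents for the demo tree (not real PE files).
DEMO_EXE_BYTES = b"MZ constructed placeholder, not a real signed executable"
DEMO_DLL_BYTES = b"MZ constructed placeholder, not the real CRYPTBASE.dll"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_candidates(root: str) -> list[dict]:
    """Flag each executable that has a side-loadable DLL as a sibling file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        dlls = [f for f in files if f.lower() in SIDELOAD_DLL_NAMES]
        exes = [f for f in files if f.lower().endswith(".exe")]
        for dll in dlls:
            dll_path = Path(dirpath) / dll
            digest = sha256_of(dll_path)  # hash once per DLL, reuse per exe
            for exe in exes:
                findings.append({"exe": str(Path(dirpath) / exe),
                                 "dll": str(dll_path), "dll_sha256": digest})
    return findings


def demo() -> list[dict]:
    """Scan a constructed tree: one folder mimicking the trojanized package
    (exe + CRYPTBASE.dll) and one clean folder with only an executable."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = Path(tmp) / "cpuz_bundle"
        bad.mkdir()
        (bad / "cpuz.exe").write_bytes(DEMO_EXE_BYTES)
        (bad / "CRYPTBASE.dll").write_bytes(DEMO_DLL_BYTES)
        clean = Path(tmp) / "hwmonitor_clean"
        clean.mkdir()
        (clean / "HWMonitor.exe").write_bytes(DEMO_EXE_BYTES)
        return find_sideload_candidates(tmp)
```

Run `find_sideload_candidates` on an extracted archive before executing anything in it; a hit is a reason to compare the DLL hash against vendor or Windows reference copies, not proof of compromise on its own.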
The CPUID breach STX RAT attack underscores the increasing sophistication of supply chain threats, where attackers exploit trusted platforms to distribute malware at scale. As reliance on third-party software continues to grow, organizations and individuals must prioritize verification of downloads, implement endpoint protection, and monitor for unusual behavior even when using legitimate sources.
This incident serves as a reminder that even reputable software providers can become attack vectors, reinforcing the need for continuous vigilance and layered security strategies in an evolving threat landscape.