{"id":569,"date":"2026-04-12T06:05:05","date_gmt":"2026-04-12T06:05:05","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=569"},"modified":"2026-04-12T06:05:05","modified_gmt":"2026-04-12T06:05:05","slug":"cpuid-breach-distributes-stx-rat-via-trojanized-cpu-z-and-hwmonitor-downloads","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=569","title":{"rendered":"CPUID Breach Distributes STX RAT via Trojanized CPU-Z and HWMonitor Downloads"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Apr 12, 2026<\/span><\/span><span class=\"p-tags\">Malware \/ Threat Intelligence<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Unknown threat actors compromised CPUID (\u00abcpuid[.]com\u00bb), a website\u00a0that hosts popular hardware monitoring tools like CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor, for less than 24 hours to serve malicious executables for the software and deploy a remote access trojan called STX\u00a0RAT.<\/p>\n<p>The incident lasted from approximately April 9, 15:00 UTC, to about April 10, 10:00\u00a0UTC, with the download URLs for CPU-Z and HWMonitor installers replaced with links to malicious\u00a0websites.<\/p>\n<p>In\u00a0a <a href=\"https:\/\/x.com\/d0cTB\/status\/2042520961824559150\">post<\/a> shared on X, CPUID confirmed the breach, attributing it to a compromise of a \u00absecondary feature (basically a side API)\u00bb 
that caused the main\u00a0site to randomly display malicious\u00a0links. It&#8217;s worth noting that the attack did not impact its signed original\u00a0files.<\/p>\n<p>According\u00a0to <a href=\"https:\/\/securelist.com\/tr\/cpu-z\/119365\/\">Kaspersky<\/a>, the names of the rogue websites are as follows\u00a0&#8211;<\/p>\n<ul>\n<li>cahayailmukreatif.web[.]id<\/li>\n<li>pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev<\/li>\n<li>transitopalermo[.]com<\/li>\n<li>vatrobran[.]hr<\/li>\n<\/ul>\n<p>\u00abThe trojanized software was distributed both as ZIP archives and as standalone installers for the aforementioned products,\u00bb the Russian cybersecurity company said. \u00abThese files contain a legitimate signed executable for the corresponding product and a malicious DLL, which is named &#8216;CRYPTBASE.dll&#8217; to leverage the DLL side-loading technique.\u00bb<\/p>\n<p>The malicious DLL, for its part, contacts an external server and executes additional payloads, but not before performing anti-sandbox checks to sidestep detection. 
The\u00a0end goal of the campaign is to\u00a0deploy <a href=\"https:\/\/www.esentire.com\/blog\/stx-rat-a-new-rat-in-2026-with-infostealer-capabilities\">STX\u00a0RAT<\/a>, a RAT with HVNC and broad infostealer capabilities.<\/p>\n<p>STX RAT \u00abexposes a broad command set for remote control, follow-on payload execution, and post-exploitation actions (e.g., in-memory execution of EXE\/DLL\/PowerShell\/shellcode, reverse proxy\/tunneling, desktop interaction),\u00bb eSentire said in an analysis of the malware last\u00a0week.<\/p>\n<p>The command-and-control (C2) server address and the connection configuration\u00a0have been\u00a0reused from\u00a0a <a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2026\/03\/a-fake-filezilla-site-hosts-a-malicious-download\">prior\u00a0campaign<\/a> that leveraged trojanized <a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2026\/02\/fake-7-zip-downloads-are-turning-home-pcs-into-proxy-nodes\">FileZilla installers<\/a> hosted on bogus sites to deploy the same RAT malware. The\u00a0activity was documented by Malwarebytes early last\u00a0month.<\/p>\n<p>Kaspersky said it has identified more than 150 victims, mostly individuals who were affected by the incident. However, organizations in retail, manufacturing, consulting, telecommunications, and agriculture have\u00a0also been\u00a0impacted. 
Most\u00a0of the infections are\u00a0located in Brazil, Russia, and\u00a0China.<\/p>\n<p>\u00abThe gravest mistake attackers made was to reuse the same infection chain involving STX RAT, and the same domain names for C2 communication, from the previous attack related to fake FileZilla installers,\u00bb Kaspersky said. \u00abThe overall malware development\/deployment and operational security capabilities of the threat actor behind this attack are quite low, which, in turn, made it possible to detect the watering hole compromise as soon as it\u00a0started.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ravie Lakshmanan, Apr 12, 2026, Malware \/ Threat Intelligence. Unknown threat actors compromised CPUID (\u00abcpuid[.]com\u00bb), a website\u00a0that hosts popular hardware monitoring tools like CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor, for less than&hellip;<\/p>\n","protected":false},"author":1,"featured_media":570,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[278,1175,1178,1176,1180,1179,264,1177,259],"class_list":["post-569","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-breach","tag-cpuid","tag-cpuz","tag-distributes","tag-downloads","tag-hwmonitor","tag-rat","tag-stx","tag-trojanized"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/569","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=569"}],"version-history":[{"co
unt":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/569\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/570"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=569"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=569"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=569"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}