CPUID Breach Delivers Trojanized CPU-Z and HWMonitor Installers in Short-Lived Supply Chain Attack

A brief but high-impact compromise of CPUID’s official website has exposed a growing weakness in the modern software supply chain. For less than 24 hours, attackers hijacked download links for widely used system utilities, replacing legitimate installers with malware-laced packages designed to silently establish remote access on victim machines.

The incident, which unfolded between April 9 and April 10, targeted users attempting to download tools such as CPU-Z and HWMonitor. Instead of receiving clean binaries, some visitors were redirected to attacker-controlled infrastructure hosting trojanized versions of the software.

A Short Window, Broad Exposure

CPUID later confirmed that the breach stemmed from a compromise in a secondary API component, which intermittently injected malicious links into the site. The company noted that its original signed binaries were not altered, but the attack exploited the trust users place in official download channels.

Security researchers say the attackers distributed the malicious packages as both ZIP archives and standalone installers. Each bundle contained a legitimate signed executable paired with a weaponized DLL file disguised as “CRYPTBASE.dll.” This technique enabled DLL side-loading, allowing the malware to execute under the guise of trusted software.

Once executed, the malicious component initiated communication with external infrastructure and deployed additional payloads. The ultimate objective was to install STX RAT, a remote access trojan with capabilities that extend far beyond basic persistence.

STX RAT Enables Deep Post-Exploitation

Analysts describe STX RAT as a flexible post-exploitation tool that supports remote control, in-memory execution of payloads, reverse tunneling, and hidden virtual network computing. Its feature set also includes credential harvesting, browser data theft, and session hijacking.

The malware’s design emphasizes stealth. It incorporates anti-sandbox checks to evade automated analysis and executes much of its activity in memory to minimize forensic traces.

Researchers also linked the infrastructure used in this campaign to earlier attacks involving trojanized FileZilla installers, suggesting the operators are reusing tooling across multiple campaigns. That operational overlap helped defenders quickly identify and disrupt the activity.

Evidence Points to Ongoing Campaign

Threat intelligence indicates the CPUID compromise is not an isolated incident but part of a longer-running campaign that began as early as mid-2025. Early samples connected to the same command-and-control infrastructure, reinforcing the theory of a persistent threat actor leveraging repeated infection chains.

Investigators believe the group behind the activity is likely Russian-speaking and financially motivated, potentially operating as an initial access broker. These actors typically focus on gaining footholds that can later be sold or leveraged for larger intrusions.

While the majority of confirmed victims are individual users, organizations across multiple sectors have also been affected, including retail, manufacturing, telecommunications, and consulting environments. Infections have been most heavily observed in Brazil, Russia, and China.

Low Sophistication, High Impact

Despite the scale of the campaign, researchers noted that the attackers made operational mistakes, including reusing domains and infrastructure. That reuse reduced their ability to remain undetected and enabled faster attribution and response.

Still, the attack highlights a critical reality. Even relatively unsophisticated actors can achieve significant reach by compromising trusted distribution points.

Brian Hussey, SVP of Cyber Fusion at Cyderes, emphasized the strategic targeting behind the operation:

“This is a textbook supply chain attack targeting the exact people organizations rely on to defend them. IT administrators, security engineers, and data center operators who use HWMonitor as a matter of professional routine, and with CPU-Z alone counting tens of millions of users worldwide, the potential exposure here is enormous. The threat actor compromised CPUID's official download page to serve a trojanized installer that deployed STX RAT through a five-stage, fully in-memory malware chain designed to leave no forensic trace, stealing browser credentials, session cookies, and VPN access that can be used to pivot directly into enterprise networks. Any organization whose technical staff downloaded HWMonitor between April 9th and 10th should treat those machines as potentially compromised, verify file hashes against published IOCs, and revoke privileged credentials until they can confirm clean systems.”

Supply Chain Attacks Shift Upstream

The incident reflects a broader shift in attacker strategy. Instead of targeting users individually through phishing or fake websites, threat actors are increasingly compromising upstream distribution channels to achieve scale.

Isaac Evans, founder and CEO of Semgrep, said the trend is accelerating:

“Threat actors have gotten increasingly clever with their exploitation tactics, placing the software supply chain under real duress. Attackers going after the official download paths poses a different kind of problem for security teams than phishing lures or fake clone sites, since it entails that victims don’t even have to interact with the code to be impacted. Once the official source, update path, or build pipeline is compromised, the act of downloading, installing, or automatically pulling the latest version can be enough to trigger the attacker’s foothold before the user has a chance to spot anything unusual.

Taken together with the recent Trivy compromise, the broader trend is hard to miss: attackers are going upstream because it is more efficient to compromise trust once than to trick every target one by one. The goal is no longer just malware delivery, but silent access at scale through the tools organizations already trust most. For defenders, that means shifting from assumed trust to continuous verification, including pinned versions, stricter controls around build and release pipelines, and faster credential rotation when any part of the software supply chain looks suspect.”

What Security Teams Should Do Now

The fallout from the CPUID breach underscores a key lesson for enterprise security leaders. Trust in official sources is no longer sufficient.

Organizations should assume potential compromise if any system downloaded affected tools during the exposure window. Immediate actions include validating file hashes, rotating credentials, and reviewing privileged access for signs of misuse.

More broadly, the attack reinforces the need for stronger controls around software supply chains. That includes enforcing version pinning, monitoring build integrity, and treating even trusted update channels as potential attack surfaces.

As attackers continue to move upstream, the security model is shifting. Verification is replacing trust, and even routine downloads are becoming a frontline risk.