Full Report
Unknown threat actors compromised CPUID ("cpuid[.]com"), a website that hosts popular hardware monitoring tools like CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor, for less than 24 hours to serve malicious executables for the software and deploy a remote access trojan called STX RAT. The incident lasted from approximately April 9, 15:00 UTC, to about April 10, 10:00 UTC, with
Analysis Summary
# Incident Report: CPUID Website Compromise and STX RAT Distribution
## Executive Summary
Unknown threat actors compromised the official CPUID website to conduct a watering hole attack, replacing legitimate download links for tools such as CPU-Z and HWMonitor with malicious redirects. The attack delivered "STX RAT," a sophisticated remote access trojan with info-stealing and HVNC capabilities, via a DLL side-loading technique. The incident was quickly contained due to the threat actor's reuse of known infrastructure, limiting the window of exposure to less than 24 hours.
## Incident Details
- **Discovery Date:** April 10, 2026
- **Incident Date:** April 09, 2026, 15:00 UTC – April 10, 2026, 10:00 UTC
- **Affected Organization:** CPUID (cpuid[.]com)
- **Sector:** Software Development / Hardware Utilities
- **Geography:** Global (Primary impact in Brazil, Russia, and China)
## Timeline of Events
### Initial Access
- **Date/Time:** April 09, 2026, 15:00 UTC
- **Vector:** Compromise of a "secondary feature" (side API) on the CPUID main website.
- **Details:** The compromised API caused the website to randomly replace legitimate software download links with URLs pointing to malicious domains.
### Lateral Movement
- **Details:** No lateral movement within CPUID internal networks was reported; the attack was focused on front-end delivery (Watering Hole) to infect end-users.
### Data Exfiltration/Impact
- **Details:** Over 150 victims identified, including individuals and organizations in retail, manufacturing, consulting, and telecommunications. STX RAT was deployed to gain full remote control and steal sensitive data from target machines.
### Detection & Response
- **Discovery:** Rapidly identified by security researchers (Kaspersky, eSentire) and the CPUID team due to the reuse of C2 infrastructure from a previous FileZilla-themed campaign.
- **Response Actions:** CPUID disabled the compromised API and restored legitimate links; public disclosure was made via social media (X/Twitter).
## Attack Methodology
- **Initial Access:** Website compromise / Watering Hole attack via side API manipulation.
- **Persistence:** STX RAT installation provides persistent remote access and HVNC (Hidden Virtual Network Computing).
- **Defense Evasion:** Use of DLL side-loading (malicious `CRYPTBASE.dll` alongside a legitimate signed executable) and anti-sandbox checks.
- **Discovery:** Malware performs internal environment reconnaissance to check for analysis tools before execution.
- **Lateral Movement:** STX RAT features include reverse proxy and tunneling for network pivoting.
- **Collection:** Infostealer capabilities targeting credentials and system data.
- **Exfiltration:** Data sent to hardcoded C2 servers reused from previous campaigns.
- **Impact:** Complete system compromise and unauthorized remote control.
## Impact Assessment
- **Financial:** Unknown; potential for theft via infostealer modules.
- **Data Breach:** Sensitive system information and credentials from at least 150 victims.
- **Operational:** Temporary disruption of software distribution for CPUID; compromise of end-user systems.
- **Reputational:** Brief loss of trust in a highly-trafficked site for hardware enthusiasts and IT professionals.
## Indicators of Compromise
- **Network Indicators:**
  - cahayailmukreatif.web[.]id
  - pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev
  - transitopalermo[.]com
  - vatrobran[.]hr
- **File Indicators:**
  - `CRYPTBASE.dll` (malicious loader)
  - Trojanized ZIP and EXE installers for CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor.
- **Behavioral Indicators:**
  - Legitimate signed binaries loading unsigned or rogue DLLs from their own directory rather than from System32 (DLL side-loading).
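The two indicator types above lend themselves to simple detection logic. The following Python is an added example, not code from the report or from any of the vendors it names: it refangs the report's network indicators, matches them (including subdomains, but not look-alike suffixes) against a constructed DNS query log, and flags the behavioral indicator by checking constructed image-load records for a signed process loading `CRYPTBASE.dll`, or any unsigned DLL, from its own directory instead of System32. The log lines, the event paths, the `ImageLoadEvent` field names (loosely modelled on a Sysmon "Image loaded" record) and the System32 path constant are all assumptions made for the example.

```python
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Network indicators from the report, kept defanged so they cannot be resolved
# or clicked by accident; refang() turns them into matchable hostnames.
DEFANGED_DOMAINS = [
    "cahayailmukreatif.web[.]id",
    "pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev",
    "transitopalermo[.]com",
    "vatrobran[.]hr",
]


def refang(indicator: str) -> str:
    """Convert a defanged indicator such as 'example[.]com' into a plain hostname."""
    return indicator.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def host_matches_ioc(host: str) -> bool:
    """True when host equals an IoC domain or is a subdomain of one.

    The suffix test is anchored on a dot, so 'vatrobran.hr.lookalike.test'
    does not match 'vatrobran.hr'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


# Constructed DNS query log (not from the report): "timestamp client qname".
SAMPLE_DNS_LOG = """\
2026-04-09T15:12:04Z 10.0.5.21 download.cpuid.com
2026-04-09T15:12:05Z 10.0.5.21 pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev
2026-04-09T15:12:09Z 10.0.5.33 www.example.org
2026-04-09T15:13:40Z 10.0.5.21 cdn.transitopalermo.com
2026-04-09T15:14:02Z 10.0.5.40 vatrobran.hr.lookalike.test
"""


def scan_dns_log(text: str) -> list[tuple[str, str]]:
    """Return (client, qname) pairs whose queried name hits an IoC domain."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        _ts, client, qname = parts
        if host_matches_ioc(qname):
            hits.append((client, qname))
    return hits


@dataclass
class ImageLoadEvent:
    """Constructed, minimal image-load record (fields are assumptions)."""
    process_image: str    # full path of the process that loaded the DLL
    process_signed: bool  # Authenticode status of that process image
    loaded_image: str     # full path of the DLL that was loaded
    dll_signed: bool      # Authenticode status of the DLL


SYSTEM32 = r"c:\windows\system32"          # assumed Windows directory layout
WATCHED_DLLS = {"cryptbase.dll"}           # the loader name given in the report


def is_sideload_candidate(ev: ImageLoadEvent) -> bool:
    """Behavioral indicator: a signed process loads a watched or unsigned DLL
    from its own directory rather than from System32."""
    proc_dir = ntpath.dirname(ev.process_image).lower()
    dll_dir = ntpath.dirname(ev.loaded_image).lower()
    dll_name = ntpath.basename(ev.loaded_image).lower()
    suspicious_dll = dll_name in WATCHED_DLLS or not ev.dll_signed
    return (ev.process_signed and proc_dir == dll_dir
            and dll_dir != SYSTEM32 and suspicious_dll)


# Constructed events: one side-load, one legitimate System32 load, one benign
# same-directory load of a signed, unwatched plugin.
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\Users\alice\Downloads\cpu-z\cpuz.exe", True,
                   r"C:\Users\alice\Downloads\cpu-z\CRYPTBASE.dll", False),
    ImageLoadEvent(r"C:\Program Files\CPUID\HWMonitor\HWMonitor.exe", True,
                   r"C:\Windows\System32\CRYPTBASE.dll", True),
    ImageLoadEvent(r"C:\Program Files\Vendor\app.exe", True,
                   r"C:\Program Files\Vendor\plugin.dll", True),
]


def find_sideloads(events: list[ImageLoadEvent]) -> list[str]:
    """Paths of DLLs whose load matches the side-loading indicator."""
    return [ev.loaded_image for ev in events if is_sideload_candidate(ev)]


if __name__ == "__main__":
    for client, qname in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"IoC DNS hit: {client} -> {qname}")
    for dll in find_sideloads(SAMPLE_EVENTS):
        print(f"possible DLL side-load: {dll}")
```

The side-loading check is deliberately narrow: requiring that the DLL come from the process's own directory and not from System32 keeps normal loads of the genuine `CRYPTBASE.dll` out of the results, while the `WATCHED_DLLS` set lets an analyst add further known-abused names without touching the logic.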
## Response Actions
- **Containment:** Removal of the malicious side API on cpuid[.]com.
- **Eradication:** Identification and blacklisting of the attacker's C2 infrastructure by security vendors.
- **Recovery:** Restoration of the original, legitimate download links.
## Lessons Learned
- **Secondary Feature Vulnerabilities:** Third-party or secondary APIs on a primary domain can serve as a weak link, even if the main site architecture is robust.
- **Infrastructure Reuse:** Threat actors often reuse C2 domains across different campaigns (e.g., FileZilla and CPUID), which assists defenders in rapid identification.
- **DLL side-loading remains effective:** Attackers continue to leverage the trust placed in signed binaries to load malicious code.
## Recommendations
- **For CPUID:** Perform a full security audit of all side APIs and third-party integrations; implement subresource integrity (SRI) and stricter access controls for web-facing components.
- **For Users:** Always verify file hashes (MD5/SHA256) against official documentation and be wary of redirects to unfamiliar domains during download processes.
- **For Organizations:** Implement EDR/AV solutions capable of detecting DLL side-loading and monitoring for known STX RAT C2 communication patterns.
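The user recommendation to verify published hashes is easy to get subtly wrong (reading a whole installer into memory, or comparing with `==`). The following Python is an added example, not code from the report or from CPUID: it parses a `sha256sum`/`md5sum`-style checksum list, picks the algorithm from the digest length, hashes the file in chunks and compares with a constant-time check. The file contents and checksum line in `demo()` are constructed; no real CPUID installer or published hash is used.

```python
from __future__ import annotations

import hashlib
import hmac
import tempfile
from pathlib import Path

# Hex-digest lengths of the two algorithms the report mentions.
HEX_LENGTHS = {"md5": 32, "sha256": 64}


def digest_bytes(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of an in-memory byte string."""
    return hashlib.new(algo, data).hexdigest()


def digest_file(path, algo: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large installers need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def algo_for(published: str) -> str:
    """Infer MD5 vs SHA-256 from the length of a published hex digest."""
    for name, length in HEX_LENGTHS.items():
        if len(published) == length:
            return name
    raise ValueError(f"unrecognised digest length {len(published)}")


def parse_checksums(text: str) -> dict[str, str]:
    """Parse sha256sum/md5sum-style lines: '<hex>  <name>' or '<hex> *<name>'.

    Blank lines and '#' comments are ignored; file names may contain spaces.
    """
    table: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        table[name.strip().lstrip("*")] = digest.lower()
    return table


def verify_file(path, published: str) -> bool:
    """True when the file's digest equals the published one.

    hmac.compare_digest avoids leaking how many leading characters matched.
    """
    published = published.strip().lower()
    actual = digest_file(path, algo_for(published))
    return hmac.compare_digest(actual, published)


def demo() -> tuple[bool, bool]:
    """Constructed end-to-end run: a 'download', its checksum line and a
    tampered copy. Returns (good_verified, tampered_verified)."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "installer.zip"
        good.write_bytes(b"constructed installer payload")
        tampered = Path(d) / "installer_tampered.zip"
        tampered.write_bytes(b"constructed installer payload, modified")
        # The checksum line stands in for the vendor's published list.
        table = parse_checksums(f"{digest_file(good)}  installer.zip\n")
        return (verify_file(good, table["installer.zip"]),
                verify_file(tampered, table["installer.zip"]))


if __name__ == "__main__":
    good_ok, tampered_ok = demo()
    print(f"original verifies: {good_ok}, tampered verifies: {tampered_ok}")
```

A hash only helps when the published value comes from a channel the attacker does not control; on this incident the download links themselves were swapped, so the checksum must be read from the vendor's own documentation rather than from the page that served the redirect.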