CPUID website hacked to serve malicious software

Unknown threat actors compromised CPUID.com. The site hosts popular hardware monitoring tools such as CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor.

The compromise lasted less than 24 hours. It ran from about 15:00 UTC on 9 April to about 10:00 UTC on 10 April.

Attackers replaced the download URLs for CPU-Z and HWMonitor installers with links to malicious websites. They served malicious executables and deployed the remote access trojan known as STX RAT.

CPUID confirmed the breach in a post on X. The company said the incident came from a compromise of a secondary feature. This side API caused the main site to randomly show malicious links. The attack did not affect the signed original files.

Kaspersky identified the rogue websites as cahayailmukreatif.web.id, pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev, transitopalermo.com, and vatrobran.hr.

The trojanized software appeared both as ZIP archives and as standalone installers. These files included a legitimate signed executable for the product together with a malicious DLL named CRYPTBASE.dll. The attackers used DLL side-loading.

The malicious DLL contacts an external server. It performs anti-sandbox checks before it executes additional payloads. The final goal is to deploy STX RAT. This remote access trojan offers HVNC and broad infostealer functions.

STX RAT provides a wide set of commands for remote control, follow-on payload execution, and post-exploitation actions. These include in-memory execution of EXE, DLL, PowerShell, or shellcode as well as reverse proxy and tunneling plus desktop interaction.

The command-and-control server address and connection configuration match those used in a prior campaign. That earlier attack involved trojanized FileZilla installers on fake sites to deliver the same RAT. Malwarebytes documented that activity early last month.

Kaspersky reported more than 150 victims. Most were individuals. Organisations in retail, manufacturing, consulting, telecommunications, and agriculture were also hit. Most infections occurred in Brazil, Russia, and China.

The attackers reused the same infection chain with STX RAT and the same domain names for command-and-control communication from the previous FileZilla campaign. Their malware development, deployment, and operational security were limited. This allowed detection of the watering hole compromise soon after it began.

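A detection-side triage check for the bundle layout the post describes (a product executable shipped beside a DLL named CRYPTBASE.dll), added here as an example; it is not code from the original post, CPUID or Kaspersky. The system-DLL name set and the sample archive contents are constructed assumptions.

```python
import io
import zipfile

# Names of DLLs that Windows ships in System32. An application that imports one
# of these by name will pick up a copy placed in its own directory, which is the
# side-loading layout used in the CPUID incident. This set is an assumption;
# extend it from your own inventory of System32 DLL names.
SYSTEM_DLL_NAMES = {"cryptbase.dll"}


def find_sideload_candidates(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (exe, dll) pairs where a DLL carrying a system-DLL name sits in
    the same archive directory as an executable."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [n for n in zf.namelist() if not n.endswith("/")]
    by_dir: dict[str, list[str]] = {}
    for member in members:
        directory, _, base = member.rpartition("/")
        by_dir.setdefault(directory, []).append(base)
    hits = []
    for directory, files in by_dir.items():
        prefix = directory + "/" if directory else ""
        exes = [f for f in files if f.lower().endswith(".exe")]
        dlls = [f for f in files if f.lower() in SYSTEM_DLL_NAMES]
        hits.extend((prefix + exe, prefix + dll) for exe in exes for dll in dlls)
    return hits


def build_sample_zip(include_dll: bool) -> bytes:
    """Constructed sample archive: a placeholder EXE, optionally with a bundled
    CRYPTBASE.dll beside it. File contents are dummies, not real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cpu-z/cpuz.exe", b"MZ placeholder")
        zf.writestr("cpu-z/readme.txt", b"constructed sample")
        if include_dll:
            zf.writestr("cpu-z/CRYPTBASE.dll", b"MZ placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for bundled in (True, False):
        print("bundled DLL:", bundled, find_sideload_candidates(build_sample_zip(bundled)))
```

A hit only says the layout is suspicious; confirm by checking whether the DLL carries a valid Authenticode signature from the same publisher as the executable.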