CPUID Supply Chain Attack: Trojanized CPU-Z & HWMonitor Spread STX RAT to Global Victims
In a significant software supply chain attack, unknown threat actors briefly compromised the official website of CPUID (cpuid[.]com), a trusted provider of hardware monitoring tools. During the breach window, legitimate download links for widely used utilities CPU-Z and HWMonitor were replaced with trojanized installers designed to deploy a sophisticated Remote Access Trojan (RAT) known as STX RAT.
Attack Overview
The attackers exploited the trust users place in CPUID’s software ecosystem. By embedding malicious payloads into legitimate installers, they ensured high infection rates without raising immediate suspicion. Security researchers estimate that over 150 victims across multiple countries and industries were affected during the short-lived compromise.
- Primary vector: Trojanized CPU-Z and HWMonitor installers
- Malware deployed: STX RAT
- Technique: DLL side-loading using malicious CRYPTBASE.dll
- Scope: Multi-industry, global impact
Technical Breakdown: DLL Side-Loading Abuse
The attack leveraged a well-known technique called DLL side-loading. The malicious installer shipped a rogue CRYPTBASE.dll in its own directory, and the legitimate application loaded that file in place of the genuine Windows library during execution.
This allowed attackers to:
- Bypass traditional security controls
- Execute malicious payloads under trusted processes
- Maintain persistence on infected systems
Once executed, the malicious DLL decrypted and deployed the STX RAT payload in memory, making detection even more challenging.
STX RAT Capabilities
STX RAT is a powerful remote access trojan designed for espionage and control. Its capabilities include:
- Remote command execution
- File exfiltration and data theft
- Keystroke logging
- System reconnaissance
- Persistence mechanisms
The malware also incorporated anti-sandbox and anti-analysis techniques, allowing it to evade detection in virtualized environments commonly used by security researchers.
Impact and Statistics
Although the breach duration was limited, its impact was notable:
- 150+ confirmed victims across regions
- Targets included IT professionals, enterprises, and enthusiasts
- High-risk exposure, since hardware monitoring tools are typically run with administrative privileges
The incident underscores how even trusted utility software can become a vector for widespread compromise when distribution channels are breached.
Why This Attack Matters
This incident highlights a growing trend in cybersecurity: supply chain attacks targeting trusted software providers. Rather than attacking users directly, adversaries compromise the distribution source itself, dramatically increasing success rates.
Key concerns include:
- Trust exploitation of legitimate software vendors
- Difficulty detecting malicious activity that runs under signed or otherwise trusted executables
- Rapid global spread due to popular tools
Mitigation and Recommendations
Organizations and individuals should adopt the following measures:
- Verify file hashes against the vendor's published values before installation
- Download software only from verified and monitored sources
- Use endpoint detection and response (EDR) tools
- Monitor unusual DLL loading behavior
- Implement application allowlisting
Additionally, vendors must strengthen their infrastructure security and implement integrity verification mechanisms such as code signing and secure distribution pipelines.
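The side-loading pattern described in the technical breakdown above, and the "monitor unusual DLL loading behavior" recommendation, both reduce to one detection: a well-known Windows library such as CRYPTBASE.dll being loaded from somewhere other than the system directories. The following is an added example, not code from the original report or from CPUID; it assumes Sysmon Event ID 7 (ImageLoad) records flattened onto single "Key: value" lines, a standard C:\Windows system root, and constructed sample events (paths and process ids are invented).

```python
import re
from pathlib import PureWindowsPath

# Directories Windows normally loads its own DLLs from (assumes C:\Windows as %SystemRoot%).
SYSTEM_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# System DLL names to watch; CRYPTBASE.dll is the one abused in the CPUID incident.
WATCHED_DLLS = {"cryptbase.dll"}

# Sysmon ImageLoad fields we care about, in a flattened "Key: value | Key: value" line.
FIELD_RE = re.compile(r"(ImageLoaded|Image|Signed|SignatureStatus|ProcessId): ([^|]+)")

# Constructed sample events: one legitimate load from System32, one side-load from a
# download folder next to a hypothetical installer, one legitimate WOW64 load, and one
# unrelated DLL that should not be flagged.
SAMPLE_EVENTS = [
    r"ProcessId: 4120 | Image: C:\Windows\System32\svchost.exe | ImageLoaded: C:\Windows\System32\cryptbase.dll | Signed: true | SignatureStatus: Valid",
    r"ProcessId: 5532 | Image: C:\Users\alice\Downloads\cpuz_setup\cpuz_setup.exe | ImageLoaded: C:\Users\alice\Downloads\cpuz_setup\CRYPTBASE.dll | Signed: false | SignatureStatus: Unavailable",
    r"ProcessId: 6004 | Image: C:\Program Files (x86)\Tool\tool.exe | ImageLoaded: C:\Windows\SysWOW64\cryptbase.dll | Signed: true | SignatureStatus: Valid",
    r"ProcessId: 5532 | Image: C:\Users\alice\Downloads\cpuz_setup\cpuz_setup.exe | ImageLoaded: C:\Users\alice\Downloads\cpuz_setup\helper.dll | Signed: false | SignatureStatus: Unavailable",
]


def parse_event(line: str) -> dict:
    """Turn one flattened Sysmon line into a dict of the fields we need."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def is_sideload(event: dict) -> bool:
    """True when a watched system DLL was loaded from outside the system directories."""
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    if loaded.name.lower() not in WATCHED_DLLS:
        return False
    parent = str(loaded.parent).lower().rstrip("\\")
    in_system_dir = any(parent == d or parent.startswith(d + "\\") for d in SYSTEM_DLL_DIRS)
    return not in_system_dir


def find_sideloads(lines) -> list:
    """Return (process image, loaded DLL, signed flag) for every suspicious load."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_sideload(event):
            hits.append((event.get("Image"), event.get("ImageLoaded"), event.get("Signed")))
    return hits


if __name__ == "__main__":
    for image, dll, signed in find_sideloads(SAMPLE_EVENTS):
        print(f"possible DLL side-load: {image} loaded {dll} (signed={signed})")
```

In production the same check runs over the EDR or Sysmon feed rather than a list of strings, and the watched-DLL set should be extended to the other system libraries installers commonly pull from their own directory.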
NeuraCyb's Assessment
The CPUID breach serves as a stark reminder that even widely trusted tools can become attack vectors when supply chains are compromised. As threat actors continue to refine their tactics, organizations must prioritize proactive security measures and adopt a zero-trust approach to software downloads.