CPUID Breach Distributes STX RAT via Trojanized Downloads

Popular hardware monitoring tools CPU-Z and HWMonitor were briefly compromised after attackers hijacked the CPUID website (cpuid[.]com) for less than 24 hours. During the incident, download URLs were replaced with malicious links serving STX RAT, a remote access trojan with broad infostealer and remote control capabilities.

Incident Overview

  • Timeline: April 9, 15:00 UTC – April 10, 10:00 UTC.
  • Attack vector: Compromise of a secondary API feature that caused the site to randomly display malicious links.
  • Distribution: Trojanized installers delivered as ZIP archives and standalone executables.
  • Technique: DLL side-loading using a malicious CRYPTBASE.dll alongside legitimate signed executables.

STX RAT Capabilities

  • HVNC (Hidden Virtual Network Computing) for stealth remote desktop access.
  • Infostealer functions: Harvests credentials, browser data, and sensitive files.
  • Command set: Supports in-memory execution of EXE/DLL/PowerShell/shellcode, reverse proxy/tunneling, and desktop interaction.
  • Anti-sandbox checks: Evades detection before contacting external servers.

Related Campaigns

  • The same infection chain and C2 infrastructure were previously used in attacks involving trojanized FileZilla installers.
  • Reuse of domains and configuration made detection easier, exposing the attackers’ weak operational security.

Impact

  • Victims: Over 150 confirmed infections, mostly individuals, but also organizations in retail, manufacturing, consulting, telecom, and agriculture.
  • Geography: Most cases observed in Brazil, Russia, and China.

Defensive Guidance

  • Verify downloads: Always obtain CPU-Z, HWMonitor, and similar tools from official signed sources.
  • Check for rogue DLLs: Inspect installations for suspicious CRYPTBASE.dll files.
  • Monitor endpoints: Look for unusual outbound connections to domains like cahayailmukreatif.web[.]id, transitopalermo[.]com, and vatrobran[.]hr.
  • Incident response: If compromised, reset credentials, audit systems for persistence, and deploy updated endpoint detection rules.
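The two checks above that can be automated are the rogue-DLL hunt and the outbound-domain match. The following Python script is an added example, not code from the article or from CPUID: it flags any CRYPTBASE.dll that sits outside the Windows system directories (the side-loading indicator described in the Incident Overview) and scans connection log lines for the three published C2 domains, including their subdomains. It assumes a standard Windows install under C:\Windows; the file paths and log lines it runs over are constructed samples in a made-up `key=value` format.

```python
"""Triage helpers for the CPUID / STX RAT incident (added example).

1. is_rogue_cryptbase(): a CRYPTBASE.dll anywhere other than System32,
   SysWOW64 or a WinSxS component folder is a DLL side-loading indicator.
2. match_c2(): hostname tokens in a log line are compared against the
   C2 domains from the advisory (exact match or subdomain).
Sample paths and log lines below are constructed, not real telemetry.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Assumption: default Windows location. PureWindowsPath compares
# case-insensitively, so C:\WINDOWS\system32 is treated the same.
LEGIT_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)
WINSXS = PureWindowsPath(r"C:\Windows\WinSxS")

# Domains from the advisory, written defanged and refanged here for matching.
C2_DOMAINS = [d.replace("[.]", ".") for d in (
    "cahayailmukreatif.web[.]id",
    "transitopalermo[.]com",
    "vatrobran[.]hr",
)]

# Anything that looks like a hostname: letters, digits, dots, hyphens.
_HOST_TOKEN = re.compile(r"[A-Za-z0-9.-]+")


def is_rogue_cryptbase(path: str) -> bool:
    """True when the file is named CRYPTBASE.dll and lives outside the
    directories where Windows legitimately keeps it."""
    p = PureWindowsPath(path)
    if p.name.lower() != "cryptbase.dll":
        return False
    if any(p.parent == d for d in LEGIT_DIRS):
        return False
    # WinSxS keeps component copies in versioned subfolders.
    if WINSXS in p.parents:
        return False
    return True


def is_c2_host(host: str) -> bool:
    """Exact match or subdomain of a known C2 domain (trailing dot tolerated)."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in C2_DOMAINS)


def match_c2(line: str) -> Optional[str]:
    """Return the first C2 hostname found in a log line, else None."""
    for tok in _HOST_TOKEN.findall(line):
        if is_c2_host(tok):
            return tok.lower().rstrip(".")
    return None


def triage(file_paths: List[str], log_lines: List[str]) -> Dict[str, list]:
    """Run both checks and collect the hits."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        host = match_c2(line)
        if host:
            hits.append((line, host))
    return {
        "rogue_dlls": [p for p in file_paths if is_rogue_cryptbase(p)],
        "c2_hits": hits,
    }


# Constructed sample input: two legitimate copies, one WinSxS copy,
# two side-loading candidates, and one unrelated executable.
SAMPLE_PATHS = [
    r"C:\Windows\System32\cryptbase.dll",
    r"C:\Windows\SysWOW64\CRYPTBASE.dll",
    r"C:\Windows\WinSxS\amd64_cryptbase_constructed\cryptbase.dll",
    r"C:\Users\alice\Downloads\cpu-z_extracted\CRYPTBASE.dll",
    r"C:\Program Files\CPUID\HWMonitor\cryptbase.dll",
    r"C:\Users\alice\Downloads\cpu-z_extracted\cpuz_x64.exe",
]

# Constructed connection log in a made-up key=value format.
SAMPLE_LOGS = [
    "proc=cpuz_x64.exe dst=transitopalermo.com:443 action=connect",
    "proc=chrome.exe dst=update.example.net:443 action=connect",
    "proc=HWMonitor.exe dst=api.cahayailmukreatif.web.id:80 action=connect",
    "proc=svchost.exe dst=vatrobran.hr.example.org:443 action=connect",
]

if __name__ == "__main__":
    result = triage(SAMPLE_PATHS, SAMPLE_LOGS)
    for p in result["rogue_dlls"]:
        print("rogue CRYPTBASE.dll:", p)
    for line, host in result["c2_hits"]:
        print("C2 contact:", host, "<-", line)
```

The path check is deliberately location-based only: a CRYPTBASE.dll next to a signed installer in a Downloads or Program Files folder is the side-loading pattern regardless of its contents, so confirm any hit by checking the file's Authenticode signature before deleting it. The domain check walks every hostname-shaped token rather than doing a substring search, so `vatrobran.hr.example.org` (a different domain that merely contains the IoC) is not reported, while a real subdomain such as `api.cahayailmukreatif.web.id` is.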

Final Thought

This breach is a classic supply chain compromise, where trusted software downloads were weaponized to deliver malware. For users and enterprises, the lesson is clear: trust, but verify.
