Threat actors compromised the CPUID website and spread STX RAT through fake CPU-Z and HWMonitor downloads.
Attackers breached the website CPUID and replaced download links for CPU-Z and HWMonitor with malicious files for several hours. Users who downloaded them got infected with the STX RAT, giving attackers remote access to their systems. The short attack window still exposed many users to compromise.
Investigations show attackers compromised a secondary API for about six hours, causing the site to display malicious links. The maintainers of the website confirmed that the original signed files remain safe, and the issue has been fixed.
Kaspersky reported that on April 9, 2026, the CPUID website was compromised, and download links for tools like CPU-Z and HWMonitor were redirected to malicious domains for several hours. Attackers used these sites to distribute infected installers, and Kaspersky published related indicators of compromise.
“We observed that starting from approximately April 9, 15:00 UTC, until about April 10, 10:00 UTC, the legitimate download URLs for installers of that software have been replaced,” states Kaspersky, “with URLs to the following malicious websites:
- vatrobran[.]hr;
- cahayailmukreatif.web[.]id;
- pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev;
- transitopalermo[.]com.”
Kaspersky found that attackers distributed trojanized CPU-Z and HWMonitor installers with a malicious DLL (“CRYPTBASE.dll”) using DLL sideloading. The DLL handled C2 communication, anti-sandbox checks, and payload delivery, reusing infrastructure from a previous fake FileZilla campaign.
“The interesting part here is that the attackers reused both the C2 address and the connection configuration from the March 2026 campaign where the attackers hosted a fake FileZilla (an open-source FTP client) site distributing malicious downloads,” continues the report. “The configuration embedded in the DLL is presented further. The “referrer” field in the configuration equals “cpz” which tends to be a shorthand for “CPU-Z”.”
The attack ultimately deployed a sophisticated RAT after multiple staged loaders. Attackers reused the known STX RAT, making detection easier thanks to existing rules. Despite compromising a popular software site, they failed to evade detection. Researchers found over 150 victims, mainly individuals but also organizations across multiple sectors, with most cases in Brazil, Russia, and China.
Kaspersky experts advise checking DNS logs and systems for signs of infection.
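As an added defender-side example (not code from the report or this article), the following Python scan walks constructed DNS log lines and flags two things: any query for the malicious domains quoted above (or their subdomains), and any query for cpuid.com inside the compromise window the report gives. The log line format is an assumption made for the example.

```python
import re
from datetime import datetime, timezone

# Indicators quoted from the Kaspersky report (defanged on the page); refanged below for matching.
MALICIOUS_DOMAINS = [
    "vatrobran[.]hr",
    "cahayailmukreatif.web[.]id",
    "pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev",
    "transitopalermo[.]com",
]
# Window during which cpuid.com served redirected download links (per the report).
WINDOW_START = datetime(2026, 4, 9, 15, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 10, 10, 0, tzinfo=timezone.utc)

def refang(domain: str) -> str:
    return domain.replace("[.]", ".").lower()

IOC_SET = {refang(d) for d in MALICIOUS_DOMAINS}

def matches_ioc(qname: str) -> bool:
    """True if qname is one of the indicator domains or a subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IOC_SET)

# Assumed log format: "<ISO8601 timestamp> <client-ip> query: <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query: (?P<qname>\S+)$")

def scan_dns_log(lines):
    """Return (client, qname, reason) tuples for lines worth investigating."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        qname = m["qname"].rstrip(".")
        if matches_ioc(qname):
            hits.append((m["client"], qname, "ioc-domain"))
        elif qname.lower().endswith("cpuid.com") and WINDOW_START <= ts <= WINDOW_END:
            hits.append((m["client"], qname, "cpuid-during-compromise-window"))
    return hits

# Constructed sample log lines for the example; not real telemetry.
SAMPLE_LOG = """\
2026-04-09T14:30:00Z 10.0.0.5 query: www.cpuid.com
2026-04-09T16:02:11Z 10.0.0.7 query: download.cpuid.com
2026-04-09T16:02:14Z 10.0.0.7 query: transitopalermo.com
2026-04-10T09:59:59Z 10.0.0.9 query: cdn.vatrobran.hr
2026-04-11T08:00:00Z 10.0.0.9 query: www.cpuid.com
"""
```

A hit on a cpuid.com query inside the window only means the host may have fetched a download page while the links were swapped; the IoC-domain hits are the ones that indicate an installer actually reached back to the attacker infrastructure.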
“Compared to other recent watering hole and supply chain attacks, such as the Notepad++ supply chain attack, the attack on the cpuid.com website was orchestrated quite poorly,” concludes the report. “The gravest mistake attackers made was to reuse the same infection chain involving STX RAT, and the same domain names for C2 communication, from the previous attack related to fake FileZilla installers.”
(SecurityAffairs – hacking, CPUID)
Source: SecurityAffairs
Source Link: https://securityaffairs.com/190702/malware/cpuid-watering-hole-attack-spreads-stx-rat-malware.html
