CPUID Website Compromised to Distribute STX RAT Malware via CPU-Z and HWMonitor
Take action: If you downloaded CPU-Z, HWMonitor, or PerfMonitor between April 9–10, 2026, assume your system is compromised. Immediately change all your passwords (especially those saved in your browser), enable multi-factor authentication everywhere, and run a full security scan or reinstall your OS. Going forward, always verify software downloads by checking file signatures and hashes against the vendor's official published values before running any installer.
Learn More
CPUID, the French software company behind widely used hardware diagnostic tools CPU-Z and HWMonitor, suffered a supply chain attack on April 9–10, 2026, after threat actors compromised a backend API and manipulated download links on the official website to deliver trojanized executables.
Malicious links were served between April 9, 15:00 UTC, and April 10, 10:00 UTC. Note that those timestamps span roughly 19 hours, so the "approximately six hours" figure that has circulated does not match them. During the window the main website intermittently displayed malicious download links, while CPUID's own signed release files were never modified. Users who followed an affected link were redirected to a Cloudflare R2 storage endpoint that served a malicious installer named HWiNFO_Monitor_Setup.exe, deliberately borrowing the name of a different, unrelated monitoring tool (HWiNFO) to create confusion; a downloaded filename that does not match the product requested is itself a warning sign. The breach occurred while the main developer was away on holiday, giving the attackers time before the issue was identified and resolved.
The attack affected the following CPUID software products and versions:
- CPU-Z (version 2.19)
- HWMonitor Pro (version 1.57)
- HWMonitor (version 1.63)
- PerfMonitor (version 2.04)
The trojanized installers bundled a legitimate, signed CPUID executable with a malicious DLL named CRYPTBASE.dll, which the executable loaded from its own directory (DLL sideloading). A valid Authenticode signature on the executable says nothing about the DLLs it loads from alongside itself, so "the EXE is signed" is not evidence that the package is clean; the DLL itself has to be checked. The malware operated almost entirely in memory, used PowerShell to fetch additional payloads, and employed techniques to evade endpoint detection and antivirus products, including proxying NTDLL functionality through a .NET assembly.
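The two checks a practitioner would want after reading the above are (a) comparing a downloaded installer's SHA-256 against the value the vendor publishes out of band, and (b) looking for a system-named DLL such as CRYPTBASE.dll sitting next to an executable in the unpacked package, which a signature check on the executable alone will never surface. The following is an added example written for this article, not code from CPUID or from any of the analysis vendors. It assumes the vendor publishes hex SHA-256 digests on its own site; the sample directory tree, the file contents and the list of sideload-prone DLL names other than CRYPTBASE.dll are constructed for illustration.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# System DLL names that a Windows executable may resolve from its own
# directory before System32, which is what makes them sideloading targets.
# CRYPTBASE.dll is the name used in the CPUID case; the other entries are
# assumed examples of commonly abused names, not taken from the incident.
SIDELOAD_NAMES = {"cryptbase.dll", "version.dll", "dbghelp.dll", "wininet.dll"}


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large installers are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def installer_matches(path: str, expected_sha256: str) -> bool:
    """Compare the installer's digest with the vendor-published value.

    The published value is assumed to be a hex digest fetched from the
    vendor's own site over a separate channel; comparison is case-insensitive.
    """
    return sha256_of(path) == expected_sha256.strip().lower()


def sideload_candidates(directory: str) -> List[Tuple[str, str]]:
    """Return (exe, dll) pairs where a DLL with a system-DLL name sits next to
    an executable. Each hit should be hashed and checked against published
    IOCs; the executable's own signature does not vouch for the DLL."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        by_lower = {name.lower(): name for name in files}
        exes = [name for name in files if name.lower().endswith(".exe")]
        dlls = [by_lower[n] for n in SIDELOAD_NAMES if n in by_lower]
        for exe in exes:
            for dll in dlls:
                hits.append((os.path.join(root, exe), os.path.join(root, dll)))
    return sorted(hits)


def build_sample_tree() -> Dict[str, str]:
    """Constructed sample data: a clean layout and a trojanized one.

    The file contents are placeholders, not real binaries."""
    base = tempfile.mkdtemp(prefix="cpuid_demo_")
    clean = os.path.join(base, "clean")
    bad = os.path.join(base, "trojanized")
    os.makedirs(clean)
    os.makedirs(bad)
    payload = b"MZ-placeholder-for-signed-cpuz"
    for d in (clean, bad):
        with open(os.path.join(d, "cpuz.exe"), "wb") as f:
            f.write(payload)  # same legitimate executable in both layouts
    with open(os.path.join(bad, "CRYPTBASE.dll"), "wb") as f:
        f.write(b"MZ-placeholder-for-malicious-dll")
    return {
        "base": base,
        "clean": clean,
        "trojanized": bad,
        "clean_exe": os.path.join(clean, "cpuz.exe"),
    }


if __name__ == "__main__":
    tree = build_sample_tree()
    published = sha256_of(tree["clean_exe"])  # stands in for the vendor's value
    print("installer hash ok:", installer_matches(tree["clean_exe"], published))
    for exe, dll in sideload_candidates(tree["base"]):
        print("sideload candidate:", dll, "next to", exe, "sha256", sha256_of(dll))
```

The candidate scan is deliberately name-based and therefore noisy in the general case; its value here is that it flags exactly the pattern the article describes (a system-named DLL beside a signed executable) before anything is run, so the DLL can be hashed and compared with the published indicators.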
According to analysis by Kaspersky and vx-underground, the malware featured a multi-stage loader with embedded shellcode, DNS-over-HTTPS (DoH) for command-and-control communication, which hides C2 lookups inside ordinary HTTPS traffic to public resolvers and so sidesteps monitoring based on plain DNS logs, persistence through MSBuild and script-based execution, and a primary objective of credential theft targeting browser-stored data. The final payload was identified as STX RAT, an infostealer previously documented by eSentire. The same threat group was linked to a campaign targeting FileZilla users in early March 2026 that used identical command-and-control infrastructure.
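The behaviours listed above (PowerShell spawned by a freshly downloaded installer, MSBuild run against a project file in a user-writable location, and HTTPS from a non-browser process to a public DoH resolver) are each detectable from endpoint telemetry. The following is an added example for this article, not a rule set from Kaspersky, vx-underground or eSentire: it runs three simple heuristics over constructed Sysmon-style events. The event records, file paths, the encoded command string and the resolver list are assumptions made for illustration; the resolver check in particular is a coarse heuristic, since an operator can host DoH anywhere.

```python
from typing import Dict, List, Tuple

# Constructed Sysmon-style events (EventID 1 = process creation, 3 = network
# connection). These are sample records written for this example, not
# telemetry from the incident.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "Image": r"C:\Users\u\Downloads\HWiNFO_Monitor_Setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": ""},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\u\Downloads\HWiNFO_Monitor_Setup.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"MSBuild.exe C:\Users\u\AppData\Roaming\update.xml"},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "DestinationIp": "1.1.1.1", "DestinationPort": 443},
    # Benign noise: a browser using the same resolver, and a developer build.
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "1.1.1.1", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj"},
]

# Well-known public resolvers that offer DNS-over-HTTPS on port 443.
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
# Processes expected to talk HTTPS to those resolvers; anything else is unusual.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Path fragments indicating user-writable locations (assumed, non-exhaustive).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\")
HIDDEN_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(fragment in low for fragment in USER_WRITABLE)


def detect(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (rule, image) alerts for the three behaviours described above."""
    alerts = []
    for e in events:
        image = basename(e.get("Image", ""))
        if e["EventID"] == 1:
            parent = e.get("ParentImage", "")
            cmd = e.get("CommandLine", "").lower()
            # Rule 1: PowerShell with hidden/encoded flags launched by a process
            # that itself runs from a user-writable path (a downloaded installer).
            if image in ("powershell.exe", "pwsh.exe") and in_user_writable(parent) \
                    and any(flag in cmd for flag in HIDDEN_FLAGS):
                alerts.append(("powershell_from_user_path", e["Image"]))
            # Rule 2: MSBuild given a project file from a user-writable location,
            # the shape an MSBuild-based persistence mechanism takes.
            if image == "msbuild.exe" and in_user_writable(cmd):
                alerts.append(("msbuild_user_writable_project", e["Image"]))
        elif e["EventID"] == 3:
            # Rule 3: HTTPS to a public DoH resolver from something that is not
            # a browser, i.e. a process that has no reason to resolve names over HTTPS.
            if e.get("DestinationPort") == 443 and e.get("DestinationIp") in DOH_RESOLVERS \
                    and image not in BROWSERS:
                alerts.append(("doh_from_non_browser", e["Image"]))
    return alerts


if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Against the sample data the three malicious events fire one rule each and the two benign records stay quiet. In production the MSBuild rule needs an allowlist for build hosts, and the DoH rule is only a tripwire: it says nothing about traffic to a resolver the attacker controls, so it should be paired with the published IOCs rather than relied on alone.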
Based on Kaspersky's telemetry, more than 150 users downloaded a malicious variant of CPUID's products. While the majority of victims were individuals, several organizations in the retail, manufacturing, consulting, telecommunications, and agriculture sectors (primarily in Brazil, Russia, and China) were also affected.
It is worth noting that this incident comes on the heels of a separate, pre-existing vulnerability in the CPU-Z kernel driver, tracked as CVE-2025-65264: an information disclosure flaw in CPU-Z version 2.17 and earlier that allows local attackers with low privileges to read sensitive kernel memory through the driver's improperly validated IOCTL interface. NVD has not yet formally assigned a CVSS score to this vulnerability. CPUID's release notes for CPU-Z 2.19 state that the flaw was fixed and also reference a fixed DLL hijacking vulnerability; 2.19 is the same version whose download link was hijacked in this attack, so users who updated to patch the driver during the affected window may have received the trojanized installer instead.
CPUID has confirmed that the breach has been remediated and the website now serves clean versions of all affected software. Users who downloaded CPU-Z, HWMonitor, or PerfMonitor during the affected window should assume their system was compromised: change all passwords (particularly those stored in browsers) from a device known to be clean, enable multi-factor authentication, and run thorough security scans or, given the in-memory loader and persistence mechanisms described above, preferably reinstall the operating system. Kaspersky has published indicators of compromise covering the malicious files, DLLs, and URLs used in the attack.