CPUID Compromise Serves Trojanized CPU‑Z and HWMonitor, Deploying STX RAT to Users
What Happened — Threat actors seized control of the CPUID download portal (cpuid.com) for less than 24 hours (April 9 15:00 UTC – April 10 10:00 UTC). During that window the site delivered trojanized versions of popular hardware‑monitoring utilities—CPU‑Z, HWMonitor, HWMonitor Pro, and PerfMonitor—that silently installed the STX remote‑access trojan (RAT).
Why It Matters for TPRM
- Demonstrates how a trusted third‑party software distribution point can become a conduit for malware, bypassing traditional perimeter defenses.
- STX RAT provides full system control, enabling credential theft, lateral movement, and data exfiltration across the victim’s environment.
- Organizations that rely on free utilities for asset inventory or endpoint health are exposed without any direct contractual relationship with CPUID.
Who Is Affected – IT and security teams across all sectors that download or auto‑update CPU‑Z, HWMonitor, HWMonitor Pro, or PerfMonitor during the compromise window; OEMs and managed‑service providers that bundle these tools for internal use.
Recommended Actions
- Block downloads from cpuid.com until CPUID confirms the portal is clean and publishes SHA‑256 hashes for its current builds.
- Verify the integrity of any previously obtained CPU‑Z/HWMonitor/HWMonitor Pro/PerfMonitor binaries against the official SHA‑256 hashes; treat any copy downloaded between April 9 15:00 UTC and April 10 10:00 UTC as suspect until it matches a published hash.
- Deploy endpoint detection and response (EDR) rules to hunt for STX RAT indicators (file names, C2 domains, registry changes).
- Review third‑party software vetting processes: enforce hash‑based verification, maintain an approved‑software whitelist, and monitor supply‑chain risk feeds.
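The hash‑verification step above, as an added example (not code from the advisory or from CPUID): the script hashes locally cached utility binaries, compares them to an allow‑list of known‑good SHA‑256 digests, and flags unverified copies whose file timestamp falls inside the compromise window. The allow‑list, sample files and file names are constructed for the demo; the advisory gives no year for the window, so 2026 is assumed purely so the example runs.

```python
"""Check cached CPUID utility binaries against known-good SHA-256 hashes and
flag unverified copies fetched during the compromise window.

Added example. KNOWN_GOOD values and sample files are constructed here; in use,
replace them with hashes taken from CPUID's page after the cleanup was confirmed.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Compromise window from the advisory (UTC). Year not stated on the page; 2026 assumed.
WINDOW_START = datetime(2026, 4, 9, 15, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 10, 10, 0, tzinfo=timezone.utc)


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(paths, known_good, start=WINDOW_START, end=WINDOW_END):
    """Classify each file: 'ok' if its digest is on the allow-list, 'quarantine'
    if unverified and its mtime lies in the window, 'recheck' otherwise."""
    results = []
    for p in paths:
        digest = sha256_file(p)
        mtime = datetime.fromtimestamp(os.path.getmtime(p), tz=timezone.utc)
        in_window = start <= mtime <= end
        verified = digest in known_good
        if verified:
            action = "ok"
        elif in_window:
            action = "quarantine"  # unverified and obtained while the site was hostile
        else:
            action = "recheck"     # unverified; obtain the official hash and rerun
        results.append({
            "file": Path(p).name,
            "sha256": digest,
            "verified": verified,
            "in_window": in_window,
            "action": action,
        })
    return results


def demo():
    """Build two constructed sample files (not real CPUID builds) and scan them."""
    tmp = Path(tempfile.mkdtemp())
    clean = tmp / "cpu-z_sample.exe"
    suspect = tmp / "hwmonitor_sample.exe"
    clean.write_bytes(b"constructed stand-in for a clean build\n")
    suspect.write_bytes(b"constructed stand-in for a trojanized build\n")
    # Backdate the second file so it looks like it was downloaded mid-window.
    ts = datetime(2026, 4, 9, 20, 0, tzinfo=timezone.utc).timestamp()
    os.utime(suspect, (ts, ts))
    known_good = {sha256_file(clean)}  # stands in for CPUID's published hashes
    return scan([clean, suspect], known_good)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Two caveats when using this for real: the allow‑list must come from a source the attacker could not have edited while they held the portal (fetch it after CPUID confirms cleanup, and over a fresh session), and a file's modification time is only a hint, since a copied or re‑extracted binary carries a new timestamp; an unverified hash is the decisive signal regardless of the date.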
Technical Notes – Attack vector: compromise of a legitimate software download site (third‑party dependency). Malware: STX RAT (remote‑access trojan). No public CVE associated; the payload was a repackaged executable. Data at risk includes system credentials, network topology, and any data the RAT can access. Source: The Hacker News