Hackers Hijack CPUID Download Site, Distribute STX RAT via Watering‑Hole Attack
What Happened — Between 15:00 UTC on April 9 and 10:00 UTC on April 10, CPUID’s download API was compromised so that legitimate download pages redirected visitors to malicious archives. Each archive bundled a genuinely signed CPUID installer together with a malicious CRYPTBASE.dll; when the installer ran, it sideloaded the attacker’s DLL in place of the Windows system library of the same name, and that DLL loaded the STX Remote Access Trojan. The RAT then contacted a C2 server (supp0v3.com) to retrieve further payloads.
Why It Matters for TPRM —
- A supply‑chain compromise at a widely used utility vendor can expose downstream customers to a remote access trojan that stages further payloads on demand.
- The attack was served from the vendor’s own trusted domain and rode on a legitimately signed installer; the malicious code sat in the side‑loaded DLL rather than in the signed executable, so domain reputation and signature checks on the installer alone did not flag it.
- Highlights the need for continuous monitoring of third‑party software distribution channels and verification of code signatures.
Who Is Affected — Technology / SaaS vendors, hardware manufacturers, IT service providers, and any organization that downloads CPUID utilities (HWMonitor, CPU‑Z, etc.) for internal use.
Recommended Actions —
- Treat any CPUID utility downloaded between 15:00 UTC on April 9 and 10:00 UTC on April 10 as suspect; quarantine it and stop running it until its integrity has been verified.
- Verify existing installations by comparing file hashes against vendor‑published hashes obtained through a channel other than the affected download pages; check the whole downloaded archive and any bundled CRYPTBASE.dll, not only the installer, since the signed installer itself can verify cleanly. Re‑install from a trusted source if anything does not match.
- Deploy detection rules for the STX RAT: a CRYPTBASE.dll loaded from any directory other than the Windows system directories (the name alone is a poor indicator, because the genuine cryptbase.dll is loaded by almost every process), and DNS or proxy traffic to the C2 domain supp0v3.com.
- Review CPUID’s security posture and consider alternative utilities with stronger supply‑chain controls.
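The two detection checks and the hash verification from the recommended actions, worked through as an added example that is not code from the original advisory or from CPUID. It assumes Sysmon‑style telemetry (EventID 7 for image loads, EventID 22 for DNS queries) rendered as tab‑separated key=value lines; the installer name, user paths and sample events are constructed for illustration and are not taken from the incident.

```python
"""Added example: hunt for the CRYPTBASE.dll sideload and the supp0v3.com C2 lookup
in endpoint telemetry, and verify a download against an out-of-band hash.

Assumptions (not from the advisory): Sysmon-style events (7 = ImageLoad,
22 = DnsQuery) rendered as tab-separated key=value lines; all file names and
paths in the sample data are constructed.
"""
import hashlib
from pathlib import PureWindowsPath

C2_DOMAIN = "supp0v3.com"          # indicator named in the advisory
SIDELOADED_DLL = "cryptbase.dll"   # the genuine copy lives only under System32/SysWOW64
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample telemetry (not real logs). Event 1 is the benign system copy that
# every process loads; event 2 is the same file name loaded from the directory the
# archive was extracted to; event 3 is the C2 lookup; event 4 is benign DNS noise.
SAMPLE_EVENTS = [
    "EventID=7\tImage=C:\\Users\\alice\\Downloads\\cpuz_setup.exe\tImageLoaded=C:\\Windows\\System32\\cryptbase.dll",
    "EventID=7\tImage=C:\\Users\\alice\\Downloads\\cpuz_setup.exe\tImageLoaded=C:\\Users\\alice\\Downloads\\CRYPTBASE.dll",
    "EventID=22\tImage=C:\\Users\\alice\\Downloads\\cpuz_setup.exe\tQueryName=supp0v3.com",
    "EventID=22\tImage=C:\\Program Files\\Mozilla Firefox\\firefox.exe\tQueryName=www.cpuid.com",
]


def parse_event(line):
    """Split one tab-separated key=value line into a dict."""
    fields = {}
    for part in line.split("\t"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def is_sideload(event):
    """True when cryptbase.dll is loaded from anywhere except the Windows system
    directories. Matching on the file name alone would fire constantly, because the
    genuine DLL is loaded by nearly every process; the load path is what matters."""
    if event.get("EventID") != "7":
        return False
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    if loaded.name.lower() != SIDELOADED_DLL:
        return False
    return str(loaded.parent).lower() not in SYSTEM_DIRS


def is_c2_lookup(event):
    """True for a DNS query for the C2 domain or any subdomain of it (a trailing
    dot from a fully qualified name is tolerated)."""
    if event.get("EventID") != "22":
        return False
    name = event.get("QueryName", "").lower().rstrip(".")
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)


def hunt(lines):
    """Return (rule_name, process_image, indicator) for every matching event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_sideload(ev):
            hits.append(("cryptbase_sideload", ev["Image"], ev["ImageLoaded"]))
        elif is_c2_lookup(ev):
            hits.append(("stx_c2_dns", ev["Image"], ev["QueryName"]))
    return hits


def verify_download(data, expected_sha256):
    """Compare a downloaded file's SHA-256 with a hash obtained out of band (vendor
    mail, signed release notes, a copy cached before the incident window). A hash
    taken from the same download page proves nothing when the page's links were
    the thing that was poisoned."""
    return hashlib.sha256(data).hexdigest().lower() == expected_sha256.strip().lower()


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Run against real telemetry, the sideload rule is the higher‑fidelity signal: a CRYPTBASE.dll outside the system directories has essentially no benign explanation, whereas the DNS rule depends on the RAT reaching the C2 domain and on DNS logging being in place.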
Technical Notes — Attack vector: a compromised secondary (download) API that rewrote the URLs on otherwise legitimate download pages (THIRD_PARTY_DEPENDENCY). The malware used DLL sideloading via a malicious CRYPTBASE.dll placed beside the signed installer, performed anti‑sandbox checks before running its payload, and connected to a Russian‑linked C2 domain hosted on bullet‑proof infrastructure. The signed binaries themselves were not modified; only the download links were poisoned. Source: Help Net Security