CPUID Project Breach: STX RAT Distributed Through Poisoned Links

The cybersecurity landscape was shaken once again on April 9, 2026, when the official website for CPUID (cpuid.com) became the vector for a targeted supply-chain attack. For approximately 19 hours—from April 9, 15:00 UTC, to April 10, 10:00 UTC—the distribution mechanism for widely used hardware monitoring tools such as CPU-Z and HWMonitor was compromised. While the original software binaries remained signed and untampered with, the delivery infrastructure was effectively poisoned, redirecting unsuspecting users to malicious third-party servers. This incident, now known as the CPUID project breach, serves as a stark reminder of the inherent risks embedded in software distribution chains.

Anatomy of the Supply-Chain Compromise

The CPUID project breach was not a failure of the software development lifecycle itself, but rather an exploitation of the distribution architecture. According to official acknowledgments from the vendor, the threat actors gained unauthorized access to a secondary API that managed download redirection. This allowed the attackers to intercept legitimate traffic and serve a trojanized installer, identified as “HWiNFO_Monitor_Setup,” instead of the intended hardware diagnostic utility.

Security researchers, including those at Kaspersky and various threat intelligence organizations, highlighted that the malicious redirect occurred sporadically, effectively making the experience for a website visitor a “coin toss” between receiving legitimate software or a malware-laced payload. The threat actors leveraged external storage services, such as Cloudflare R2, to host these malicious files, distancing their infrastructure from the legitimate cpuid.com domain to evade immediate reputation-based filtering.

Technical Deep Dive: The STX RAT Execution Chain

The payload delivered during this campaign was the STX RAT (Remote Access Trojan). This sophisticated piece of malware has been under close observation since early 2026, frequently appearing in campaigns targeting financial institutions and now, increasingly, in opportunistic supply-chain attacks. The attack chain utilized a classic, yet effective, DLL sideloading technique.

The trojanized installer contained a legitimate, signed executable alongside a malicious file named CRYPTBASE.dll. When the 64-bit version of the hardware monitoring tool was launched, the application inadvertently loaded this malicious DLL, which was strategically placed in the same directory. This triggered a multi-stage, in-memory execution process designed specifically to bypass endpoint detection and response (EDR) systems:

• Anti-Sandbox Checks: Before initiating any malicious activity, the DLL performs comprehensive environment checks to identify the presence of virtualization software (such as VirtualBox, VMware, or QEMU). If analysis tools are detected, the malware enters a “jitter exit” state, involving randomized sleep delays to frustrate automated sandbox detonation.
• Reflective PE Loading: The STX RAT does not rely on writing traditional files to the disk. Instead, it utilizes reflective loading, where the malicious code is mapped directly into memory, significantly reducing the forensic footprint left on the host system.
• Layered Decryption: The payload employs layered bitwise transformations, including XXTEA decryption and Zlib decompression, to unpack the RAT’s final functional stages. This modular architecture allows the attacker to keep the core functional logic obfuscated until the very last moment.
• Stealth C2 Communication: The malware initiates communication with hardcoded command-and-control (C2) infrastructure—notably, domains such as welcome[.]supp0v3[.]com. The traffic is protected by modern cryptographic protocols, including X25519 for key exchange and ChaCha20-Poly1305 for integrity, ensuring that network analysts cannot easily inspect the data being exfiltrated.

The Impact: Credential Theft and Remote Control

The primary objective of the STX RAT delivered in the CPUID project breach is widespread data theft. Once the trojan gains a foothold, it establishes a persistent presence on the victim’s machine. Its capabilities are extensive, providing the threat actors with more than just basic administrative access:

• Credential Harvesting: The RAT specifically targets browser credential stores, cookies, and saved FTP configurations. It is designed to interact with browser-bound interfaces to decrypt and exfiltrate sensitive login information.
• Hidden Remote Desktop (HVNC): Perhaps the most alarming feature of STX RAT is its support for hidden Virtual Network Computing (HVNC). This allows the attacker to open a secondary, hidden desktop session on the victim’s computer. The user may continue to work on their primary desktop completely unaware that an attacker is interacting with their system, manipulating files, or launching further payloads in the background.
• Keylogging and Screen Capturing: Standard RAT functionality is present, enabling continuous monitoring of the victim’s activities, which is used to build a profile for further lateral movement within a corporate or private network.

Why Supply-Chain Attacks are Increasing

The CPUID project breach exemplifies a growing trend in modern cyber-warfare. Rather than attempting to break through hardened network perimeters of individual organizations, threat actors are increasingly targeting the software ecosystem itself. By compromising a trusted utility, they gain immediate, privileged access to thousands of endpoints simultaneously. This “force multiplier” effect is highly attractive to cybercriminal groups.

Furthermore, developers of utility software—often small, lean teams—are becoming attractive targets because they may lack the enterprise-grade security oversight required to protect auxiliary infrastructure like secondary APIs or automated build servers. As noted by researchers, the attackers behind this specific breach re-used infrastructure and tactics observed in previous campaigns, such as those targeting FileZilla, indicating a clear, repeatable playbook centered on abusing the trust inherent in software updates.

Remediation and Defensive Posture

Organizations and power users who may have downloaded or updated CPUID tools between April 9 (15:00 UTC) and April 10 (10:00 UTC) should operate under the assumption of a full system compromise. The stealthy nature of in-memory execution means that simple file-system scans may not be sufficient to identify an infection.

Recommended Actions for Impacted Users:

1. Endpoint Scans: Utilize advanced EDR or threat-hunting platforms to identify the presence of CRYPTBASE.dll or unexpected network activity targeting the C2 domains associated with this campaign.
2. Credential Reset: If an infected system was used to access sensitive accounts—especially financial, corporate, or administrative portals—assume those credentials have been exfiltrated and initiate a mandatory password reset.
3. Monitor Network Traffic: Block known indicators of compromise (IOCs) at the network perimeter. Specifically, monitor for outgoing connections to suspect R2 storage domains and the identified C2 infrastructure.
4. Software Integrity: Moving forward, verify the digital signatures of every downloaded installer, even if retrieved from an “official” source. While the original binaries were safe in this incident, the poisoned delivery link redirected users to a completely different, unsigned (or improperly signed) malicious package.

In conclusion, the CPUID project breach is a sobering milestone in the 2026 threat landscape. It underscores the vital need for robust integrity checks and a “zero-trust” approach to software distribution. As attackers shift their focus toward the trust-based vulnerabilities of the software supply chain, the burden of security must be shared more actively between software vendors and the users who rely on their tools for critical system diagnostics.