
CPU-Z Website Hacked: Trojanized Downloads Delivered STX RAT to 150+ Victims

Sara Voss
Security & Privacy  ·  April 10, 2026
150+ Victims Confirmed
~19-Hour Breach Window
STX RAT Payload
5 Industry Sectors Hit

Supply chain attacks are frightening precisely because they exploit trust — and few tools carry more implicit trust among Windows power users and IT professionals than CPU-Z and HWMonitor, the system diagnostics utilities distributed by CPUID. On April 9–10, 2026, attackers turned that trust into a weapon: for approximately 19 hours, anyone who visited cpuid.com and downloaded what appeared to be a legitimate installer received something far more dangerous — a trojanized package quietly deploying the STX RAT, one of the most capable remote access trojans currently observed in the wild. At least 150 victims across five industry sectors are now confirmed compromised.

How the Attack Unfolded: 19 Hours Inside CPUID’s Infrastructure

The CPUID breach ran silently for ~19 hours before detection — a window wide enough to compromise hundreds of machines.

The breach window ran from approximately April 9, 2026, at 15:00 UTC to April 10, 2026, at 10:00 UTC — 19 hours during which cpuid.com served malicious content without triggering automated alerts that would prompt remediation. The attackers accessed CPUID’s web infrastructure and surgically replaced the legitimate download URLs for both CPU-Z and HWMonitor with links pointing to trojanized installer packages hosted on attacker-controlled infrastructure.

The modification was deliberately minimal — the visual presentation of the download pages remained unchanged, and the file names mimicked legitimate installer naming conventions exactly. Users who had previously bookmarked or linked directly to CPUID’s download pages received no visual warning that anything was amiss. Even security-conscious users who checked file sizes might not have noticed, as the trojanized packages were padded to approximate the expected file size.

The delivery mechanism relied on a particularly elegant technique: DLL side-loading via a malicious CRYPTBASE.dll. The trojanized installer placed this crafted DLL alongside a legitimate signed executable, causing Windows to load the malicious library through the normal DLL search order — entirely bypassing application allowlisting controls that check the main executable’s signature rather than its dependencies.

Key Insight

DLL Side-Loading: The Trusted Process Bypass

By placing CRYPTBASE.dll alongside a legitimately signed binary, attackers bypassed code-signing and application control checks entirely. The OS loads the malicious library automatically — meaning every security tool that validates only the parent process’s signature is effectively blind to the compromise.
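A defender-side check for the layout described above, added here as an illustration and not code from the article or from CPUID: it walks a directory tree for copies of CRYPTBASE.dll that sit outside the Windows system directories and share a folder with an executable, which is the placement a side-loading dropper depends on. The sample tree, its file names and its file contents are constructed placeholders.

```python
import os
import tempfile

# Where a legitimate copy of the DLL lives on Windows; a same-named DLL elsewhere, beside an .exe, is the side-load layout.
SYSTEM_DIRS = ("windows\\system32", "windows\\syswow64", "windows\\winsxs")


def _under_system_dir(path):
    norm = path.replace("/", "\\").lower()
    return any(d in norm for d in SYSTEM_DIRS)


def find_sideload_candidates(root, dll_name="cryptbase.dll"):
    """Walk `root` and return paths of DLLs named `dll_name` that sit outside
    the Windows system directories and share a folder with a .exe, the layout
    a trojanized installer drops so the signed binary loads the rogue DLL."""
    dll_name = dll_name.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        lower = [f.lower() for f in files]
        if dll_name not in lower or _under_system_dir(dirpath):
            continue
        if any(f.endswith(".exe") for f in lower):
            hits.append(os.path.join(dirpath, files[lower.index(dll_name)]))
    return sorted(hits)


def build_demo_tree():
    """Constructed sample tree (placeholder bytes, not real files): a legitimate
    system copy, a stray DLL with no executable beside it, and an installer
    folder carrying both a .exe and a CRYPTBASE.dll."""
    root = tempfile.mkdtemp(prefix="sideload_demo_")
    layout = {
        "Windows/System32": ["cryptbase.dll", "notepad.exe"],
        "Users/admin/Downloads/installer": ["setup.exe", "CRYPTBASE.dll"],
        "Users/admin/Documents": ["CRYPTBASE.dll"],
    }
    for rel, names in layout.items():
        folder = os.path.join(root, rel)
        os.makedirs(folder)
        for name in names:
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"placeholder")
    return root


if __name__ == "__main__":
    for hit in find_sideload_candidates(build_demo_tree()):
        print("side-loading candidate:", hit)
```

Only the installer folder is reported: the System32 copy is excluded by location and the Documents copy has no executable beside it.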

The STX RAT Payload: Capabilities, Delivery, and Why It’s Dangerous

STX RAT’s in-memory execution model makes it exceptionally difficult to detect through traditional file-scanning approaches.

The STX RAT is not a commodity tool. Researchers analyzing the payload describe a sophisticated remote access trojan with a feature set that suggests development resources and operational security discipline well beyond typical cybercriminal tooling. Its most dangerous characteristic is in-memory execution — the RAT’s core modules never write a conventional executable to disk in their active form, making them invisible to file-based detection by endpoint security products scanning the filesystem.

The full capability stack includes Hidden Virtual Network Computing (HVNC) — allowing attackers to operate a fully interactive desktop session on the victim machine without the user’s knowledge, with no taskbar indication or cursor movement visible to the machine’s legitimate user. Coupled with an integrated infostealer module that exfiltrates credentials, browser cookies, saved passwords, and cryptocurrency wallet files, and a reverse proxy capability that can route further attacker traffic through the compromised host, STX RAT provides essentially complete operational control of an infected machine.

Command-and-control communications are encrypted and designed to blend with legitimate HTTPS traffic patterns, complicating network-level detection. Kaspersky researchers, who were among the first to publish detailed technical analysis of the payload, described it as among the more capable RATs observed in recent campaigns — suggesting either a well-funded threat actor or one with access to high-quality commercial crimeware.

Key Insight

HVNC + In-Memory Execution = Effectively Invisible to Standard Defenses

Standard EDR and AV solutions that rely on file-system scanning or process injection detection miss STX RAT’s HVNC sessions entirely. Victims may be fully compromised — credentials stolen, sessions hijacked — without any alert triggering. Behavioral detection and memory scanning are the only reliable countermeasures.

Victim Profile: Who Was Hit and What Sectors Were Exposed

Kaspersky’s analysis identified over 150 confirmed victims across five distinct industry verticals: retail, manufacturing, telecommunications, consulting, and agriculture. The geographic distribution spans Brazil, Russia, and China, suggesting either a globally dispersed threat actor or a case where the infected software’s popularity across these markets drove the victim distribution organically.

The sector spread is notable because it suggests the attackers were not targeting a specific industry vertical — they were harvesting opportunistically from the pool of IT and engineering professionals who routinely use CPU-Z and HWMonitor for hardware diagnostics. These are tools disproportionately used by system administrators, hardware engineers, and IT operations staff — precisely the individuals with the elevated privileges and network access that make a RAT infection maximally valuable.

The 150+ figure represents confirmed forensic cases and almost certainly understates the true victim count. Many infections may not yet be detected given STX RAT’s in-memory execution model, and organizations in the affected sectors should treat any CPU-Z or HWMonitor download during the April 9–10 window as a confirmed compromise requiring full incident response procedures.

Key Insight

150+ Confirmed Is a Floor, Not a Ceiling

STX RAT’s in-memory execution means many infections remain undetected by file-scanning tools. Organizations where staff downloaded CPUID software during the 19-hour window should initiate proactive memory forensics rather than waiting for an alert — by the time file-based detection fires, credential theft may already be complete.

Lessons Learned: Software Supply Chain Risk in the Developer Tooling Space

The CPUID breach joins a growing canon of software supply chain attacks that exploit the implicit trust users place in well-known utility software. SolarWinds, 3CX, and now CPUID share a common attack surface: organizations that maintain high-trust software distributions but whose web infrastructure security may not match the level of trust their users extend to their products.

For security teams, this incident reinforces several tactical imperatives. First: hash verification of downloads from any software vendor is essential — not just trust-by-reputation. CPUID publishes SHA256 hashes for legitimate releases; any download during the breach window that doesn’t match historical known-good hashes should be treated as malicious immediately. Second: privileged user device isolation is not optional. System administrators running diagnostic utilities on domain-connected machines with elevated privileges create an attack surface that single-handedly justifies the effort of a supply chain compromise.
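The hash check this paragraph calls for, added here as an illustration rather than anything CPUID or the article provides: it streams a downloaded installer through SHA-256 and compares the digest with a reference list captured before the breach window. The installer bytes and the reference hash are constructed placeholders. The built-in caveat is that references must come from an earlier snapshot or an out-of-band source, because hashes published on the same compromised infrastructure as the download cannot be trusted either.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large installers are never read whole


def sha256_file(path):
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, known_good):
    """Check an installer against filename -> SHA-256 references recorded before
    the breach window or obtained out of band (never from the same page as the
    download). Returns 'match', 'mismatch' or 'unknown'; only 'match' is trusted."""
    expected = known_good.get(os.path.basename(path).lower())
    if expected is None:
        return "unknown"
    return "match" if sha256_file(path) == expected.lower() else "mismatch"


def build_demo():
    """Constructed fixtures, not real CPUID artifacts: a file whose hash is on
    record, and a same-named, same-sized file with altered content standing in
    for a swapped download. Returns (good_path, bad_path, known_good)."""
    good_bytes = b"PLACEHOLDER legitimate installer bytes"
    bad_bytes = good_bytes[:-5] + b"\x00" * 5  # same length, different content
    good_path = os.path.join(tempfile.mkdtemp(), "setup.exe")
    bad_path = os.path.join(tempfile.mkdtemp(), "setup.exe")
    for p, data in ((good_path, good_bytes), (bad_path, bad_bytes)):
        with open(p, "wb") as fh:
            fh.write(data)
    return good_path, bad_path, {"setup.exe": hashlib.sha256(good_bytes).hexdigest()}


def run_demo():
    good, bad, ref = build_demo()
    return {"original": verify_download(good, ref), "swapped": verify_download(bad, ref),
            "unlisted": verify_download(good, {})}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The swapped file matches the original in name and size, exactly the situation the article describes, and is caught only by the digest comparison.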

The broader lesson for the industry is systemic: the open distribution model that makes developer and IT utility software accessible and useful is the same model that makes it an attractive attack vector. Until code signing, reproducible builds, and automatic binary verification become standard requirements for all software in the IT professional tooling category, supply chain attacks of this type will continue to yield high-value victims from a single well-executed infrastructure compromise.

Key Insight

Supply Chain Trust Is the Attack Surface — Not the Software Itself

Attackers didn’t need to compromise CPU-Z’s codebase — they only needed to compromise cpuid.com’s download infrastructure for 19 hours. The lesson: trust in the vendor name is insufficient. Hash verification, binary transparency logs, and mandatory signing of the complete distribution chain are the minimum required controls.

Frequently Asked Questions

What happened to the CPUID website in April 2026?

Attackers compromised cpuid.com for approximately 19 hours between April 9–10, 2026, replacing legitimate CPU-Z and HWMonitor download links with trojanized installers that deployed the STX RAT malware via DLL side-loading.

What is STX RAT and what can it do?

STX RAT is a sophisticated remote access trojan featuring Hidden VNC (invisible desktop sessions), in-memory execution (evades file-based detection), a reverse proxy, and an infostealer module that exfiltrates credentials, browser cookies, and cryptocurrency wallets.

How many victims were affected by the CPUID breach?

Kaspersky confirmed at least 150 victims across retail, manufacturing, telecom, consulting, and agriculture in Brazil, Russia, and China. The actual victim count is likely higher, as STX RAT’s in-memory execution evades many standard detection tools.

How was the malware delivered technically?

The trojanized installer placed a malicious CRYPTBASE.dll alongside a legitimately signed executable. Windows’s DLL search order caused the OS to load the malicious library automatically — bypassing application allowlisting controls that only check the main executable’s signature.

What should organizations do if they downloaded CPU-Z during the breach window?

Treat any download between April 9 15:00 UTC and April 10 10:00 UTC as a confirmed compromise. Initiate full incident response: memory forensics, credential rotation across all accounts accessible from the affected machine, network traffic review for C2 communication, and isolation of the device pending full remediation.


Sara Voss
https://networkcraft.net/author/sara-voss/
Investigative Tech Reporter at Networkcraft. The most important security story is usually the one nobody's covering yet. Specialises in cybersecurity, digital privacy, data breaches, and the policy decisions that shape how technology affects civil liberties.