
A recent cybersecurity incident has revealed that unknown threat actors compromised CPUID, the developer behind widely used system tools like CPU-Z and HWMonitor, to distribute malware through trojanized software downloads. The breach allowed attackers to replace legitimate download links on the official website with malicious versions for a limited time window.
The attack occurred between April 9 and April 10, during which users attempting to download the tools were unknowingly served infected installers hosted on rogue domains. Despite the breach, CPUID confirmed that its original signed files remained secure, and the issue stemmed from a compromised secondary API that redirected users to malicious sources.
The infected packages were designed to deploy a remote access trojan known as STX RAT. These trojanized files included both legitimate executables and a malicious DLL file named “CRYPTBASE.dll,” which leveraged DLL side-loading techniques to execute harmful payloads without raising immediate suspicion.
Once activated, the malware connected to external servers to download additional payloads while performing anti-sandbox checks to evade detection. The STX RAT provides attackers with extensive control over compromised systems, enabling remote command execution, in-memory payload deployment, reverse proxy tunneling, and even direct desktop interaction.
Security researchers noted that the command-and-control infrastructure used in this campaign overlaps with earlier attacks that distributed similar malware through trojanized installers of other software, indicating a broader, ongoing threat campaign.
The incident highlights the growing risk of software supply chain attacks, where trusted platforms are exploited to distribute malware at scale. Experts advise users who downloaded affected files during the breach window to immediately scan their systems and rotate all sensitive credentials to mitigate potential compromise.
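A defender-side check for the side-loading layout described above, added here as an example (not code from the article or from CPUID). It assumes that on a healthy Windows host cryptbase.dll lives only under the Windows system directories, so any other copy, especially one sitting beside an application executable, is worth reviewing by its signature status and hash.

```powershell
# Added example, not code from the article or from CPUID.
# Assumption: on a healthy Windows host, cryptbase.dll lives only under the
# Windows system directories; a copy next to an application .exe is the
# side-loading layout the article describes and deserves a closer look.
param(
    [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)},
                         "$env:USERPROFILE\Downloads", $env:TEMP)
)

$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot\WinSxS")

function Test-InSystemDir([string]$Path) {
    foreach ($d in $systemDirs) {
        if ($Path.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = foreach ($root in $Roots) {
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Filter 'cryptbase.dll' -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-InSystemDir $_.FullName) } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path        = $_.FullName
                SizeBytes   = $_.Length
                ModifiedUtc = $_.LastWriteTimeUtc
                SigStatus   = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                # Executables in the same folder: the program that would load this DLL.
                SiblingExes = (Get-ChildItem -LiteralPath $_.DirectoryName -Filter '*.exe' -File -ErrorAction SilentlyContinue).Name -join '; '
            }
        }
}

if ($findings) {
    $findings | Format-List
    $msg = '{0} cryptbase.dll copies found outside the Windows system directories; review any that are unsigned or not signed by Microsoft.' -f @($findings).Count
    Write-Warning $msg
} else {
    Write-Output 'No cryptbase.dll found outside the Windows system directories under the searched roots.'
}
```

Run it from an elevated prompt so Program Files is fully readable, and pass `-Roots C:\` for a whole-volume sweep; the hashes it reports can then be compared against indicators published for this campaign.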
