# CPUID Breach: Hackers Distributed STX RAT via Trojanized Hardware Monitoring Tools


A brief but serious supply chain compromise potentially exposed a large population of system administrators and technology enthusiasts when unknown threat actors breached CPUID, a prominent provider of hardware diagnostic software, and used its website to distribute a remote access trojan. The malicious distribution window lasted approximately 19 hours, during which trojanized versions of widely trusted CPU monitoring applications were served to an unknown number of users.


## The Incident


On April 9, 2025, threat actors compromised cpuid.com and replaced legitimate installation files with trojanized versions bundled with STX RAT, a remote access trojan that gives its operators remote control of infected systems. The compromise affected downloads of CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor, tools relied upon by IT professionals, overclockers, system administrators, and hardware enthusiasts worldwide.


The malicious distribution window remained open for approximately 19 hours, from 15:00 UTC on April 9 through approximately 10:00 UTC on April 10. During this window, any user downloading these tools directly from CPUID's official website received compromised executables instead of legitimate software.


CPUID subsequently detected the compromise, restored clean versions of the affected software, and notified users. However, the exact number of systems infected with STX RAT remains unknown, and security researchers continue assessing the scope of the incident.


## Background and Context: Who Is CPUID?


CPUID is a trusted provider of system diagnostic and monitoring software with an established reputation spanning two decades. The company's flagship products serve several distinct constituencies:

| Product | Primary Users | Typical Use Cases |
|---------|--------------|-------------------|
| CPU-Z | Tech enthusiasts, overclockers, IT professionals | CPU/memory/GPU identification and benchmarking |
| HWMonitor | System administrators, hardware developers | Real-time hardware temperature and voltage monitoring |
| HWMonitor Pro | Enterprise IT departments | Advanced monitoring with logging and alerting |
| PerfMonitor | Performance analysts, developers | System performance profiling and optimization |


The legitimacy and ubiquity of CPUID's tools made them an attractive attack vector. System administrators routinely download these utilities to diagnose hardware issues, meaning a supply chain compromise at CPUID could distribute malware at significant scale.


## Technical Details: Understanding STX RAT


STX RAT is a remote access trojan that provides attackers with comprehensive control over infected systems. While limited public information exists about STX RAT specifically, remote access trojans in this category typically offer:


  • Full system access via command execution
  • File management (upload, download, modification, deletion)
  • Process monitoring and termination
  • Registry/configuration file access (Windows systems)
  • Credential harvesting from browser caches and credential managers
  • Persistence mechanisms to survive system reboots
  • Command and control (C2) communications for remote operator control

The trojanized executables bundled the malware with the legitimate CPUID software, so users who installed a compromised version obtained both the expected monitoring tool and the hidden payload. This approach increases the likelihood of a successful, unnoticed infection: the software functions normally while STX RAT operates silently in the background.


## Attack Timeline

| Date/Time (UTC) | Event |
|-----------------|-------|
| April 9, 15:00 | Compromise begins; malicious versions uploaded to cpuid.com |
| April 9–10 | Unknown number of users download trojanized software |
| April 10, ~10:00 | CPUID detects the compromise |
| April 10, post-detection | CPUID restores clean versions and begins notification process |
| April 10 onward | Security community notifies users; incident investigation ongoing |


## Implications for Organizations

This incident highlights several weaknesses in modern software supply chains:

### Immediate Risks

  • Infected systems may be under attacker control, with threat actors capable of lateral movement, data exfiltration, and further malware installation
  • Enterprise networks are at particular risk if administrators downloaded compromised versions while connected to corporate infrastructure
  • Credential compromise should be assumed, as RATs typically harvest stored credentials and session tokens
  • Persistence mechanisms mean attackers may retain access even after the infection is detected, unless systems undergo complete remediation

### Broader Supply Chain Concerns

  • Trust erosion: even well-established vendors can be compromised, making software supply chain security increasingly difficult to ensure
  • Difficult detection: legitimate distribution channels can be weaponized, and a binary fetched from the vendor's own site passes the reputation checks many controls rely on
  • Scale of exposure: popular tools have millions of users, amplifying the potential impact of any compromise

### Organizational Assessment Questions

Organizations using CPUID tools should immediately ask:

  • Did any of our systems download from cpuid.com during the affected window (April 9, 15:00 UTC to April 10, 10:00 UTC)? Check proxy, DNS, and firewall logs, remembering that those logs may be recorded in local time rather than UTC.
  • Which users or systems installed CPUID software during this period?
  • Do we have endpoint detection and response (EDR) tooling that logged process execution on the installation date?
  • Have we noticed any suspicious network traffic, lateral movement, or unusual privilege escalation attempts?

## Recommendations


### For Affected Users

1. Assume compromise if you downloaded CPUID software during the affected window. Treat affected systems as potentially fully compromised.

2. Isolate systems from production networks and conduct a full forensic investigation before restoration.

3. Restore from clean backups taken before the download, or perform a complete OS reinstallation; malware removal alone may be insufficient if persistence mechanisms are in place.

4. Reset all credentials stored on or used from the affected systems, including cloud service tokens, SSH keys, and API credentials.

5. Monitor network activity for indicators of compromise (IOCs) associated with STX RAT; request IOCs from your security team or from CPUID directly.

6. Reinstall CPUID tools from cpuid.com, where clean versions have been restored, only after systems have been fully remediated.


### For Security Teams

1. Scan endpoint inventories for CPUID tool installations with timestamps in the April 9–10, 2025 window.

2. Review EDR/security logs for suspicious process execution, network connections, or credential access correlating with CPUID installation times.

3. Check for IOCs associated with STX RAT; request indicators from threat intelligence feeds, CPUID, or security vendors.

4. Implement application allowlisting to prevent unauthorized execution of remote access tools.

5. Enable software source verification where possible to prevent installation of unsigned or tampered binaries. Note that this control only helps against an attack like this one if the trojanized installers were unsigned or signed with a certificate other than CPUID's; whether that was the case here is not established.
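As an added example, not code from the original article or from CPUID, the following Python script answers the "did we download from cpuid.com during the window" question from the assessment list above and complements the endpoint-inventory check in step 1: it parses web-proxy log lines, normalises each timestamp to UTC, and flags fetches of CPUID installers from cpuid.com that fall inside the reported window, optionally padded because both ends of the window are only approximate. The log line format, the download hostnames, and the installer file-name patterns are assumptions chosen for illustration, and the sample log is constructed; adapt LINE_RE and INSTALLER_RE to the fields your proxy or SIEM actually records.

```python
"""Proxy-log hunt for CPUID installer downloads inside the compromise window.

Added example, not code from the original article or from CPUID. The log line
format (ISO-8601 timestamp with UTC offset, client IP, user, method, URL), the
download hostnames and the installer file-name patterns are assumptions; the
sample log below is constructed.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Window reported by the article. Both ends are "approximately", so hunt()
# accepts a slack in hours to widen it.
WINDOW_START = datetime(2025, 4, 9, 15, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 4, 10, 10, 0, tzinfo=timezone.utc)

# Assumed: installers are served from cpuid.com or a subdomain of it.
CPUID_DOMAIN = "cpuid.com"
# Assumed file-name shapes for the four affected products (CPU-Z, HWMonitor,
# HWMonitor Pro, PerfMonitor); applied to the last path segment only.
INSTALLER_RE = re.compile(r"(cpu-?z|hwmonitor(?:-?pro)?|perfmonitor)[^/]*\.(exe|zip)$", re.I)

# Constructed log format: "<ISO-8601 ts with offset> <client ip> <user> <METHOD> <url>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def parse_line(line):
    """Return a record with a UTC-normalised timestamp, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"])
    if ts.tzinfo is None:
        # A naive timestamp cannot be compared against a UTC window; refuse
        # rather than silently assuming the proxy's local zone.
        raise ValueError(f"timestamp without UTC offset: {m['ts']}")
    return {"ts": ts.astimezone(timezone.utc), "client": m["client"],
            "user": m["user"], "method": m["method"], "url": m["url"]}


def is_cpuid_host(host):
    """Exact-domain or subdomain match; a plain suffix test would accept cpuid.com.example.net."""
    host = host.lower().rstrip(".")
    return host == CPUID_DOMAIN or host.endswith("." + CPUID_DOMAIN)


def in_window(ts, slack_hours=0):
    slack = timedelta(hours=slack_hours)
    return (WINDOW_START - slack) <= ts <= (WINDOW_END + slack)


def hunt(lines, slack_hours=0):
    """Return parsed records for CPUID installer fetches inside the (padded) window."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        if not parts.hostname or not is_cpuid_host(parts.hostname):
            continue
        if not INSTALLER_RE.search(parts.path):
            continue  # product page, image, etc., not an installer
        if in_window(rec["ts"], slack_hours):
            hits.append(rec)
    return hits


# Constructed sample log; timestamps deliberately carry different UTC offsets.
SAMPLE_LOG = [
    "2025-04-09T17:30:00+02:00 10.0.0.12 alice GET https://download.cpuid.com/cpu-z/cpu-z_2.12-en.exe",  # 15:30Z, in window
    "2025-04-09T13:00:00+00:00 10.0.0.14 bob   GET https://download.cpuid.com/hwmonitor/hwmonitor_1.54.exe",  # before window
    "2025-04-10T04:59:00-05:00 10.0.0.15 carol GET https://download.cpuid.com/hwmonitor-pro/hwmonitor-pro_1.53.zip",  # 09:59Z, in window
    "2025-04-10T12:30:00+00:00 10.0.0.16 dave  GET https://download.cpuid.com/perfmonitor/perfmonitor_2.05.exe",  # after window
    "2025-04-09T16:00:00+00:00 10.0.0.17 erin  GET https://www.cpuid.com/softwares/cpu-z.html",  # product page, not an installer
    "2025-04-09T16:00:00+00:00 10.0.0.18 frank GET https://cpuid.com.example.net/cpu-z_2.12-en.exe",  # look-alike host, out of scope
    "2025-04-09T14:30:00+00:00 10.0.0.19 grace GET https://download.cpuid.com/hwmonitor/hwmonitor_1.54.exe",  # 30 min early: only with slack
]

if __name__ == "__main__":
    for rec in hunt(SAMPLE_LOG, slack_hours=1):
        print(rec["ts"].isoformat(), rec["client"], rec["user"], rec["url"])
```

Run it against the real export with the slack set to whatever your confidence in the published times warrants; every hit is a host to pull into the endpoint review in step 2. A naive timestamp (no UTC offset) raises instead of being silently treated as UTC, because a proxy logging in local time is the most common way this kind of window hunt produces false negatives.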


### For the Broader Community

  • Use software signing and integrity verification to validate downloaded executables
  • Monitor supply chain security through threat intelligence feeds and vendor security bulletins
  • Implement zero-trust principles, assuming any executable, even from a trusted vendor, could be compromised
  • Maintain current backups to enable rapid recovery from supply chain compromises

## Conclusion

The CPUID compromise demonstrates that even established, trusted software vendors can become vectors for large-scale malware distribution. The incident serves as a reminder that trust in software vendors must be continuous and verified, not assumed based on historical reputation. Organizations should treat this incident as a catalyst to strengthen supply chain security practices, enhance monitoring and detection capabilities, and implement comprehensive incident response procedures for compromise scenarios affecting critical software dependencies.