# CPUID Website Compromised: Malicious CPU-Z and HWMonitor Distribute STX RAT Malware


A significant supply chain attack has surfaced as threat actors compromised CPUID, the website hosting the popular hardware diagnostic tools CPU-Z and HWMonitor. Attackers replaced legitimate download links with trojanized versions designed to distribute STX RAT, a remote access trojan, to unsuspecting users seeking to diagnose and monitor their computer hardware.


## The Attack Overview


The compromise represents a serious threat to the security of end-user systems globally. CPUID, a well-established provider of system diagnostic software trusted by millions of users, became an unwitting vector for malware distribution after attackers successfully breached the company's web infrastructure.


Key Details:

  • Affected Software: CPU-Z and HWMonitor
  • Malware Distributed: STX RAT (remote access trojan)
  • Attack Vector: Compromised download links on CPUID's official website
  • Threat Actor: Russian-speaking actors
  • Impact Scope: Unknown number of users who downloaded affected versions during the compromise window

The attack highlights the continued risk of supply chain compromises, where threat actors target widely used software providers to maximize their reach and gain access to diverse target systems.


## Background and Context


CPU-Z and HWMonitor are legitimate, widely used utilities in the IT and enthusiast communities. CPU-Z provides detailed information about a computer's processor, including real-time frequency, temperature, and cache specifications. HWMonitor is a hardware monitoring tool that tracks CPU, GPU, and system temperatures, voltages, and fan speeds.


Why These Tools Matter:

  • Used by IT professionals for system diagnostics
  • Popular among overclockers and hardware enthusiasts
  • Trusted by millions of users globally
  • Downloaded frequently from CPUID's official website

By compromising the download infrastructure for these legitimate tools, attackers positioned themselves to distribute malware to a highly diverse victim pool, from corporate IT environments to home users and research institutions. This type of attack is particularly insidious because users visited the official CPUID website expecting to download safe, trusted software.


## The Malware: STX RAT


STX RAT is a remote access trojan that provides attackers with unauthorized control over compromised systems. While details about its specific capabilities remain limited, RATs of this type typically enable threat actors to:


  • Execute arbitrary commands on victim machines
  • Steal sensitive files and credentials
  • Capture screenshots and keyboard input
  • Install additional malware payloads
  • Establish persistence for long-term access
  • Exfiltrate data to attacker-controlled servers

The fact that this malware emerged recently suggests it may be a newly developed or repurposed tool from an emerging threat group. Russian-speaking threat actors have historically been associated with both financially motivated cybercrime and espionage operations.


## Technical Details


### How the Compromise Occurred


While CPUID has not disclosed the precise attack vector, common methods for website compromise include:


  • Vulnerable web server software – Unpatched software with known exploits
  • Weak credentials – Compromised administrative accounts or FTP access
  • Supply chain compromise – Compromise of a third-party service used by CPUID
  • Malicious insider activity – Employee credentials misused by threat actors

Once inside CPUID's web infrastructure, attackers modified the download links to point to servers hosting trojanized versions of the software rather than the legitimate binaries.


### Detection and Analysis


Security researchers analyzing the trojanized downloads found that:

  • The malware was bundled within legitimate-looking installer files
  • The trojanized versions maintained the appearance and partial functionality of genuine CPU-Z and HWMonitor
  • Upon execution, the malware quietly installed STX RAT alongside the legitimate software

This technique, bundling malware with legitimate software, is particularly effective because users may not notice abnormal behavior immediately, especially if the legitimate tool functions as expected.


## Implications for Organizations and Users


### Immediate Risks


Organizations and individuals who downloaded CPU-Z or HWMonitor during the compromise window face several risks:


  • System Compromise – STX RAT provides attackers persistent remote access
  • Credential Theft – Attackers can harvest credentials stored on infected systems
  • Lateral Movement – Compromised systems can serve as entry points to corporate networks
  • Data Exfiltration – Sensitive files and information could be stolen
  • Ransomware Deployment – Attackers may use compromised systems for ransomware deployment


### Broader Concerns


This incident underscores several critical security challenges:


| Concern | Impact |
|---------|--------|
| Supply Chain Vulnerabilities | Attackers increasingly target software providers to distribute malware at scale |
| Trust Erosion | Users cannot reliably distinguish legitimate downloads from compromised ones |
| Detection Delays | The compromise timeline and the number of affected downloads are difficult to determine |
| Attribution Difficulty | Identifying Russian-speaking actors requires sophisticated forensics |
| Remediation Complexity | Users must clean infected systems without knowing the exact infection vectors |


### Enterprise Risk Assessment


For organizations, this incident presents several risks:


  • Widespread Potential Exposure – CPU-Z and HWMonitor are commonly used in IT departments for diagnostics
  • Difficult Inventory – Organizations may not track which systems downloaded these tools
  • Long-Term Persistence – STX RAT could remain undetected for extended periods
  • Regulatory Implications – Data breaches resulting from this compromise could trigger compliance obligations


## Detection and Response Recommendations


### Immediate Actions


1. Stop Using Affected Versions – Cease downloading or using CPU-Z and HWMonitor until CPUID confirms the compromise is resolved

2. Check Download Dates – Determine whether your systems downloaded these tools during the compromise window (specific dates to be confirmed by CPUID)

3. Scan for Malware – Run comprehensive antivirus and anti-malware scans on affected systems

4. Check for Indicators of Compromise (IOCs) – Monitor for STX RAT command-and-control communication


### Detection Indicators


Security teams should monitor for:

  • Suspicious network connections – Outbound connections to unknown IP addresses from systems that downloaded these tools
  • Process execution anomalies – Unexpected processes spawned by CPU-Z or HWMonitor
  • Registry modifications – Changes indicating persistence mechanisms
  • File system activity – New files or modifications in system directories following installation
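As an added detection example (not from the original article and not CPUID's code), the script below scans Sysmon-style process-creation and registry events for two of the indicators above: a CPU-Z or HWMonitor installer spawning an unexpected child process, and an autorun (Run/RunOnce) key written shortly after one of those tools launched. The field names follow Sysmon's (Image, ParentImage, TargetObject, UtcTime); the installer names, paths, the allowed child list and the 10-minute correlation window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumed tool/installer name prefixes, legitimate child images, autorun key paths and
# correlation window for this example; tune them to the environment's telemetry.
MONITORED = ("cpuz", "cpu-z", "hwmonitor")
EXPECTED_CHILDREN = {"conhost.exe", "cpuz.exe", "hwmonitor.exe"}
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
WINDOW = timedelta(minutes=10)

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _is_monitored(image):
    return _basename(image).startswith(MONITORED)

def find_suspicious(events):
    """Scan Sysmon-style events (EventID 1 = process create, 13 = registry value set)
    and return (kind, actor_image, target) alerts in chronological order."""
    alerts, launches = [], []
    for e in sorted(events, key=lambda ev: ev["UtcTime"]):
        t = datetime.fromisoformat(e["UtcTime"])
        if e["EventID"] == 1:
            if _is_monitored(e["Image"]):
                launches.append(t)  # remember when CPU-Z/HWMonitor started
            parent = e.get("ParentImage", "")
            if _is_monitored(parent) and _basename(e["Image"]) not in EXPECTED_CHILDREN:
                alerts.append(("unexpected_child", parent, e["Image"]))
        elif e["EventID"] == 13:
            key = e["TargetObject"].lower()
            recent = any(t - lt <= WINDOW for lt in launches)
            if any(k in key for k in RUN_KEYS) and (recent or _is_monitored(e["Image"])):
                alerts.append(("run_key_persistence", e["Image"], e["TargetObject"]))
    return alerts

# Constructed sample telemetry (not real IOCs): an installer spawns PowerShell, then a
# dropped binary registers itself under a Run key seconds later; the last event is benign.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-01-01T10:00:00", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Users\\u\\Downloads\\cpuz-setup.exe"},
    {"EventID": 1, "UtcTime": "2024-01-01T10:00:05", "ParentImage": "C:\\Users\\u\\Downloads\\cpuz-setup.exe",
     "Image": "C:\\Windows\\System32\\conhost.exe"},
    {"EventID": 1, "UtcTime": "2024-01-01T10:00:07", "ParentImage": "C:\\Users\\u\\Downloads\\cpuz-setup.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 13, "UtcTime": "2024-01-01T10:00:09", "Image": "C:\\Users\\u\\AppData\\Roaming\\upd\\upd.exe",
     "TargetObject": "HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
    {"EventID": 13, "UtcTime": "2024-01-01T12:00:00", "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray"},
]
```

Calling `find_suspicious(SAMPLE_EVENTS)` returns two alerts, the PowerShell child and the Run-key write at 10:00:09; the conhost child and the unrelated Run-key write two hours later are not reported.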

### Longer-Term Measures


  • Keep Security Software Updated – Ensure antivirus and EDR solutions can detect STX RAT variants
  • Monitor CPUID Communications – Subscribe to CPUID's security advisories for official guidance
  • Re-download from Verified Sources – Once CPUID confirms the infrastructure is secure, re-download the tools with checksum verification
  • Review Access Logs – Examine authentication logs for suspicious activity on potentially compromised systems


## Recommendations for Software Users


1. Verify Official Downloads – Always download software directly from official websites and verify checksums when available

2. Use Alternative Tools – Consider using alternative hardware monitoring solutions from reputable vendors

3. Implement Zero Trust – Assume that any downloaded software could be compromised and employ application whitelisting and execution controls

4. Maintain Backups – Ensure critical data is backed up separately from production systems

5. Stay Informed – Follow security advisories and threat intelligence feeds for updates on this incident


## Conclusion


The CPUID compromise represents a significant supply chain attack with potentially widespread implications. By targeting popular hardware diagnostic tools, threat actors positioned themselves to distribute malware to a large and diverse user base. Organizations and individuals must act quickly to identify potentially affected systems, remediate infections, and prevent lateral movement within their networks.


This incident reinforces the critical importance of supply chain security, software verification practices, and proactive threat hunting. As software supply chains become increasingly complex, the need for robust security controls and threat intelligence becomes more essential than ever.


Status Update Pending: CPUID has been notified of the compromise. Users should monitor the company's official channels for updates on the incident scope, timeline, and recommended remediation steps.