CPUID Supply Chain Attack: Trojanized CPU-Z Distributes STX RAT
- Attackers compromised the CPUID website to distribute malicious hardware monitoring tools and deploy the STX RAT for unauthorized remote access.
- Impacted software includes CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor downloaded between April 9 15:00 and April 10 10:00 UTC.
- Organizations must verify the hashes of CPUID utilities and initiate incident response protocols for any installations performed during the compromise window.
The hardware utility provider CPUID, known for ubiquitous tools such as CPU-Z and HWMonitor, recently suffered a supply chain attack that resulted in the distribution of malicious software. According to The Hacker News, unknown threat actors compromised the official cpuid[.]com website for approximately 19 hours. During this window, legitimate download links were replaced with trojanized executables designed to install the STX RAT on victim systems.
### Technical Analysis of the CPUID Website Compromise
The incident occurred between April 9, 2026, at 15:00 UTC and April 10, 2026, at 10:00 UTC. During this period, any user attempting to download CPU-Z, HWMonitor, HWMonitor Pro, or PerfMonitor may have received a malicious package. The tactic used in this campaign mirrors other recent supply chain incidents in which trusted software distribution platforms are leveraged to bypass perimeter defenses.
The primary payload delivered in this attack is the STX RAT, a remote access tool. Once executed, the malware establishes C2 communications, allowing attackers to perform a variety of unauthorized actions. These include file exfiltration, keystroke logging, and potentially facilitating lateral movement within the compromised network. Because hardware monitoring tools often require administrative permissions to interact with system sensors and low-level components, users typically run the installer elevated, so the initial execution of the trojanized installer hands the payload those privileges and provides a streamlined path for privilege escalation.
### STX RAT Indicators of Compromise and Behavior
Defenders analyzing systems for STX RAT presence should focus on unusual outbound network traffic originating from hardware monitoring processes. They should also look for persistence mechanisms, such as registry key modifications or scheduled tasks, created during the infection phase.
Security teams should look for STX RAT indicators of compromise such as connections to non-standard ports or suspicious subdomains that do not align with the legitimate CPUID update infrastructure. The malicious files served during the breach were visually indistinguishable from the legitimate utilities, often retaining the original icons and metadata to deceive users. However, the cryptographic hashes of these files do not match the official releases from CPUID. In a SOC environment, cross-referencing file hashes against known-good baselines is the most reliable method for identification.
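The detection logic described above, as an added Python example that is not part of the original report: it runs over a few constructed endpoint telemetry lines and flags any hardware-monitoring process that talks to a destination outside the vendor domain or on a non-standard port. It assumes the executable names listed in `HARDWARE_MONITOR_PROCS` and that legitimate CPUID traffic goes only to cpuid.com or its subdomains over ports 80 and 443; the destinations, hosts and byte counts in `SAMPLE_EVENTS` are constructed placeholders, not STX RAT indicators.

```python
import json

# Constructed endpoint network telemetry, one JSON event per line. The hosts,
# destinations and byte counts are illustrative and are not STX RAT IoCs.
SAMPLE_EVENTS = """\
{"ts":"2026-04-09T16:02:11Z","host":"ws-17","process":"cpuz.exe","dst_host":"download.cpuid.com","dst_port":443,"bytes_out":1320}
{"ts":"2026-04-09T16:03:40Z","host":"ws-17","process":"cpuz.exe","dst_host":"cdn-status.invalid","dst_port":8443,"bytes_out":48211}
{"ts":"2026-04-09T16:10:05Z","host":"ws-22","process":"HWMonitor.exe","dst_host":"updates.cpuid.com","dst_port":80,"bytes_out":600}
{"ts":"2026-04-09T16:11:09Z","host":"ws-22","process":"HWMonitor.exe","dst_host":"198.51.100.23","dst_port":443,"bytes_out":910000}
{"ts":"2026-04-09T16:12:00Z","host":"ws-03","process":"chrome.exe","dst_host":"cdn-status.invalid","dst_port":8443,"bytes_out":120}
"""

# Assumed executable names for the affected utilities (lower-cased for matching).
HARDWARE_MONITOR_PROCS = {"cpuz.exe", "hwmonitor.exe", "hwmonitorpro.exe", "perfmonitor.exe"}
# Assumption: legitimate CPUID traffic goes to cpuid.com or a subdomain over 80/443.
LEGIT_DOMAIN = "cpuid.com"
STANDARD_PORTS = {80, 443}


def parse_events(text):
    """Parse newline-delimited JSON telemetry into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_cpuid_destination(dst_host):
    """True when the destination is the vendor domain or one of its subdomains.
    A bare IP address never matches, so direct-to-IP beacons are flagged."""
    host = dst_host.lower().rstrip(".")
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def find_suspicious(events):
    """Return one finding per event in which a hardware-monitoring process talks
    to a non-CPUID destination or a non-standard port. Every reason that fired
    is recorded so an analyst can rank the findings."""
    findings = []
    for ev in events:
        if ev["process"].lower() not in HARDWARE_MONITOR_PROCS:
            continue
        reasons = []
        if not is_cpuid_destination(ev["dst_host"]):
            reasons.append("non-CPUID destination")
        if ev["dst_port"] not in STANDARD_PORTS:
            reasons.append(f"non-standard port {ev['dst_port']}")
        if reasons:
            findings.append({
                "ts": ev["ts"],
                "host": ev["host"],
                "process": ev["process"],
                "dst_host": ev["dst_host"],
                "dst_port": ev["dst_port"],
                "bytes_out": ev["bytes_out"],
                "reasons": reasons,
            })
    return findings


def hosts_to_triage(findings):
    """Collapse findings to the sorted set of hosts needing isolation and forensics."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    found = find_suspicious(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f"{f['ts']} {f['host']} {f['process']} -> {f['dst_host']}:{f['dst_port']} "
              f"({f['bytes_out']} B out): {', '.join(f['reasons'])}")
    print("hosts to triage:", hosts_to_triage(found))
```

Browser traffic to the same odd destination (the `chrome.exe` line) is deliberately not flagged: the rule keys on the process, because the point of this campaign is that a hardware utility has no business beaconing anywhere but the vendor. Outbound byte counts are carried into each finding so that large transfers, a possible exfiltration signal, sort to the top.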
### CPUID Supply Chain Attack Mitigation and Response
Organizations that downloaded or updated CPUID software within the identified 24-hour window must treat those systems as potentially compromised. The following steps should be prioritized as part of an immediate response:
- Hash Verification: Compare the SHA-256 hashes of all CPUID executables currently in the environment against the legitimate hashes provided by the vendor post-remediation.
- Endpoint Scanning: Use EDR solutions to perform full-disk scans and look for specific IoCs associated with the STX RAT.
- Log Analysis: Review SIEM logs for any connections to suspicious IP addresses or domains during the breach window.
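The hash verification step above, combined with the compromise-window check from the timeline, as an added Python example that is not from the report or from CPUID. The vendor baseline in `demo()` is constructed from a placeholder byte string because the real post-remediation hashes are not on this page; in practice the sets in `baseline` are filled from the values CPUID publishes. The file modification time is used only as a secondary hint, since the trojanized builds kept the original icons and metadata: the decisive signal is a SHA-256 that is absent from the vendor list.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Compromise window stated in the report (UTC).
WINDOW_START = datetime(2026, 4, 9, 15, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 10, 10, 0, tzinfo=timezone.utc)


def parse_utc(stamp):
    """Parse an ISO-8601 'YYYY-MM-DDTHH:MM:SSZ' string into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_compromise_window(when):
    """True when an aware datetime falls inside the breach window (inclusive)."""
    return WINDOW_START <= when <= WINDOW_END


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large installers do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_files(files, baseline):
    """files: iterable of (product, path); baseline: {product: {known-good sha256, ...}}.
    Returns one verdict per file. Only the hash decides: file name, icon and version
    resources were preserved by the trojanized builds and must not be trusted."""
    verdicts = []
    for product, path in files:
        digest = sha256_file(path)
        mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
        known_good = digest in baseline.get(product, set())
        verdicts.append({
            "product": product,
            "path": str(path),
            "sha256": digest,
            "matches_vendor_hash": known_good,
            "written_in_window": in_compromise_window(mtime),
            "action": "none" if known_good else "isolate host and start incident response",
        })
    return verdicts


def demo():
    """Constructed demonstration: a placeholder 'vendor baseline' is built from one
    known-good byte string, then a matching file and a mismatching file are checked.
    Neither byte string is real CPUID content."""
    good_bytes = b"CONSTRUCTED-GOOD-CPUZ-BUILD"
    bad_bytes = b"CONSTRUCTED-TROJANIZED-CPUZ-BUILD"
    baseline = {"CPU-Z": {hashlib.sha256(good_bytes).hexdigest()}}
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "cpuz_clean.exe"
        trojan = Path(tmp) / "cpuz_trojan.exe"
        clean.write_bytes(good_bytes)
        trojan.write_bytes(bad_bytes)
        # Stamp the clean file before the window and the other inside it.
        before = datetime(2026, 4, 1, 12, 0, tzinfo=timezone.utc).timestamp()
        inside = datetime(2026, 4, 9, 18, 30, tzinfo=timezone.utc).timestamp()
        os.utime(clean, (before, before))
        os.utime(trojan, (inside, inside))
        return verify_files([("CPU-Z", clean), ("CPU-Z", trojan)], baseline)


if __name__ == "__main__":
    for verdict in demo():
        print(f"{verdict['path']}: sha256={verdict['sha256'][:16]}... "
              f"vendor_match={verdict['matches_vendor_hash']} "
              f"in_window={verdict['written_in_window']} -> {verdict['action']}")
```

A file that matches the vendor hash but was written inside the window needs no action; a file that mismatches needs incident response regardless of its timestamp, because timestamps are easily wrong (installer build time, clock drift, copies between hosts) and the window quoted in reports can shift as the investigation proceeds.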
Implementing a Zero Trust architecture can limit the impact of such supply chain compromises by enforcing strict least-privilege access and continuous verification. Furthermore, mapping these threats to the MITRE ATT&CK framework helps security teams understand the broader context of the adversary’s goals. Defenders looking for further mitigation strategies should consider implementing application allowlisting to prevent the execution of unsigned or unauthorized binaries. While the CPUID breach was brief, the potential for long-term persistence via the STX RAT necessitates a thorough forensic investigation of any impacted workstation.