[TIMESTAMP: 2026-04-13 12:33 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Trojanized CPU-Z and HWMonitor Distributed via CPUID Site Hack

Severity: HIGH | Category: Supply Chain | Tags: #CPUID #CPU-Z #HWMonitor
AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: Users downloading CPU-Z or HWMonitor from the official CPUID website may have their systems fully compromised by the STX RAT.
  • [02] Affected systems: Windows-based systems where users downloaded and executed the trojanized CPUID installers during the period of compromise.
  • [03] Remediation: Organizations must verify the digital signatures of installed CPUID tools and implement file integrity monitoring to detect unauthorized binary modifications.

In a significant supply chain attack, the official website of CPUID, the developer behind the widely used system diagnostic utilities CPU-Z and HWMonitor, was recently compromised. According to SecurityWeek, a Russian-speaking threat actor hijacked the site’s download links, replacing the legitimate installers with trojanized versions that deliver a recently emerged malware family known as STX RAT.

Technical Analysis of the CPUID Website Supply Chain Compromise

The attack targeted the distribution mechanism of CPU-Z and HWMonitor, tools that are ubiquitous in both consumer and enterprise environments for hardware monitoring. Because these utilities need administrative privileges to interact directly with hardware, users routinely run their installers elevated, and a trojanized installer inherits those privileges; this makes them ideal vehicles for threat actors seeking privilege escalation or deep system access. By subverting the official download site, the attackers bypassed security controls that implicitly trust downloads from reputable domains.

The malicious binaries were designed to look and function exactly like the legitimate software, minimizing the chance of immediate user suspicion. Once executed, the trojanized installer deploys STX RAT, a Remote Access Trojan (RAT) that provides the attacker with comprehensive control over the infected machine. The malware includes C2 communication capabilities, allowing the actor to exfiltrate sensitive data, manipulate files, and execute arbitrary commands.

STX RAT Capabilities and TTPs

STX RAT is a relatively new threat in the landscape, but its TTP profile aligns with sophisticated Russian-speaking cybercrime operations. Key features identified include:

  • Remote Command Execution: The ability to execute shell commands with the same privileges as the running utility.
  • Data Exfiltration: Automated harvesting of browser credentials, system information, and local files.
  • Persistence Mechanisms: The malware likely utilizes registry modifications or scheduled tasks to remain active across system reboots.
  • Evasion Techniques: The initial delivery via a trusted site helps the malware evade some EDR solutions that rely on domain reputation as a primary indicator of trust.

How to Detect STX RAT Malware within Corporate Environments

Security teams should focus on identifying abnormal behavior from system diagnostic binaries. Detecting STX RAT requires a combination of file integrity checking and behavioral analysis. Look for indicators such as unsigned binaries masquerading as CPUID products, or unexpected network traffic originating from cpuz.exe or hwmonitor.exe processes. In particular, any network connection from these tools to an unknown or non-CPUID domain should be treated as a high-confidence indicator of compromise.

Map these activities to the MITRE ATT&CK framework, specifically T1195.002 (Supply Chain Compromise: Compromise Software Dependencies and Development Tools) for the initial delivery and T1071.001 (Application Layer Protocol: Web Protocols) for the C2 traffic. Correlating process execution with outbound network connections in a SIEM is a reliable way to detect STX RAT before it progresses to broad data exfiltration.
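The process-to-network correlation described above, as an added example that is not part of the original article and not CPUID's own code: a PowerShell function that joins Sysmon-style process-creation and network-connection records by process ID and reports any CPU-Z or HWMonitor binary (installers included) that contacted a host outside a vetted allowlist. The sample records, hostnames, ports and paths are constructed placeholders, and the allowlist containing only `cpuid.com` is an assumption; tune it to the hosts your organization has actually vetted for these tools.

```powershell
# Added example (not from the article): correlate process-creation and
# network-connection telemetry so that any connection made by a CPU-Z or
# HWMonitor binary to a host outside an allowlist surfaces as a finding.
# The records below are constructed, Sysmon-style samples (Event ID 1 =
# process create, Event ID 3 = network connection); hosts, ports and paths
# are placeholders. In production, source records from
# Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' or your SIEM.

$events = @(
    [pscustomobject]@{ EventId = 1; ProcessId = 4120; Image = 'C:\Program Files\CPUID\CPU-Z\cpuz.exe'
                       Time = [datetime]'2026-04-13T10:02:11Z' }
    [pscustomobject]@{ EventId = 3; ProcessId = 4120; Image = 'C:\Program Files\CPUID\CPU-Z\cpuz.exe'
                       Time = [datetime]'2026-04-13T10:02:14Z'; DestHost = 'www.cpuid.com'; DestPort = 443 }
    [pscustomobject]@{ EventId = 1; ProcessId = 5888; Image = 'C:\Users\alice\Downloads\hwmonitor_setup.exe'
                       Time = [datetime]'2026-04-13T10:05:40Z' }
    [pscustomobject]@{ EventId = 3; ProcessId = 5888; Image = 'C:\Users\alice\Downloads\hwmonitor_setup.exe'
                       Time = [datetime]'2026-04-13T10:05:43Z'; DestHost = 'c2-placeholder.example.net'; DestPort = 8080 }
)

function Find-SuspiciousDiagnosticNetwork {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        # File-name patterns for the binaries under watch; wildcards catch installers too.
        [string[]] $WatchedPatterns = @('cpuz*.exe', 'hwmonitor*.exe'),
        # Assumption: only the vendor domain is vetted. Extend after review.
        [string[]] $AllowedDomains = @('cpuid.com')
    )

    # Index process-creation events by PID so each connection can be tied to its launch path.
    $launches = @{}
    foreach ($e in ($Events | Where-Object { $_.EventId -eq 1 })) { $launches[$e.ProcessId] = $e }

    foreach ($e in ($Events | Where-Object { $_.EventId -eq 3 })) {
        # Split on either separator so the function also runs under pwsh on non-Windows hosts.
        $name = (($e.Image -split '[\\/]')[-1]).ToLowerInvariant()
        $watched = $WatchedPatterns | Where-Object { $name -like $_ }
        if (-not $watched) { continue }

        # Allow the domain itself and any subdomain; reject everything else.
        $dest = $e.DestHost.ToLowerInvariant()
        $allowed = $AllowedDomains | Where-Object {
            $d = $_.ToLowerInvariant()
            ($dest -eq $d) -or $dest.EndsWith('.' + $d)
        }
        if ($allowed) { continue }

        $launch = $launches[$e.ProcessId]
        $launchPath = if ($launch) { $launch.Image } else { '<no process-create event in window>' }

        [pscustomobject]@{
            Time        = $e.Time
            Process     = $name
            ProcessId   = $e.ProcessId
            LaunchPath  = $launchPath
            Destination = '{0}:{1}' -f $e.DestHost, $e.DestPort
            Technique   = 'T1071.001'
            Finding     = 'Diagnostic binary contacted a host outside the allowlist'
        }
    }
}

# Usage: with the constructed records, only the hwmonitor_setup.exe connection
# to c2-placeholder.example.net:8080 is reported; the cpuz.exe connection to
# www.cpuid.com is suppressed by the allowlist.
$findings = Find-SuspiciousDiagnosticNetwork -Events $events
$findings | Format-Table -AutoSize
```

Joining on the process ID is what turns a bare connection event into an actionable finding: the launch path tells the analyst whether the binary ran from the vendor's install directory or from a user's Downloads folder, which is exactly the distinction that matters for a trojanized installer.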

Mitigating Trojanized Diagnostic Tools and Strengthening Defense

Organizations must move toward a model where diagnostic tools are strictly controlled. Mitigating trojanized diagnostic tools involves several layers of defense:

  1. Digital Signature Verification: Ensure that all binaries from CPUID are signed by a valid certificate. Any installer failing signature validation must be quarantined immediately.
  2. Application Whitelisting: Restrict the use of hardware monitoring tools to authorized personnel only and use hashes to allow only known-good versions.
  3. Network Segmentation: Prevent administrative tools from communicating with the internet unless explicitly required for updates, which should be proxied and inspected.
  4. Endpoint Monitoring: Configure monitoring tools to alert on any file creation or registry modification performed by CPU-Z or HWMonitor installers.

Given the trust users place in official websites, this incident highlights the necessity of verifying the integrity of software even when sourced from the original vendor.
