CPUID Website Compromised: Attackers Distribute STX RAT via Malicious Software Installers
The official **CPUID** website, a popular source for hardware monitoring tools like CPU-Z and HWMonitor, was briefly compromised to distribute malicious software. Attackers replaced legitimate download links with those serving the **STX RAT** (Remote Access Trojan), impacting both individual users and organizations.

**CPUID**, the company behind popular hardware monitoring tools such as CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor, confirmed that their website (cpuid[.]com) was compromised for less than 24 hours. During this period, threat actors replaced legitimate software installers with malicious executables designed to deploy the STX RAT.
### Timeline of the Attack
The incident occurred between approximately April 9, 15:00 UTC, and April 10, 10:00 UTC. Download URLs for CPU-Z and HWMonitor installers were specifically targeted, redirecting users to malicious websites.
### CPUID's Response
In a statement shared on X, **CPUID** acknowledged the breach, attributing it to a compromise of a "secondary feature (basically a side API)" that led to the main site displaying malicious links randomly. The company emphasized that the signed original files of their software remained unaffected.
### Rogue Websites Identified
According to **Kaspersky**, the following websites were used to distribute the trojanized software:
* cahayailmukreatif.web[.]id
* pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev
* transitopalermo[.]com
* vatrobran[.]hr
The malicious software was distributed as both ZIP archives and standalone installers. These files contained a legitimate, signed executable alongside a malicious DLL named 'CRYPTBASE.dll'. Because the signed executable resolves that library name from its own directory before the Windows system copy, it loads the attacker's DLL instead (DLL side-loading), and the malicious code runs under the legitimate, signed process.
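One way a defender can turn the side-loading indicator above into a concrete triage check, as an added example that is not code from CPUID, Kaspersky or eSentire: the script below inspects a downloaded installer archive for a DLL named CRYPTBASE.dll sitting next to an executable outside the Windows system directories. The archive contents are constructed placeholders, not the real installer.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Side-loaded DLL name reported in the CPUID incident; the genuine library only
# belongs in these Windows system directories, so a copy elsewhere is suspicious.
SIDELOAD_DLL = "cryptbase.dll"
SYSTEM_DIRS = ("windows/system32", "windows/syswow64")


def find_sideload_candidates(zip_bytes: bytes, dll_name: str = SIDELOAD_DLL) -> list[dict]:
    """Return one finding per archive directory that holds both an .exe and the
    named DLL, ignoring the Windows system directories where the DLL is expected."""
    by_dir: dict[str, dict] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename.replace("\\", "/"))
            entry = by_dir.setdefault(str(path.parent).lower(), {"exes": [], "dlls": []})
            if path.name.lower().endswith(".exe"):
                entry["exes"].append(path.name)
            elif path.name.lower() == dll_name.lower():
                entry["dlls"].append(path.name)
    findings = []
    for directory, entry in by_dir.items():
        if not entry["exes"] or not entry["dlls"]:
            continue
        if any(directory.endswith(system_dir) for system_dir in SYSTEM_DIRS):
            continue
        findings.append({"directory": directory, "executables": entry["exes"], "dll": entry["dlls"][0]})
    return findings


def build_sample(files: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {path: content}; used only for constructed test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed layout mirroring the article: a signed-looking executable next to
    # CRYPTBASE.dll in the archive root. File contents are placeholders, not malware.
    suspicious = build_sample({"cpuz_setup.exe": b"MZ placeholder", "CRYPTBASE.dll": b"MZ placeholder"})
    clean = build_sample({"cpuz_setup.exe": b"MZ placeholder", "readme.txt": b"placeholder"})
    for label, blob in (("suspicious", suspicious), ("clean", clean)):
        print(label, find_sideload_candidates(blob))
```

A hit only says the layout matches the side-loading pattern; confirm by checking the DLL's signature and hash against the copy in System32 before treating the archive as malicious.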
### STX RAT Deployment
The malicious DLL initiates communication with an external server and downloads additional payloads after performing anti-sandbox checks to evade detection. The ultimate goal is to deploy the STX RAT, known for its HVNC (Hidden VNC) capabilities and extensive information-stealing features.
According to **eSentire**'s analysis, STX RAT offers a broad command set for remote control, post-exploitation activities, and follow-on payload execution, including in-memory execution of EXE/DLL/PowerShell/shellcode, reverse proxy/tunneling, and desktop interaction.
### Connection to Previous Campaigns
The command-and-control (C2) server address and connection configuration used in this attack were previously observed in a campaign involving trojanized **FileZilla** installers hosted on fake websites. This earlier activity, documented by **Malwarebytes**, also involved the deployment of the STX RAT.
### Impact and Victimology
**Kaspersky** has identified over 150 victims, primarily individuals. However, organizations in sectors like retail, manufacturing, consulting, telecommunications, and agriculture have also been affected. The majority of infections are located in Brazil, Russia, and China.
### Attribution and Security Posture
**Kaspersky** highlighted that the attackers' reuse of the same infection chain and C2 domain names from the previous **FileZilla** campaign allowed for quicker detection of the watering hole attack. They assessed the threat actor's overall malware development, deployment, and operational security capabilities as "quite low."