CPUID Website Compromised: Malicious Versions of Popular PC Diagnostic Utilities
The website of CPUID, a manufacturer of diagnostic tools, was targeted in an attack where download links for CPU-Z and HWMonitor led to infected files. This resulted in the spread of a Remote Access Trojan (RAT) among users, including IT professionals.
Attack Mechanism and Technical Details
Attackers replaced links on the official resource, redirecting visitors to archives containing malicious software. Infected packages contained a legitimate utility executable file and a malicious CRYPTBASE.dll library. Upon launch, the system loaded this library, triggering a chain that ultimately installed the STX RAT trojan. This trojan operates in memory, providing remote control and data theft.
The attack affected versions CPU-Z 2.19, HWMonitor 1.63 and 1.57 Pro, PerfMonitor 2.04. The 64-bit build of HWMonitor proved particularly vulnerable. Hacker activity is estimated between April 3 and 10, peaking from 15:00 UTC on April 9 to 10:00 UTC on April 10.
Targets and Consequences for Users
CPUID utilities are widely used for hardware monitoring, ranging from enthusiasts to corporate administrators. Such users often work with confidential data — accounts, access keys, and VPNs. The trojan could have captured sessions, cookies, and passwords, opening paths to internal company networks.
According to experts, over 150 individuals were affected, mostly private citizens. However, organizations from retail, manufacturing, consulting, telecommunications, and agriculture sectors also fell victim. This highlights risks for businesses where diagnostic tools are ubiquitous.
- Key Risks for Victims:
- Remote access to device.
- Theft of credentials and session tokens.
- Access to corporate resources via VPN.
- Potential spread within local networks.
Connection to Previous Incidents
This attack mirrors the tactics of March's campaign involving fake FileZilla: DLL substitution, similar infrastructure, and command-and-control domains. Experts trace elements of the chain back to July 2025, indicating an organized group with refined methods. This approach minimizes detection by masquerading as official updates.
Context and Industry Significance
Compromise of software distribution channels is a growing threat in cybersecurity. Success factors include brand trust and weak download integrity checks. Consequences involve the need to verify file hashes and transition to signed updates. For the industry, this signals a need to strengthen vendor verification.
Overall context: such supply chain attacks increased by 30% over the year, according to industry reports. Users are advised to scan systems and update antivirus software.
Key Takeaways
- Hackers replaced links on cpuid.com, spreading STX RAT via DLL.
- Affected versions CPU-Z 2.19, HWMonitor 1.63/Pro 1.57; over 150 victims.
- Link to attacks since July 2025, including March FileZilla incident.
- Site cleaned by April 10, but risks for corporate users remain.
- Recommendation: Verify hashes and use sandbox for testing.
— Editorial Team
No comments yet.