CPUID Website Compromised to Serve STX RAT
Unknown threat actors successfully compromised cpuid.com, the official website of CPUID — a company best known for its popular hardware monitoring utilities CPU-Z and HWMonitor — for a period of less than 24 hours. During the window of compromise, visitors downloading software from the site received trojanized executables bundled with a remote access trojan dubbed STX RAT.
The incident represents another in a growing series of software supply chain attacks targeting trusted developer and system administrator tooling to maximize the reach and credibility of malware distribution.
About CPUID and Its Tools
CPUID develops widely-used system information and hardware monitoring utilities trusted by PC enthusiasts, overclockers, IT professionals, and system builders worldwide:
| Tool | Purpose | Estimated Users |
|---|---|---|
| CPU-Z | CPU, motherboard, memory, and GPU information | Tens of millions |
| HWMonitor | Hardware sensor monitoring (temps, voltages, fan speeds) | Several million |
| HWMonitor Pro | Extended monitoring with remote access features | Enterprise/Pro users |
| PerfMonitor | CPU performance monitoring | Enthusiast users |
The high trust associated with these utilities — commonly recommended by tech forums and used in PC build validation — makes them an attractive vehicle for malware distribution.
The Compromise
Timeline
- Discovery: Security researchers identified anomalous downloads from cpuid.com
- Window: The malicious files were served for less than 24 hours before the compromise was detected and remediated
- Recovery: CPUID restored legitimate downloads following the incident
Malicious Payload: STX RAT
The trojanized executables delivered STX RAT, a remote access trojan with capabilities including:
- Remote shell access — full command execution on compromised systems
- File system access — read, write, and exfiltrate files
- Keylogging — capture credentials and sensitive input
- Screen capture — monitor user activity
- Persistence — survives reboots via registry modifications or scheduled tasks
- C2 communication — encrypted communications to attacker-controlled infrastructure
The malicious executables were designed to appear functionally identical to the legitimate tools, executing the expected hardware monitoring functions while silently installing the RAT in the background.
Who Is at Risk
Users who downloaded any CPUID software directly from cpuid.com during the compromise window should assume their systems may be compromised. High-risk profiles include:
- IT professionals and sysadmins who regularly use hardware diagnostics
- PC overclockers and enthusiasts who routinely run CPU-Z during hardware testing
- Enterprise IT staff who may have downloaded HWMonitor Pro for fleet management
- Users whose installations auto-updated, or who downloaded fresh copies, during the affected period
Detection and Response
Indicators of Compromise
Security vendors have begun releasing indicators of compromise (IoCs) for STX RAT. Check your endpoint detection and response (EDR) tools for:
- Suspicious child processes spawned by CPUID utilities
- Network connections from hardware monitoring tools to unexpected external IPs
- Persistence entries (registry run keys, scheduled tasks) created by CPUID executables
- Presence of STX RAT signatures in endpoint security scans
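The first three checks above, applied to endpoint telemetry, as an added illustration that is not from the advisory or any vendor: it triages constructed Sysmon-style events (process creation, network connection, registry value set) attributed to the CPUID binaries. The binary names, the event field names and the "only private addresses are expected" allowlist are assumptions to adapt to your environment.

```python
import ipaddress
from pathlib import PureWindowsPath

# CPUID binaries named in the advisory (assumed file names). Any child process,
# public-IP connection or Run-key write attributed to them produces a finding.
CPUID_TOOLS = {"cpuz.exe", "hwmonitor.exe", "hwmonitorpro.exe", "perfmonitor.exe"}
# Assumption: a hardware monitor on a corporate LAN only talks to local addresses.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
RUN_KEY_MARKER = "\\currentversion\\run"

def _base(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()

def triage(events):
    """Return (rule, detail) findings for Sysmon-like event dicts."""
    findings = []
    for ev in events:
        img, parent = _base(ev.get("Image", "")), _base(ev.get("ParentImage", ""))
        if ev["EventID"] == 1 and parent in CPUID_TOOLS:
            # Process creation: a monitoring tool has no business launching anything.
            findings.append(("child_process", f"{parent} -> {img}"))
        elif ev["EventID"] == 3 and img in CPUID_TOOLS:
            # Network connection: flag destinations outside the private ranges.
            dst = ipaddress.ip_address(ev["DestinationIp"])
            if not any(dst in net for net in PRIVATE_NETS):
                findings.append(("network", f"{img} -> {dst}:{ev['DestinationPort']}"))
        elif ev["EventID"] == 13 and img in CPUID_TOOLS:
            # Registry value set: Run-key writes are the persistence the advisory lists.
            if RUN_KEY_MARKER in ev["TargetObject"].lower():
                findings.append(("persistence", ev["TargetObject"]))
    return findings

# Constructed sample telemetry (not real indicators): a benign HWMonitor launch,
# cpuz.exe spawning PowerShell, one outbound beacon, one LAN lookup, one Run-key write.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Tools\hwmonitor.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Tools\cpuz.exe"},
    {"EventID": 3, "Image": r"C:\Tools\cpuz.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Tools\cpuz.exe", "DestinationIp": "192.168.1.1", "DestinationPort": 53},
    {"EventID": 13, "Image": r"C:\Tools\cpuz.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Run against real exports, the benign launch and the LAN DNS lookup drop out and the three findings that remain map directly onto the child-process, network and persistence checks listed above.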
Recommended Actions
If you downloaded CPUID software during the affected period:
- Isolate the affected system from the network immediately
- Run a full malware scan with an updated AV/EDR solution
- Check for persistence mechanisms — review scheduled tasks, startup entries, and registry run keys
- Audit network connections for outbound traffic from the CPUID tool executables
- Rotate all credentials accessible from the affected machine — passwords, SSH keys, API tokens
- Re-download software only from CPUID's official site and verify file hashes against published checksums
Supply Chain Attack Context
This incident follows a well-established attacker playbook: compromise a trusted software distribution site to weaponize legitimate tool downloads. Notable precedents include:
- The SolarWinds supply chain attack (2020) via build system compromise
- CCleaner poisoning (2017) that delivered a backdoor to millions of users
- The 3CX Desktop App trojanization (2023) by the Lazarus Group
- Recent CPUID-adjacent attacks targeting developer tooling and hardware utilities
The brief 24-hour window suggests either rapid detection by CPUID or a targeted, time-limited operation designed to minimize exposure while still achieving meaningful distribution.
Verification
To verify the integrity of CPUID downloads:
```shell
# Compare the SHA-256 hash of your downloaded file against CPUID's official checksums
certutil -hashfile cpuz.exe SHA256   # Windows
sha256sum cpuz.exe                   # Linux
shasum -a 256 cpuz.exe               # macOS (sha256sum is not installed by default)
```

CPUID publishes file hashes on their website for verification. Always validate checksums before running downloaded executables, particularly after any reported compromise of a software vendor.
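The same check scripted for a batch of downloads, as an added example that is not CPUID's own tooling: it hashes a file in chunks, accepts the digest either as published or as certutil prints it (older builds insert a space between byte pairs, and case varies), and looks the file up by name in a sha256sum-style checksum list. The checksum-list format and the sample digest (SHA-256 of the bytes "abc") are assumptions; use the hashes CPUID actually publishes.

```python
import hashlib
import re
from pathlib import Path

def sha256_file(path) -> str:
    """Hash the file in chunks so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def normalize_digest(text: str) -> str:
    """Reduce a digest to lowercase hex. Accepts the form a vendor publishes
    and the form certutil prints (older builds insert a space between bytes)."""
    digest = re.sub(r"\s+", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", digest):
        raise ValueError(f"not a SHA-256 hex digest: {text!r}")
    return digest

def parse_checksum_list(text: str) -> dict:
    """Parse sha256sum-style lines ('<hash>  <filename>', optional '*' for
    binary mode, '#' comments) into {lowercase filename: digest}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        table[name.strip().lstrip("*").lower()] = normalize_digest(digest)
    return table

def verify_download(path, published: str) -> bool:
    """True only when the file's SHA-256 equals the published digest."""
    return sha256_file(path) == normalize_digest(published)

def verify_against_list(path, checksum_text: str) -> bool:
    """Look the download up by basename in a published list, then verify it."""
    expected = parse_checksum_list(checksum_text).get(Path(path).name.lower())
    if expected is None:
        raise KeyError(f"{Path(path).name} is not in the checksum list")
    return verify_download(path, expected)

if __name__ == "__main__":
    import tempfile
    # Constructed sample: a stand-in 'installer' whose digest is known (SHA-256 of b"abc").
    sample = Path(tempfile.mkdtemp()) / "cpuz.exe"
    sample.write_bytes(b"abc")
    published = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  cpuz.exe"
    print("match" if verify_against_list(sample, published) else "MISMATCH: do not run")
```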