CPUID Website Breached to Distribute Trojanized Hardware Tools

Attackers compromised the official CPUID website for approximately 19 hours between April 9 and April 10, replacing download links for popular hardware monitoring tools such as CPU-Z and HWMonitor with links to malicious versions that deploy STX RAT. The breach affected a secondary API feature, causing the main site to intermittently serve rogue download links while leaving the signed original files untouched. The trojanized software was distributed as ZIP archives and standalone installers containing the legitimate signed executables alongside a malicious DLL named CRYPTBASE.dll that is loaded through DLL sideloading.

The malicious DLL performs anti-sandbox checks before contacting external servers to deliver STX RAT, a remote access trojan with HVNC capabilities and extensive information-stealing functionality. The malware exposes a broad command set for remote control, follow-on payload execution, reverse proxy tunneling, and post-exploitation actions. The command-and-control server addresses and connection configurations were reused from a prior campaign that distributed trojanized FileZilla installers documented by Malwarebytes.
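The infection chain above relies on a layout that is easy to check for from the defender's side: a signed executable shipped next to a DLL that carries the name of a Windows system library (CRYPTBASE.dll here), so that the default DLL search order picks up the application-local copy before the one in System32. The following is an added example, not code from CPUID, Kaspersky or Malwarebytes, that scans a ZIP archive for exactly that pairing. The system-DLL name list contains only the name given in the article and is an assumption to be extended for your environment; the archive, its paths and its file contents are constructed placeholders, not real binaries.

```python
"""
Added example: flag ZIP archives in which a DLL bearing a Windows system-DLL
name sits in the same directory as an executable, the layout described for the
trojanized CPU-Z/HWMonitor downloads (signed .exe + CRYPTBASE.dll).
"""
import io
import posixpath
import zipfile

# Assumption: DLL names that should only ever load from System32. Only
# CRYPTBASE.dll is taken from the article; add others relevant to your estate.
SIDELOAD_DLL_NAMES = {"cryptbase.dll"}


def find_sideload_candidates(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (exe_path, dll_path) pairs where a DLL with a system-DLL name
    shares a directory with an executable inside the archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Skip directory entries; keep file members only.
        names = [n for n in zf.namelist() if not n.endswith("/")]

    # Group members by their directory, because sideloading needs the DLL to be
    # found in the executable's own directory ahead of System32.
    by_dir: dict[str, list[str]] = {}
    for n in names:
        by_dir.setdefault(posixpath.dirname(n), []).append(n)

    findings: list[tuple[str, str]] = []
    for members in by_dir.values():
        exes = [m for m in members if m.lower().endswith(".exe")]
        dlls = [m for m in members
                if posixpath.basename(m).lower() in SIDELOAD_DLL_NAMES]
        for exe in exes:
            for dll in dlls:
                findings.append((exe, dll))
    return findings


def build_sample_zip(include_dll: bool) -> bytes:
    """Constructed sample archive mimicking the trojanized download layout.
    Paths and contents are placeholders, not the real files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cpu-z/cpuz.exe", b"MZ placeholder, not a real binary")
        zf.writestr("cpu-z/lang/readme.txt", b"placeholder text file")
        if include_dll:
            # The sideloaded DLL sits beside the signed executable.
            zf.writestr("cpu-z/CRYPTBASE.dll", b"MZ placeholder, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    for label, zb in (("trojanized", build_sample_zip(True)),
                      ("clean", build_sample_zip(False))):
        hits = find_sideload_candidates(zb)
        print(f"{label}: {hits if hits else 'no sideload candidate'}")
```

The check is deliberately narrow: a system-DLL name appearing in an application directory is the indicator, independent of whether the executable next to it is legitimately signed, which is the whole point of the technique the article describes. Run it over downloaded archives before extraction, or over extracted program directories by grouping on the filesystem path instead of the ZIP member path.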

Kaspersky identified over 150 victims primarily in Brazil, Russia, and China, including individuals and organizations across retail, manufacturing, consulting, telecommunications, and agriculture sectors. The attackers demonstrated low operational security by reusing the same infection chain and domain names from previous attacks, enabling rapid detection of the watering hole compromise. CPUID confirmed the incident and noted that the attack did not affect its signed original files. The compromised website has since been restored to normal operation.
