CPU-Z and HWMonitor Compromised: Another Supply Chain Attack Delivers STX RAT Through Trusted Software

April 13, 2026
01

Introduction

On April 9-10, 2026, the official website of CPUID — the company behind the hugely popular hardware monitoring tools CPU-Z and HWMonitor — was compromised by unknown threat actors. For approximately six hours, users who downloaded CPU-Z or HWMonitor from the official cpuid.com website received trojanized installers that deployed STX RAT, a sophisticated remote access trojan that operates almost entirely in memory.

This is the second major supply chain attack in two weeks, following the Axios npm compromise on March 31. The pattern is clear: attackers are increasingly targeting the distribution infrastructure of trusted software rather than attacking end users directly.


02

What Happened

Timeline (UTC)

  • April 9, ~15:00 UTC: Threat actors compromised a secondary API on CPUID's website
  • April 9, 15:00 – April 10, ~10:00 UTC: The main website randomly displayed malicious download links instead of legitimate ones
  • April 10, ~10:00 UTC: CPUID identified and remediated the compromise

The signed original files were not compromised — the attackers modified the download links, not the software itself. Users who downloaded during the 6-hour window received trojanized installers from attacker-controlled infrastructure.

The Malware: STX RAT

STX RAT is a multi-stage remote access trojan described by malware analysts at vx-underground as "deeply trojanized and operating almost entirely in memory." The malware:

  • Executes across five stages using reflective PE loading
  • Uses XOR decryption and layered bitwise transformations to evade detection
  • Writes no intermediate payloads to disk — entirely memory-resident
  • Provides the attacker with: in-memory execution of EXE/DLL/PowerShell/shellcode, reverse proxy/tunneling, desktop interaction, and full remote control
  • Reuses C2 infrastructure from a prior campaign involving trojanized FileZilla installers

Scope of Impact

Kaspersky identified more than 150 confirmed victims, primarily individuals but also organizations in retail, manufacturing, consulting, telecommunications, and agriculture. Most infections were in Brazil, Russia, and China — but any user worldwide who downloaded from cpuid.com during the window is potentially affected.


03

How to Check If You're Affected

Did You Download CPU-Z or HWMonitor Between April 9-10?

Check your browser download history and any software installation logs:

# Windows (PowerShell) - list recently downloaded CPU-Z / HWMonitor installers, oldest first
Get-ChildItem -Path "$env:USERPROFILE\Downloads\*" -Include '*cpu-z*','*hwmonitor*' -File |
  Sort-Object LastWriteTime |
  Select-Object Name, Length, LastWriteTime

# Check if CPU-Z or HWMonitor was installed recently.
# The Uninstall registry keys are queried instead of Win32_Product: Win32_Product only lists
# MSI-installed products (non-MSI setup executables are missed) and triggers an MSI consistency
# check of every installed product each time it is queried.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -like '*CPU-Z*' -or $_.DisplayName -like '*HWMonitor*' } |
  Select-Object DisplayName, DisplayVersion, InstallDate, InstallLocation

Check for STX RAT Indicators

Since the malware operates in memory, traditional file-based scanning may miss it. Look for:

  • Unusual outbound network connections — check for connections to unknown IPs on non-standard ports
  • Reflective DLL injection artifacts — EDR platforms (SentinelOne, CrowdStrike, Microsoft Defender for Endpoint) should flag these
  • Unexpected PowerShell or shellcode execution — review PowerShell script block logging for suspicious activity around April 9-10

# Check PowerShell script block logs (event ID 4104, requires script block logging to be enabled)
# for suspicious execution around the compromise window. No -MaxEvents cap is applied: the cap
# limits the events retrieved before Where-Object runs, so older matches would be dropped silently.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104; StartTime='2026-04-09'; EndTime='2026-04-11'} -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -like "*Invoke-Expression*" -or $_.Message -like "*IEX*" -or $_.Message -like "*downloadstring*" } |
  Select-Object TimeCreated, Message | Format-List
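The first indicator in the list above, unusual outbound connections, is the one a user can check without an EDR. The script below is an added example and is not part of the original post or any CPUID or vx-underground material: it lists established outbound TCP connections, drops those to private or local addresses, and flags the rest when the remote port is outside a list of common service ports or when the owning process runs from an image whose Authenticode signature is not valid. The port list and the private-address ranges are assumptions of this example, not STX RAT indicators.

```powershell
# Added example, not from the original post: triage established outbound TCP connections on the
# host and flag the ones a memory-resident implant is most likely to show: a connection to a
# non-private address on a port outside a list of common service ports, or one owned by a process
# whose on-disk image is unsigned or carries an invalid signature. The port list and the private
# address ranges are assumptions of this example, not STX RAT indicators.

$commonPorts = 80, 443, 53, 22, 25, 465, 587, 993, 995, 123, 3389, 5985, 5986

function Test-PrivateAddress {
    param([string]$Address)
    # RFC 1918, loopback, link-local and unspecified addresses are treated as local noise
    return [bool]($Address -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|0\.0\.0\.0$|::1$|fe80:)')
}

function Get-SuspiciousOutbound {
    # Index running processes by PID once; Path is null for processes this session cannot open
    $procs = @{}
    foreach ($p in Get-Process) { $procs[[int]$p.Id] = $p }
    $sigCache = @{}

    foreach ($conn in Get-NetTCPConnection -State Established) {
        if (Test-PrivateAddress $conn.RemoteAddress) { continue }
        $proc = $procs[[int]$conn.OwningProcess]
        $path = if ($proc) { $proc.Path } else { $null }

        # Signature status of the on-disk image, cached per path so each image is checked once
        $sigStatus = 'Unknown'
        if ($path) {
            if (-not $sigCache.ContainsKey($path)) {
                $sigCache[$path] = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
            }
            $sigStatus = $sigCache[$path]
        }

        $reasons = @()
        if ($commonPorts -notcontains $conn.RemotePort) { $reasons += "non-standard port $($conn.RemotePort)" }
        if ($sigStatus -ne 'Valid') { $reasons += "image signature $sigStatus" }
        if ($reasons.Count -eq 0) { continue }

        [pscustomobject]@{
            Pid     = $conn.OwningProcess
            Process = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Image   = $path
            Remote  = "$($conn.RemoteAddress):$($conn.RemotePort)"
            Reasons = $reasons -join '; '
        }
    }
}

Get-SuspiciousOutbound | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so the image path is readable for every process; otherwise processes you cannot open show up with an Unknown signature status. Two limits matter for this malware family: a signed host process with injected code passes the signature check, which is why the port heuristic runs independently of it, and the listing is a snapshot, so an implant that beacons intermittently may not be connected at the moment you look. Treat the output as a prompt for a closer look, not as proof either way, and rely on EDR telemetry for the reflective-loading artifacts the second indicator describes.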

04

How to Remediate

If you downloaded CPU-Z or HWMonitor during the compromise window:

  1. Isolate the affected system from the network immediately
  2. Run a full EDR scan — ensure behavioral detection is enabled, not just signature scanning
  3. Check for persistence mechanisms — scheduled tasks, registry run keys, WMI subscriptions created around April 9-10
  4. Rotate credentials — any password, token, or key accessible from the compromised machine
  5. Consider reimaging — given STX RAT's memory-resident, multi-stage design, reimaging from known-good media is the safest remediation
  6. Download clean copies of CPU-Z/HWMonitor only from cpuid.com (the compromise has been resolved) and verify file hashes
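Steps 3 and 6 are the two that can be scripted. The block below is an added example and is not part of the original post: it enumerates the three persistence locations step 3 names (Run/RunOnce keys, scheduled tasks, WMI event subscriptions), flags scheduled tasks registered inside the compromise window, and verifies a re-downloaded installer against a published SHA-256 hash and its Authenticode signature for step 6. The window dates are the ones from the timeline; the installer path and the published hash are placeholders to replace with your own values.

```powershell
# Added example, not from the original post: enumerate the persistence locations named in the
# remediation list and verify a re-downloaded installer. The window is the compromise window from
# the timeline; the installer path and the published hash are placeholders, not real values.

$WindowStart = Get-Date '2026-04-09'
$WindowEnd   = Get-Date '2026-04-11'

function Get-RunKeyEntries {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        # Registry values carry no creation time, so every entry is listed for review
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath and similar
            [pscustomobject]@{ Type = 'RunKey'; Location = $key; Name = $p.Name; Detail = $p.Value; Created = $null }
        }
    }
}

function Get-RecentScheduledTasks {
    foreach ($task in Get-ScheduledTask) {
        # The registration date lives only in the task XML (<RegistrationInfo><Date>), in local time
        $xmlText = Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -ErrorAction SilentlyContinue
        if (-not $xmlText) { continue }
        $dateText = ([xml]$xmlText).Task.RegistrationInfo.Date
        if (-not $dateText) { continue }
        $created = [datetime]$dateText
        if ($created -lt $WindowStart -or $created -gt $WindowEnd) { continue }
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        [pscustomobject]@{ Type = 'ScheduledTask'; Location = $task.TaskPath; Name = $task.TaskName; Detail = $actions; Created = $created }
    }
}

function Get-WmiSubscriptions {
    # A permanent WMI subscription is rare on a workstation, so every binding is worth a look
    $ns = 'root\subscription'
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ Type = 'WmiSubscription'; Location = $ns; Name = $b.Filter; Detail = $b.Consumer; Created = $null }
    }
}

function Test-InstallerFile {
    param([string]$Path, [string]$PublishedSha256)
    # The SHA-256 must equal the value the vendor publishes, and the Authenticode signature must
    # chain to a trusted root; the signer subject is returned so the vendor name can be checked
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File        = $Path
        HashMatches = ($hash -eq $PublishedSha256)
        Signature   = $sig.Status.ToString()
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

@(Get-RunKeyEntries) + @(Get-RecentScheduledTasks) + @(Get-WmiSubscriptions) | Format-Table -AutoSize

# Placeholder path and hash: substitute the file you downloaded and the hash published by CPUID
Test-InstallerFile -Path "$env:USERPROFILE\Downloads\cpu-z_setup.exe" -PublishedSha256 '<SHA-256 from cpuid.com>'
```

Run keys and WMI bindings are listed in full because neither carries a timestamp; on a typical workstation the WMI list is empty and the run-key list is short, so anything unfamiliar stands out. Task registration dates are local time, so widen the window if the host is far from UTC. Because STX RAT is reported as memory-resident, an empty result from this script does not clear the machine; it only covers the persistence mechanisms step 3 names, and step 5 still applies.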

05

The Supply Chain Pattern

Two major supply chain attacks in two weeks — Axios (March 31) and CPUID (April 9) — targeting completely different software ecosystems (npm packages vs desktop utilities) with the same strategy: compromise the distribution infrastructure and let trust do the rest.

For Houston businesses, the lesson is consistent: application allowlisting is the most effective control against supply chain attacks. Tools like ThreatLocker block any executable that isn't on your approved list — even if it was downloaded from a "trusted" source. The trojanized CPU-Z installer wouldn't execute on a ThreatLocker-protected endpoint because the modified binary doesn't match the approved hash.
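The hash-allowlisting principle described above can be tried with Windows' built-in AppLocker cmdlets. The block below is an added example and is not part of the original post, nor a ThreatLocker configuration: it builds a hash rule from a known-good installer, then asks AppLocker what decision that rule set would make for a second file. A file whose bytes differ in any way produces no hash match and is denied. The file paths are placeholders for this example.

```powershell
# Added example, not from the original post: hash allowlisting shown with the AppLocker module.
# A hash rule is built from a known-good installer and evaluated against candidate files; any
# file not matching an approved hash is denied. File paths are placeholders for this example.

Import-Module AppLocker

function New-HashAllowlist {
    param([string[]]$KnownGoodFiles)
    # One hash rule per approved file, allowed for Everyone; nothing else matches the collection
    $info = Get-AppLockerFileInformation -Path $KnownGoodFiles
    New-AppLockerPolicy -FileInformation $info -RuleType Hash -User Everyone -RuleNamePrefix 'Approved'
}

function Test-AgainstAllowlist {
    param($Policy, [string[]]$Candidates)
    # Test-AppLockerPolicy simulates the decision the policy would make; nothing is enforced here
    Test-AppLockerPolicy -PolicyObject $Policy -Path $Candidates -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Placeholder paths: the approved copy and a freshly downloaded copy of the same installer
$approved   = 'C:\approved\cpu-z_setup.exe'
$downloaded = "$env:USERPROFILE\Downloads\cpu-z_setup.exe"

$policy = New-HashAllowlist -KnownGoodFiles $approved
Test-AgainstAllowlist -Policy $policy -Candidates $approved, $downloaded
```

The approved copy comes back Allowed with the matching rule named; a copy whose hash differs comes back denied. Test-AppLockerPolicy only simulates: enforcing a policy requires Set-AppLockerPolicy plus the Application Identity service, and it should be piloted in audit mode first. The operational cost of hash rules is that every legitimate vendor update changes the hash and must be re-approved, which is the trade-off any allowlisting product, ThreatLocker included, asks you to manage.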

Need help checking your systems? LayerLogix can scan your environment for STX RAT indicators. Call 713-571-2390.
