CPUID Supply Chain Attack Delivers STX RAT via Trojanised CPU-Z and HWMonitor Downloads
| Group | Attribution unconfirmed. Infrastructure overlap identified with a March 2026 fake FileZilla distribution campaign. C2 domain first observed November 2025. Campaign tagged internally as "CityOfSin". |
| Type | Supply Chain Attack / Remote Access Trojan / Backdoor |
| Malware | STX RAT (classified as Backdoor.Win64.Alien by Kaspersky) โ a multi-stage, memory-resident remote access trojan with credential theft, persistent backdoor access, and C2 communication via DNS-over-HTTPS. |
| Score | ๐ 8.5 High. Confirmed supply chain compromise of a trusted official developer website serving over 150 confirmed victims across retail, manufacturing, telecom, and agriculture sectors globally. |
| Observed | April 9-10. |
Overview
CPUID, the French software company behind widely used hardware diagnostic tools CPU-Z and HWMonitor, had its official website compromised on April 9, 2026. Attackers gained access to a backend API and replaced legitimate download links with URLs pointing to malicious installers hosted on attacker-controlled Cloudflare R2 infrastructure. The compromise lasted approximately six hours, from around 15:00 UTC on April 9 to 10:00 UTC on April 10, before CPUID identified and remediated the issue.
During that window, anyone who downloaded CPU-Z, HWMonitor, HWMonitor Pro, or PerfMonitor from the official cpuid.com website received a trojanised package. The malicious archive bundled legitimate, signed CPUID executables alongside a weaponised CRYPTBASE.dll, which is loaded via Windows DLL search order hijacking when the user runs the software. The attack does not modify the signed original files; instead it plants a malicious DLL in the same directory, exploiting a transitive sideloading path through ADVAPI32.dll.
The delivered payload is STX RAT, a newly documented remote access trojan that operates almost entirely in memory across a seven-stage infection chain. Once deployed, STX RAT establishes a persistent backdoor to attacker-controlled C2 infrastructure at welcome.supp0v3[.]com, uses DNS-over-HTTPS to evade DNS monitoring, and installs four separate persistence mechanisms to survive reboots. The malware also harvests credentials from browser stores and launches Chrome as a child process, likely for cookie access or browser-based C2 staging.
Kaspersky confirmed more than 150 victims from the six-hour exposure window, across Brazil, Russia, and China, with organisations in retail, manufacturing, consulting, telecommunications, and agriculture. Detection rates for the malicious ZIP at the time of discovery were 22 out of 77 antivirus engines, meaning the majority of endpoint security products would not have flagged the download. Any organisation or individual who ran a CPUID product download between April 9 15:00 UTC and April 10 10:00 UTC should treat the affected system as potentially compromised.
Key Details
Delivery Method โ Official software download from cpuid.com redirected to malicious Cloudflare R2-hosted installers after backend API compromise. No phishing required; users downloaded from what appeared to be the legitimate developer website.
Target โ Hardware enthusiasts, IT professionals, system builders, and enterprise IT teams using CPU-Z or HWMonitor for diagnostics. Confirmed victims span Brazil, Russia, and China across retail, manufacturing, consulting, telecommunications, and agriculture sectors. Windows systems only.
Functions
- Executes a seven-stage in-memory infection chain with no disk-resident payload beyond persistence artefacts
- Establishes a persistent remote access backdoor via C2 at welcome.supp0v3[.]com
- Uses DNS-over-HTTPS via Cloudflare (1.1.1.1) to resolve C2 addresses and evade DNS-based monitoring
- Installs four separate persistence mechanisms: MSBuild .proj files, a scheduled task running every 68 minutes for 20 years, COM TypeLib hijacking via IPv6-encoded .NET deserialisation, and a PowerShell profile autorun script
- Harvests browser-stored credentials and cookies by launching Chrome/Chromium as a child process of PowerShell
- Compiles and executes shellcode loaders in memory using csc.exe without writing payloads to disk
- Communicates with C2 using campaign tag "CityOfSin" embedded in callback requests
Obfuscation โ Colon-hex encoded shellcode in the .rdata section of CRYPTBASE.dll; XOR encryption (key rotated as 1+(i%17)) for the BuildCache.dat shellcode stage; IPv6-encoded .NET assembly for the COM hijack chain; business-themed PowerShell variable names and MSBuild task disguised as Microsoft.Build.PackageOptimizer to defeat basic signature detection.
Attack Vectors
Stage 0 โ Supply Chain Delivery: Attackers compromise a backend API at cpuid.com and replace the download JSON configuration pointing to official installers. The main website begins serving links to malicious Cloudflare R2 buckets. A user visiting cpuid.com and clicking the standard download button receives a trojanised ZIP (cpu-z_2.19-en.zip) containing the legitimate signed CPU-Z binary alongside a malicious CRYPTBASE.dll planted in the same directory.
Stage 1 โ DLL Sideloading on Execution: When the user runs the legitimate CPU-Z binary, Windows loads ADVAPI32.dll, which in turn attempts to load CRYPTBASE.dll. Because the malicious CRYPTBASE.dll is in the application directory rather than the System32 path, Windows loads the attacker's version first. This transitive sideload gives the malware execution in the context of a trusted, signed process without triggering most application whitelisting controls.
Stage 2 โ Shellcode Decoding and Reflective PE Load: The malicious CRYPTBASE.dll decodes 349KB of colon-hex encoded shellcode from its .rdata section, then uses position-independent shellcode to reflectively load an encrypted secondary DLL (out.dll) entirely in memory. No additional files are written to disk at this stage.
Stage 3 โ C2 Callback and Payload Delivery: The in-memory loader resolves the C2 domain welcome.supp0v3[.]com using DNS-over-HTTPS via Cloudflare's 1.1.1.1 resolver, bypassing standard enterprise DNS monitoring. A POST request is made to the /d/callback endpoint with the campaign tag CityOfSin. The C2 server delivers the actual backdoor payload; sandbox analysis confirms the C2 callback occurs before any file drops, meaning the core backdoor is never present on disk until received from the server.
Stage 4 and 5 โ PowerShell Loader and In-Memory C# Compilation: The C2-delivered payload spawns a PowerShell process that receives additional code via stdin piping, avoiding command-line argument logging. PowerShell invokes csc.exe to compile a C# shellcode loader in memory, producing a temporary .NET DLL and immediately executing it.
Stage 6 โ Quad-Persistence Installation: Four separate persistence mechanisms are installed: a scheduled task running every 68 minutes with a 20-year duration; a registry Run key pointing to an MSBuild .proj file (disguised as Microsoft.Build.PackageOptimizer); COM TypeLib GUID hijacking that chains ActiveX.sct to Clippy.sct to a Moniker.dll loader via IPv6-encoded .NET deserialisation; and a PowerShell profile autorun.ps1. The use of four independent mechanisms ensures the backdoor survives removal of any individual artefact.
Known Indicators of Compromise
Indicators may vary across campaigns and malware samples. Verify all IOCs against current threat feeds before actioning.
File Hashes
| File | SHA256 | Detection |
|---|---|---|
cpu-z_2.19-en.zip (trojanised package) | eff5ece65fb30b21a3ebc1ceb738556b774b452d13e119d5a2bfb489459b4a46 | 22/77 AV engines |
CRYPTBASE.dll (CPU-Z bundled variant) | 49685018878b9a65ced16730a1842281175476ee5c475f608cadf1cdcc2d9524 | 31/77 AV engines |
CRYPTBASE.dll (HWMonitor variant) | 9cdabd70f50dc8c03f0dfb31894d9d5265134a2cf07656ce8ad540c1790fc984 | Kaspersky confirmed |
Domains and URLs (C2 and Distribution)
| Indicator | Type | Notes |
|---|---|---|
supp0v3[.]com | C2 base domain | Campaign infrastructure base |
welcome.supp0v3[.]com | Active C2 | Callback endpoint, behind Cloudflare |
helloworld.supp0v3[.]com | C2 test subdomain | First seen 2025-11-17 |
ai.supp0v3[.]com | Real backend | Resolves to 147.45.178.61, NOT Cloudflare |
pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev | Malware distribution | Primary Cloudflare R2 hosting bucket |
pub-fd67c956bf8548b7b2cc23bb3774ff0c.r2[.]dev | Malware distribution | Secondary R2 bucket |
cahayailmukreatif.web[.]id | Redirect domain | Rogue download redirect site |
transitopalermo[.]com | Redirect domain | Rogue download redirect site |
vatrobran[.]hr | Redirect domain | Rogue download redirect site |
IP Addresses
| Indicator | Type | Notes |
|---|---|---|
147.45.178.61 | C2 backend server | Real origin server behind ai.supp0v3[.]com |
C2 Callback URL
| Indicator | Method | Notes |
|---|---|---|
hxxps://welcome.supp0v3[.]com/d/callback | POST | Primary C2 callback |
hxxps://welcome.supp0v3[.]com/d/callback?utm_tag=snip&utm_source=CityOfSin | POST | Tagged callback with campaign identifier |
Host-Based Artefacts (Persistence Files)
| Path | Purpose |
|---|---|
C:\Users\<USER>\AppData\Local\Microsoft\MSBuild\c_3791.proj | MSBuild C# shellcode loader |
C:\Users\<USER>\AppData\Local\Packages\MSBuild\CommonBuild.proj | MSBuild loader copy |
C:\Users\<USER>\AppData\Local\Microsoft\Internet Explorer\ActiveX.sct | COM hijack launcher |
C:\Users\<USER>\AppData\Local\Microsoft\Internet Explorer\Clippy.sct | IPv6-encoded .NET runner |
C:\Users\<USER>\AppData\Local\Microsoft\Internet Explorer\data.dat | Shellcode payload |
C:\Users\<USER>\AppData\Local\Microsoft\MSBuild\Current\Cache\BuildCache.dat | XOR-encrypted shellcode |
C:\Users\<USER>\AppData\Local\Microsoft\Windows\PowerShell\autorun.ps1 | PowerShell profile persistence |
C:\ProgramData\CPUID Software\cpu-z\KPTwo6rj | Staging temp file |
MITRE ATT&CK Techniques
| Technique ID | Technique Name | Application in This Campaign |
|---|---|---|
| T1195.002 | Supply Chain Compromise | CPUID backend API compromised to serve trojanised downloads |
| T1574.002 | Hijack Execution Flow: DLL Side-Loading | Malicious CRYPTBASE.dll sideloaded via ADVAPI32 transitive load path |
| T1620 | Reflective Code Loading | out.dll loaded reflectively in memory via position-independent shellcode |
| T1059.001 | PowerShell | Stdin-piped PowerShell execution to avoid command-line logging |
| T1127.001 | Signed Binary Proxy Execution: MSBuild | MSBuild .proj files with inline C# shellcode tasks |
| T1218.010 | Signed Binary Proxy Execution: Regsvr32 | ActiveX.sct chains to Clippy.sct via regsvr32 /i |
| T1053.005 | Scheduled Task | Hidden task firing every 68 minutes, set for 20-year duration |
| T1546.015 | COM Hijacking | TypeLib GUID hijack via IPv6-encoded .NET deserialisation chain |
| T1071.004 | Application Layer Protocol: DNS | DNS-over-HTTPS via Cloudflare 1.1.1.1 to evade DNS monitoring |
| T1027 | Obfuscated Files or Information | Colon-hex encoding, XOR rotation, IPv6-encoded .NET assembly |
| T1497 | Virtualization/Sandbox Evasion | Debug environment detection, BIOS checks, long sleep timers |
Mitigation and Prevention
Verify and Remove Affected CPUID Downloads
Any CPUID product (CPU-Z, HWMonitor, HWMonitor Pro, PerfMonitor) downloaded between April 9 15:00 UTC and April 10 10:00 UTC should be considered compromised. Delete the download package and any extracted files immediately. Run a targeted scan looking for CRYPTBASE.dll in the CPUID application directory rather than System32, which is an immediate indicator of the malicious variant.
Hunt for Persistence Artefacts Across the Fleet
The malware installs four separate persistence mechanisms. Query endpoint detection and response tooling for the known file paths including c_3791.proj, CommonBuild.proj, ActiveX.sct, Clippy.sct, and autorun.ps1 in the locations listed in the IOC section above. Also search for a registry Run key value pointing to MSBuild.exe with a .proj file argument, and for a scheduled task set with a multi-decade run duration.
Block C2 Infrastructure at the Perimeter
Add supp0v3[.]com and all subdomains to DNS blocklists immediately. Block outbound access to 147.45.178.61. The malware uses DNS-over-HTTPS to resolve C2 addresses, so standard DNS blocking alone is insufficient. Either enforce DNS-over-HTTPS through a controlled resolver that applies your blocklists (such as a filtered DoH proxy), or block outbound DNS-over-HTTPS to public resolvers like 1.1.1.1 and 8.8.8.8 in favour of a monitored internal resolver.
Alert on MSBuild and Regsvr32 Spawning from Unusual Parents
MSBuild.exe and regsvr32.exe being spawned by PowerShell, or regsvr32.exe loading .sct files, are high-confidence indicators of this infection chain. Create detection rules to alert on these process relationships in your SIEM or EDR. The combination of csc.exe compiling C# in a user temp directory followed by immediate execution is also a reliable hunting signal.
Apply DLL Search Order Protections
This attack exploits Windows DLL search order to sideload CRYPTBASE.dll from the application directory rather than System32. Configure AppLocker or WDAC policies to prevent unsigned DLLs from loading in non-system directories. Enforcing DLL Safe Search Mode across managed endpoints raises the bar for this class of attack significantly.
Validate Download Integrity for All Third-Party Tools
Even downloads from official developer websites can be compromised via API or CDN manipulation, as this incident demonstrates. Enforce a policy of verifying SHA256 hashes for all third-party tool downloads before execution, particularly for hardware diagnostics, system utilities, and developer tooling that is commonly downloaded outside of formal software management processes.
Restrict DNS-over-HTTPS to Controlled Resolvers
The malware bypasses traditional DNS monitoring by using DNS-over-HTTPS to Cloudflare's 1.1.1.1 resolver. Organisations that have not already addressed this gap should block direct outbound DoH traffic to public resolvers and enforce resolution through a monitored internal or managed DoH provider. Microsoft Intune, Group Policy, and most enterprise DNS platforms support DoH policy enforcement.
Risk Assessment
This attack is an illustration of why supply chain integrity is among the hardest problems in enterprise security. CPUID's tools are downloaded by millions of users, primarily IT professionals and hardware engineers who are more technically sophisticated than average, more likely to disable endpoint controls, and more likely to run diagnostic utilities with elevated permissions. Targeting this audience via a trusted official source is highly effective precisely because it bypasses the instinctive scepticism that catches most phishing attempts.
The six-hour exposure window is short but the impact is not trivial. Kaspersky confirmed more than 150 victims, and detection rates at the time of infection were low enough that most of those systems would have received no alerts. The quad-persistence design means that a full remediation requires more than simply deleting the malicious DLL; every one of the four persistence paths needs to be found and removed, and the C2 connection established during the six-hour window may have already been used to deploy additional tooling that is not yet publicly documented.
The infrastructure linkage to a March 2026 fake FileZilla campaign indicates this is an organised and ongoing threat actor, not a one-off opportunistic attack. The same C2 domain infrastructure was in preparation since at least November 2025 based on subdomain first-seen dates, suggesting the CPUID compromise was a planned operation rather than an accidental discovery. This actor will likely target other popular developer tools through the same API compromise methodology.
Conclusion
If your organisation uses CPU-Z, HWMonitor, or any CPUID product, the immediate priority is confirming whether any download occurred in the six-hour window on April 9-10, 2026, and treating any machine that ran a download from that period as compromised until proven otherwise. Remediation requires hunting all four persistence mechanisms, not just deleting the trojanised installer.
This campaign reinforces that download integrity verification and DNS-over-HTTPS controls are no longer optional hygiene items. An attacker who can manipulate the download links on a legitimate developer website for six hours, with an AV detection rate under 30%, and four persistence mechanisms that survive most standard incident response playbooks, represents exactly the kind of threat that checkmark compliance programmes are not designed to catch.
Sources
- BleepingComputer โ CPUID hacked to deliver malware via CPU-Z and HWMonitor downloads (April 2026)
- The Hacker News โ CPUID Breach Distributes STX RAT via Trojanized CPU-Z and HWMonitor Downloads (April 2026)
- GitHub Gist (N3mes1s) โ CPU-Z 2.19 Supply Chain Attack Analysis: Trojanized DLL Sideloading with Zig-compiled CRYPTBASE.dll (April 2026)
- CYDERES โ Monitoring the Monitor: How CPUID's HWMonitor Supply Chain Was Hijacked to Deploy STX RAT (April 2026)
- Tom's Hardware โ HWMonitor and CPU-Z developer CPUID breached by unknown attackers (April 2026)
- Fyself News โ CPUID Compromise Distributes STX RAT via Trojanized CPU-Z and HWMonitor Downloads (April 2026)
- BeyondMachines โ CPUID Website Compromised to Distribute STX RAT Malware (April 2026)