CPUID Supply Chain Breach: Detecting STX RAT in Trojanized CPU-Z and HWMonitor Installers

A critical supply-chain attack has been confirmed against CPUID, the developer of the ubiquitous system diagnostics tools CPU-Z and HWMonitor. Threat actors successfully compromised the vendor's distribution infrastructure, serving trojanized installers that deliver the STX RAT (Remote Access Trojan).

Unlike traditional software vulnerabilities, this attack bypasses standard vulnerability scanners by injecting malicious payloads into legitimate, signed binaries hosted on the official domain. Defenders must treat any recent downloads of CPU-Z or HWMonitor as hostile until verified clean.

Technical Analysis

Affected Products:

CPU-Z: Versions 2.05.1 through 2.06.0 (Windows x64/x32 installers)
HWMonitor: Versions 1.50 through 1.52

Threat Vector: The attackers compromised the CPUID web server, replacing legitimate .exe installation files with malicious variants. While the file size and version information may appear identical to the legitimate software, the binaries contain a dropper for STX RAT.

Malware Capabilities (STX RAT):

Keylogging & Credential Harvesting: Hooks into keyboard input to capture sensitive data.
Remote Desktop Control (RDP): Allows attackers full interactive control over the endpoint.
Anti-Analysis: Employs obfuscation and process hollowing to evade EDR detection.
Persistence: Establishes persistence via Registry Run keys and Scheduled Tasks.

Attack Chain:

Initial Access: User downloads cpuz_x.x.x-setup.exe or hwmonitor_x.x.x.exe from cpuid.com.
Execution: User executes the installer (typically requiring Administrator privileges).
Payload Drop: The dropper extracts a malicious DLL and STX RAT payload to %APPDATA%\Microsoft\Windows\Templates\.
C2 Beaconing: The malware establishes a reverse HTTPS connection to attacker-controlled infrastructure (distinct from CPUID’s legitimate CDN).

Exploitation Status: Active exploitation confirmed. CISA KEV inclusion is pending as of 2026/04/15.

Detection & Response

The following detection content targets the specific behavioral anomalies of the trojanized installers and the STX RAT payload.

YAML

---
title: Suspicious PowerShell Spawn by CPU-Z or HWMonitor
id: 8a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects CPU-Z or HWMonitor spawning PowerShell, which is not typical behavior for these hardware utilities and indicates a trojanized binary executing a payload.
references:
  - https://attack.mitre.org/techniques/T1059/001
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\cpuz.exe'
      - '\cpuz_x64.exe'
      - '\hwmonitor.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
  condition: selection
falsepositives:
  - Legitimate administrative scripts using these tools (rare)
level: high
---
title: STX RAT Persistence via Templates Folder
id: 9b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects creation of executable files in the Windows Templates folder by a parent process resembling CPU-Z/HWMonitor installers, a common TTP for this specific STX RAT variant.
references:
  - https://attack.mitre.org/techniques/T1547/001
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.persistence
  - attack.t1547.001
logsource:
  category: file_create
  product: windows
detection:
  selection:
    TargetFilename|contains: '\AppData\Roaming\Microsoft\Windows\Templates\'
    TargetFilename|endswith:
      - '.exe'
      - '.dll'
  filter:
    Image|endswith:
      - '\explorer.exe'
      - '\msiexec.exe'
  condition: selection and not filter
falsepositives:
  - Legitimate Office template usage (usually .dotx, not .exe)
level: critical


**Microsoft Sentinel / Defender KQL (Kusto Query Language)**

KQL — Microsoft Sentinel / Defender

// Hunt for suspicious network connections from CPU-Z/HWMonitor processes
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("cpuz.exe", "cpuz_x64.exe", "hwmonitor.exe")
| where RemotePort != 443 or RemoteUrl !contains "cpuid.com"
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| extend SuspiciousScore = iff(RemotePort in (80, 8080, 443) and RemoteUrl !contains "cpuid.com", 1, 0)
| where SuspiciousScore == 1


**Velociraptor VQL**

VQL — Velociraptor

-- Hunt for STX RAT artifacts in the Templates directory
SELECT FullPath, Size, Mtime, Btime
FROM glob(globs='/*', root='C:/Users/*/AppData/Roaming/Microsoft/Windows/Templates/')
WHERE Name =~ '.exe' OR Name =~ '.dll'
-- Cross-reference with process execution
SELECT Pid, Name, Exe, Parent.Pid as ParentPid, Parent.Name as ParentName, StartTime
FROM pslist()
WHERE Parent.Name =~ 'cpuz' OR Parent.Name =~ 'hwmonitor'


**Remediation Script (PowerShell)**

PowerShell

# Check for specific vulnerable versions of CPU-Z and HWMonitor
# And verify if the binary signature is valid (or missing/invalid indicating tampering)

$vulnerableVersions = @{
    "cpuz.exe" = @("2.05.1", "2.06.0")
    "hwmonitor.exe" = @("1.50", "1.52")
}

$programs = Get-ChildItem "C:\Program Files\CPUID", "${env:ProgramFiles(x86)}\CPUID" -Recurse -ErrorAction SilentlyContinue

foreach ($prog in $programs) {
    if ($vulnerableVersions.ContainsKey($prog.Name)) {
        $versionInfo = $prog.VersionInfo.FileVersion
        if ($versionInfo -in $vulnerableVersions[$prog.Name]) {
            Write-Host "[!] SUSPICIOUS: Found vulnerable version $($prog.Name) (v$versionInfo) at $($prog.FullName)" -ForegroundColor Red
            
            # Check Digital Signature
            $sig = Get-AuthenticodeSignature $prog.FullName
            if ($sig.Status -ne "Valid") {
                Write-Host "[!!!] CRITICAL: Signature status is $($sig.Status). File is likely trojanized." -ForegroundColor Red
            }
        }
    }
}

# Remove known STX RAT persistence artifacts (Use with caution)
$ratPath = "$env:APPDATA\Microsoft\Windows\Templates"
if (Test-Path $ratPath) {
    Write-Host "[*] Scanning $ratPath for executables..."
    Get-ChildItem $ratPath -Filter *.exe -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Host "[!] Found potential RAT payload: $($_.FullName)" -ForegroundColor Yellow
    }
}

Remediation

Immediate Quarantine: Isolate any endpoints where CPU-Z or HWMonitor were recently installed or executed (after 2026-04-10).
Artifact Removal:
- Uninstall all instances of CPU-Z and HWMonitor immediately.
- Delete the directory %APPDATA%\Microsoft\Windows\Templates\ if it contains unsigned binaries.
- Remove persistence keys found in HKCU\Software\Microsoft\Windows\CurrentVersion\Run related to the malware.
Clean Re-installation: Do not re-download immediately. Wait for the vendor (CPUID) to issue a formal security advisory confirming their infrastructure is sanitized. Use previously downloaded, offline installers from known-good backups if necessary, or verify new downloads via file hash comparison against trusted sources (e.g., VirusTotal community samples for the legitimate clean versions).
Credential Reset: Assume credentials (browser-saved passwords, domain credentials cached in memory) were compromised due to the infostealer capabilities of STX RAT. Force a password reset for all accounts used on affected machines.

Official Advisory

Vendor: CPUID
Status: Investigating / Incident Response Active
Action: Block cpuid.com downloads temporarily if your risk tolerance mandates it until the site is verified clean.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub