CPUID Watering Hole Attack: STX RAT Detection and Remediation Guide

A sophisticated watering hole attack has compromised the infrastructure of CPUID, the developer of the widely popular system diagnostics tools CPU-Z and HWMonitor. Threat actors successfully breached the website and replaced legitimate download links with malicious variants for several hours. Users downloading these tools during this window did not receive the expected performance monitor; instead, they executed installers for the STX RAT (Remote Access Trojan).

This incident is a critical supply-chain attack. Unlike typical phishing, the victims are technical users—gamers, sysadmins, and hardware enthusiasts—who trust the source implicitly. Once executed, STX RAT provides attackers with full remote access capabilities, including keystroke logging, file exfiltration, and lateral movement. Defenders must treat this with the urgency of a nation-state supply-chain compromise.

Technical Analysis

• Affected Products: CPU-Z and HWMonitor (Windows installers hosted on cpuid.com).
• Threat Vector: Watering hole attack. The web server was compromised to serve malicious files in place of signed binaries.
• Payload: STX RAT. This malware enables comprehensive remote control of the infected host.
• CVE Identifiers: N/A (This is a web infrastructure compromise serving malicious binaries, not a software vulnerability in CPU-Z itself).
• Exploitation Status: Confirmed active exploitation. The attack window was limited to several hours, but the impact is global.
• Attack Chain:
  1. User visits cpuid.com to download CPU-Z or HWMonitor.
  2. User executes the downloaded installer (e.g., cpuz_setup.exe or hwmonitor.exe).
  3. The malicious installer drops and executes STX RAT instead of the legitimate application.
  4. STX RAT establishes a C2 channel, granting remote access.

Detection & Response

Detecting this requires looking for anomalies in the execution of these specific tools. Legitimate CPU-Z and HWMonitor installers do not spawn shell processes like cmd.exe or powershell.exe immediately upon execution. The trojanized versions, however, often initiate the payload via these interpreters or drop unsigned binaries in non-standard locations.

Sigma Rules

The following Sigma rules identify suspicious behavior associated with the trojanized installers and the STX RAT payload activity.

---
title: Suspicious Child Process of CPU-Z or HWMonitor
id: 88c3f1d2-a4b5-4c9d-8f2e-1a3b4c5d6e7f
status: experimental
description: Detects CPU-Z or HWMonitor spawning suspicious shells or scripts, indicative of a trojanized delivery mechanism.
references:
  - https://securityaffairs.com/190702/malware/cpuid-watering-hole-attack-spreads-stx-rat-malware.html
author: Security Arsenal
date: 2025/04/08
tags:
  - attack.initial_access
  - attack.t1192
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|contains:
      - 'cpu-z.exe'
      - 'cpuz_x64.exe'
      - 'hwmonitor.exe'
  selection_suspicious_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  condition: all of selection_*
falsepositives:
  - Unlikely; legitimate installers do not spawn these shells.
level: critical
---
title: STX RAT Suspicious Network Connection Pattern
id: 99d4e2e3-b5c6-5d0e-9g3f-2b4c5d6e7f8g
status: experimental
description: Detects potential STX RAT activity based on process anomalies and network connections spawned from user directories.
references:
  - Internal Threat Intel
date: 2025/04/08
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|contains:
      - '\AppData\'
      - '\Downloads\'
    Initiated: 'true'
  filter_legit:
    Image|contains:
      - '\Google\Chrome\'
      - '\Microsoft\Edge\'
      - '\Mozilla\Firefox\'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate software running from user directories (rare for system tools).
level: high

KQL (Microsoft Sentinel / Defender)

This query hunts for processes launched by the compromised installers and looks for unsigned executables running from common download locations.

// Hunt for suspicious behavior related to CPUID compromise
let SuspiciousParents = dynamic(['cpu-z.exe', 'cpuz_x64.exe', 'hwmonitor.exe']);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ (SuspiciousParents)
| where FileName in~ ('powershell.exe', 'cmd.exe', 'regsvr32.exe', 'rundll32.exe')
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath
| extend Timestamp = Timestamp
| order by Timestamp desc

Velociraptor VQL

This VQL artifact hunts for the specific executables on disk, checks their signatures, and identifies if they are running from non-standard paths.

-- Hunt for trojanized CPUID tools
SELECT FullPath, Size, Mtime, 
       AuthInfo.SignerSubject as Signer, 
       AuthInfo.SignatureStatus as SigStatus
FROM glob(globs="\\Users\*\Downloads\*cpuz*.exe", 
           globs="\\Users\*\Downloads\*hwmonitor*.exe")
WHERE SigStatus != "Valid" OR Signer != "CPUID, Inc."

Remediation Script

Use this PowerShell script to scan endpoints for the affected files and verify their integrity. This is critical for identifying infections that may have bypassed initial detection.

# Check for suspicious CPUID executables in user profiles
$AffectedFiles = @("cpuz_setup.exe", "cpuz_x64.exe", "hwmonitor.exe", "HWMonitor64.exe")
$UserProfiles = Get-ChildItem "C:\Users\" -Directory

Foreach ($Profile in $UserProfiles) {
    $DownloadsPath = Join-Path $Profile.FullName "Downloads"
    If (Test-Path $DownloadsPath) {
        Write-Host "Scanning $($Profile.FullName)..."
        Get-ChildItem -Path $DownloadsPath -Filter *.exe -Recurse -ErrorAction SilentlyContinue | 
        Where-Object { $AffectedFiles -contains $_.Name } | 
        ForEach-Object {
            $Sig = Get-AuthenticodeSignature $_.FullName
            If ($Sig.Status -ne "Valid" -or $Sig.SignerCertificate.Subject -notlike "*CPUID, Inc.*") {
                Write-Warning "[!] SUSPICIOUS FILE FOUND: $($_.FullName)"
                Write-Warning "    Signer Status: $($Sig.Status)"
                Write-Warning "    Signer Subject: $($Sig.SignerCertificate.Subject)"
                # Optional: Quarantine the file
                # Remove-Item $_.FullName -Force
            }
        }
    }
}

Remediation

1. Immediate Containment: If you downloaded CPU-Z or HWMonitor between April 4, 2025, and April 5, 2025 (referencing the specific incident window reported), assume the host is compromised. Isolate affected machines from the network immediately.

2. Verification of Binaries: Legitimate CPUID applications are digitally signed by "CPUID, Inc." Use the PowerShell script above or manually check file properties:

• Right-click the file > Properties > Digital Signatures.
• Ensure the certificate states "CPUID, Inc." and is valid.

3. Removal and Re-installation:

• Delete the downloaded installers immediately.
• If executed, perform a full scan with an updated EDR solution capable of detecting STX RAT variants.
• Download fresh, legitimate copies from the restored CPUID website after verifying the site's SSL certificate status.

4. Credential Reset: STX RAT provides full remote access, including credential theft. Assume all credentials saved in browsers or cached on the infected host are compromised. Force a password reset for all accounts accessed from the infected machine.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub