Intel: STX Rat Supply Chain Attack & Global Credential Harvesting Wave — April 2026

Excerpt

Active STX Rat campaign via trojanized HWMonitor/CPUID. Urgent credential theft & RDP risk. Review installs immediately.

Threat Summary

Recent Telegram intelligence signals a coordinated surge in credential theft operations utilizing diverse supply chain and infrastructure vectors. The most critical active threat is a software supply chain compromise targeting CPUID/HWMonitor. The legitimate download site cpuid.com was observed serving trojanized installers for HWMonitor 64-bit around April 10, 2026, delivering the new "STX Rat" malware family.

STX Rat is not merely an infostealer; it establishes Remote Desktop Protocol (RDP) capabilities for the threat actor and targets browser credentials, specifically manipulating Google Chrome's IElevation COM interface to decrypt saved passwords.

Parallel to this, intelligence confirms APT28 (Fancy Bear) is actively leveraging compromised MikroTik and TP-Link routers globally. By rewriting DNS settings on edge infrastructure, they are redirecting traffic to facilitate credential harvesting at scale, impacting over 18,000 IPs.

Additionally, the weaponization of open-source ecosystems continues unabated, with 1,700+ malicious packages detected across npm, PyPI, Go, Rust, and PHP, and the recent Claude Code leak being weaponized to distribute Vidar and PureLogs stealers via fake GitHub repositories.

Raw Intelligence Analysis

• Post 1 & 6 (@vxunderground): Confirms the cpuid.com compromise. Analysts identified the payload as STX Rat, a family discovered in March 2026. Technical analysis confirms the malware targets Chrome IElevation interfaces for credential dumping and establishes persistence via .db files and PowerShell. The inclusion of RDP capabilities transforms this from simple theft to potential full system takeover.
• Post 2 (@TheHackerNews): Highlights the secondary exploitation of the Claude Code leak. Attackers are creating fake repositories to trojanize releases, pushing known stealers (Vidar, PureLogs) and GhostSocks. This validates the trend of exploiting developer interest in leaked AI code for initial access.
• Post 3 (@TheHackerNews): Provides a broad overview of the threat landscape, explicitly linking the Claude Code leak to a "stealer wave" and noting "Fake Proxifier" campaigns delivering clipboard clippers. It underscores the volume of active infostealer campaigns.
• Post 4 (@TheHackerNews): Attributes a massive open-source supply chain attack (1,700+ packages) to North Korea-linked hackers. The use of "dev tools" as a lure correlates with the technical sophistication seen in the STX Rat campaign.
• Post 5 (@TheHackerNews): Confirms APT28 activity involving global router hijacks. This represents a network-layer credential theft strategy (DNS poisoning) distinct from the endpoint-focused STX Rat campaign but aligned with the same objective: harvesting credentials.

Threat Actor / Tool Profile

STX Rat

• Type: Remote Access Trojan (RAT) / Infostealer
• First Seen: March 2026
• Distribution Method: Supply Chain compromise (Trojanized installers via cpuid.com / HWMonitor).
• Capabilities:
  • Credential Theft: Targets Google Chrome via manipulation of the IElevation COM interface to dump and decrypt saved passwords.
  • Remote Access: Provides threat actors with full remote desktop capabilities.
  • Persistence: Utilizes .db files and PowerShell scripts to maintain access.
  • Evasion: Analysts note "intelligent decisions" in payload development and anti-analysis techniques.

APT28 (Fancy Bear)

• Type: Nation-State Actor (Russia-linked)
• TTP: Router Hijacking (MikroTik, TP-Link).
• Objective: Credential theft via DNS redirection (phishing or MITM).
• Scope: 18,000+ IPs across 120 countries.

Detection Engineering

Sigma Rules

title: STX Rat Persistence via PowerShell from HWMonitor
id: 4a8b2c1d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
description: Detects suspicious PowerShell execution spawned by HWMonitor (STX Rat dropper).
status: experimental
date: 2026/04/14
author: Security Arsenal
references:
    - https://t.me/vxunderground/8677
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\HWMonitor.exe'
        Image|endswith: '\powershell.exe'
    condition: selection
falsepositives:
    - Legitimate administrative scripting (unlikely from HWMonitor)
level: high
tags:
    - attack.persistence
    - attack.execution
    - attack.t1059.001
---
title: APT28 Router DNS Hijacking Indicators
id: b9c3d4e5-1f2a-3b4c-5d6e-7f8a9b0c1d2e
description: Detects DNS configuration changes on critical network infrastructure often associated with APT28 router hijacks.
status: experimental
date: 2026/04/14
author: Security Arsenal
references:
    - https://thehackernews.com/2026/04/russian-state-linked-apt28-exploits.html
logsource:
    category: firewall
detection:
    selection:
        DestinationPort: 53
        Application|contains: 
            - 'mikrotik'
            - 'tp-link'
    filter:
        Action: 'accept'
    condition: selection
falsepositives:
    - Standard DNS traffic
level: low
tags:
    - attack.defense_evasion
    - attack.credential_access
    - attack.t1071.004
---
title: Credential Dumping via Chrome IElevation Interface
id: e6f7a8b9-2c3d-4e5f-6a7b-8c9d0e1f2a3b
description: Detects processes accessing the Chrome IElevation COM interface indicative of STX Rat activity.
status: experimental
date: 2026/04/14
author: Security Arsenal
references:
    - https://t.me/vxunderground/8677
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|contains: 'chrome.exe'
        CallTrace|contains: 'IElevation'
    condition: selection
falsepositives:
    - Rare legitimate debugging
level: critical
tags:
    - attack.credential_access
    - attack.t1003.005

KQL (Microsoft Sentinel)

// Hunt for HWMonitor spawning suspicious child processes (STX Rat)
DeviceProcessEvents
| where Timestamp >= datetime(2026-04-10)
| where InitiatingProcessFileName =~ "HWMonitor.exe" 
| where ProcessVersionInfoInternalFileName != "HWMonitor.exe" // Basic anti-spoofing
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, ProcessCommandLine
| extend Tactics = "Execution, Persistence"

PowerShell (IOC Hunt)

<#
.SYNOPSIS
    Hunt for STX Rat indicators related to HWMonitor compromise.
.DESCRIPTION
    Checks for the presence of HWMonitor, verifies file signatures, and checks for
    recent modifications or suspicious PowerShell persistence in user directories.
#>

$PotentialPaths = @(
    "${env:ProgramFiles}\CPUID\HWMonitor\HWMonitor.exe",
    "${env:ProgramFiles(x86)}\CPUID\HWMonitor\HWMonitor.exe",
    "$env:LOCALAPPDATA\HWMonitor*"
)

Write-Host "[!] Checking for HWMonitor installations..." -ForegroundColor Yellow

foreach ($Path in $PotentialPaths) {
    if (Test-Path $Path) {
        $File = Get-Item $Path -ErrorAction SilentlyContinue
        Write-Host "[+] Found: $($Path)" -ForegroundColor Cyan
        Write-Host "    - Modified: $($File.LastWriteTime)"
        Write-Host "    - Size: $($File.Length) bytes"
        
        # Check if modified during the compromise window (April 10-14, 2026)
        if ($File.LastWriteTime -ge [datetime]"2026-04-10" -and $File.LastWriteTime -le [datetime]"2026-04-14") {
            Write-Host "    [!] WARNING: File modified during active compromise window!" -ForegroundColor Red
        }
        
        # Check Digital Signature (STX Rat is likely unsigned or invalidly signed)
        $Sig = Get-AuthenticodeSignature $Path
        if ($Sig.Status -ne "Valid") {
            Write-Host "    [!] WARNING: Invalid or Missing Signature!" -ForegroundColor Red
        }
    }
}

Write-Host "`n[!] Checking for suspicious PowerShell persistence (.db files)..." -ForegroundColor Yellow
Get-ChildItem -Path $env:USERPROFILE -Recurse -Filter "*.db" -ErrorAction SilentlyContinue | 
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } | 
    Select-Object FullName, LastWriteTime

Response Priorities

Immediate (0–4 hours)

• Identify & Block: Check software inventories for CPUID/HWMonitor. If installed on or after April 10, 2026, isolate the machine.
• C2 Blocking: Block network access to known C2 infrastructure associated with STX Rat and APT28 (if IoCs available) and block cpuid.com if necessary for download prevention.
• Router Audit: Emergency check of MikroTik/TP-Link device logs for unauthorized configuration changes or DNS modifications.

Same-day (4–24 hours)

• Credential Reset: Force password resets for accounts used on compromised HWMonitor endpoints, prioritizing browser-saved credentials (Google Chrome).
• Image Remediation: Wipe and re-image endpoints identified as infected with STX Rat due to its RDP capabilities.
• Supply Chain Audit: Review npm, PyPI, and internal GitHub repositories for the presence of "Claude Code" related fake repos or the 1,700+ known malicious packages.

This Week

• Hunting: Deploy the provided Sigma rules and PowerShell scripts across the fleet to hunt for latent infections.
• Policy Update: Update software allowlists to require strict digital signature validation for monitoring tools like HWMonitor.
• Vulnerability Management: Patch MikroTik and TP-Link routers against the specific vulnerabilities exploited by APT28.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub