Supply Chain Compromise: CPU-Z/HWMonitor Serving STX RAT
Just caught wind of a significant supply chain attack involving CPUID, the folks behind CPU-Z and HWMonitor. Apparently, their site (cpuid.com) was compromised for roughly 19 hours between April 9 (15:00 UTC) and April 10 (10:00 UTC).
During this window, threat actors swapped the legitimate executables for trojanized versions dropping STX RAT. Considering how ubiquitous these tools are in gaming rigs and benchmarking stations—and how often users suppress AV warnings for performance tools—this is a nasty one.
If you have deployments that pulled installers during that window, I'd recommend immediate verification. STX RAT typically gives full control, including keylogging and remote shell access.
Here is a quick PowerShell snippet to scan your downloaded installation directories (adjust paths as needed) and check creation times against the IOC window:
# Window in which cpuid.com served trojanized installers (UTC; Get-Date converts the Z suffix to local time)
$targetDateStart = Get-Date "2026-04-09 15:00:00Z"
$targetDateEnd = Get-Date "2026-04-10 10:00:00Z"
# Find installers written to disk inside the window and hash them for IOC comparison
Get-ChildItem -Path "C:\Downloads\" -Filter "*setup*.exe" -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $targetDateStart -and $_.LastWriteTime -lt $targetDateEnd } |
    Select-Object FullName, LastWriteTime, @{N='SHA256';E={(Get-FileHash $_.FullName -Algorithm SHA256).Hash}}
Has anyone started seeing C2 traffic associated with this in their SOAR queues? I'm curious if there are specific C2 domains being leaked yet beyond the standard STX infrastructure.
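Added example (not the poster's script): a fuller verification pass in PowerShell that combines the timestamp window above with two checks the snippet does not do: a SHA256 allow-list and an Authenticode signature check. The hash list and the expected signer string are placeholders you must fill from a known-clean build or the vendor's published values; the installer filename pattern is assumed.

```powershell
# Added example, not from the original post. Verifies CPU-Z/HWMonitor installers by
# compromise-window timestamp, SHA256 allow-list and Authenticode signature.
# PLACEHOLDERS: $KnownGoodHashes and $ExpectedSignerPattern must be filled in by you.

param(
    [string[]]$SearchPaths = @("$env:USERPROFILE\Downloads", "C:\Downloads"),
    [datetime]$WindowStart = (Get-Date "2026-04-09T15:00:00Z").ToUniversalTime(),
    [datetime]$WindowEnd   = (Get-Date "2026-04-10T10:00:00Z").ToUniversalTime()
)

# PLACEHOLDER: SHA256 values of the clean builds, taken from the vendor or a known-clean copy.
$KnownGoodHashes = @(
    'REPLACE_WITH_KNOWN_GOOD_SHA256'
)
# ASSUMPTION: substring expected in the signer certificate subject; confirm against a clean binary.
$ExpectedSignerPattern = 'CPUID'

function Test-Installer {
    param([System.IO.FileInfo]$File)

    $hash = (Get-FileHash -Path $File.FullName -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $File.FullName
    $signerSubject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # A file is "in window" if either its creation or last-write time (UTC) falls inside it.
    $inWindow = ($File.CreationTimeUtc  -ge $WindowStart -and $File.CreationTimeUtc  -le $WindowEnd) -or
                ($File.LastWriteTimeUtc -ge $WindowStart -and $File.LastWriteTimeUtc -le $WindowEnd)

    $hashOk   = $KnownGoodHashes -contains $hash
    $sigOk    = ($sig.Status -eq 'Valid') -and ($signerSubject -like "*$ExpectedSignerPattern*")
    $verdict  = if ($hashOk -and $sigOk) { 'OK' }
                elseif ($inWindow)       { 'REVIEW: written during compromise window' }
                else                     { 'UNKNOWN: hash not on allow-list' }

    [pscustomobject]@{
        Path            = $File.FullName
        CreationTimeUtc = $File.CreationTimeUtc
        InWindow        = $inWindow
        SHA256          = $hash
        HashKnownGood   = $hashOk
        SignatureStatus = $sig.Status
        Signer          = $signerSubject
        Verdict         = $verdict
    }
}

$results = foreach ($root in $SearchPaths) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        # ASSUMED naming: cpu-z_*.exe / cpuz*.exe / hwmonitor_*.exe
        Where-Object { $_.Name -match '^(cpu-?z|hwmonitor).*\.exe$' } |
        ForEach-Object { Test-Installer -File $_ }
}

$results | Sort-Object Verdict | Format-Table -AutoSize
```

Run it as the user who did the downloading (or point SearchPaths at your software share). A REVIEW verdict only means the file landed in the window; the hash and signature columns are what decide whether it is clean.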
We've flagged about a dozen endpoints hitting suspicious IPs shortly after the installation timestamp. We're using a Sigma rule to look for the specific child process STX spawns. It usually drops a temp copy of itself.
detection:
  selection:
    ParentImage|endswith: '\cpuz_x64.exe'
    Image|contains: '\AppData\Local\Temp\'
  condition: selection
Definitely check your event logs for process execution, not just file downloads.
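Added example (not part of the reply above): the same parent/child logic as the Sigma rule, run as a retro-hunt over Sysmon Event ID 1 (process creation) with Get-WinEvent. It assumes Sysmon is installed and writing to Microsoft-Windows-Sysmon/Operational, and the list of parent names is an assumption extended beyond the single cpuz_x64.exe in the rule.

```powershell
# Added example, not from the original reply. Hunts Sysmon process-creation events for a
# CPU-Z/HWMonitor parent spawning a child out of %LOCALAPPDATA%\Temp. Run elevated.

param(
    [datetime]$Since = (Get-Date).AddDays(-7),
    # ASSUMED parent names; the Sigma rule above only lists cpuz_x64.exe
    [string[]]$ParentNames = @('cpuz_x64.exe', 'cpuz_x32.exe', 'hwmonitor_x64.exe', 'hwmonitor_x32.exe')
)

function Get-SysmonEventData {
    # Flatten <EventData><Data Name="..."> entries of a Sysmon event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Find-SuspiciousChildren {
    param([datetime]$Since, [string[]]$ParentNames)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = Get-SysmonEventData -Event $e
        if (-not $d['ParentImage'] -or -not $d['Image']) { continue }
        $parentLeaf = Split-Path -Path $d['ParentImage'] -Leaf
        $parentHit  = $ParentNames -contains $parentLeaf          # -contains is case-insensitive
        $tempHit    = $d['Image'] -like '*\AppData\Local\Temp\*'  # mirrors Image|contains
        if ($parentHit -and $tempHit) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Computer    = $e.MachineName
                ParentImage = $d['ParentImage']
                Image       = $d['Image']
                CommandLine = $d['CommandLine']
                User        = $d['User']
                Hashes      = $d['Hashes']   # Sysmon hash string, useful for IOC correlation
            }
        }
    }
}

Find-SuspiciousChildren -Since $Since -ParentNames $ParentNames | Format-List
```

The Hashes field is the quickest way to pivot from one hit to every other host: feed the SHA256 from a confirmed hit back into your EDR or SIEM as an IOC.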
As an MSP, this is a nightmare. We use HWMonitor for quick hardware audits on client servers. I'm pushing a script to remove the compromised binaries and pushing out a clean version via GPO. For anyone needing a temporary alternative, Open Hardware Monitor is open-source and generally safe, though I'd verify the hash from GitHub directly just to be paranoid.
The scary part isn't the RAT; it's the privilege escalation. In my tests, STX RAT attempts a UAC bypass using the fodhelper.exe technique if it detects admin rights. If you ran the trojanized installer as Admin, you're likely fully owned. I'd recommend checking for registry modifications in this path:
reg query "HKCU\Software\Classes\ms-settings\Shell\Open\command"
If that exists and points to a random binary, nuke the host.
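Added example (not the poster's command): the reg query above only sees the hive of whoever is running it. This PowerShell check walks every loaded user hive under HKEY_USERS, looks at both locations where a per-user Classes override can live, and reports the command and DelegateExecute value so you can triage rather than guess. Run it elevated; it only reads.

```powershell
# Added example, not from the original reply. Reports any per-user ms-settings handler
# override (the key the fodhelper technique relies on) across all loaded user hives.

function Get-MsSettingsHandlerOverride {
    $hives = Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue
    foreach ($hive in $hives) {
        $name = $hive.PSChildName
        # HKCU\Software\Classes is a merged view: writes usually land in the <SID>_Classes hive
        # (UsrClass.dat), but the <SID>\Software\Classes path is also possible, so check both.
        if ($name -like '*_Classes') {
            $keyPath = "Registry::HKEY_USERS\$name\ms-settings\Shell\Open\command"
        } else {
            $keyPath = "Registry::HKEY_USERS\$name\Software\Classes\ms-settings\Shell\Open\command"
        }
        if (-not (Test-Path -Path $keyPath)) { continue }

        $props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Hive            = $name
            KeyPath         = $keyPath
            Command         = $props.'(default)'
            DelegateExecute = $props.DelegateExecute
            # This key does not exist on a normal user profile, so its presence alone is the finding.
            Finding         = 'ms-settings handler override present'
        }
    }
}

$hits = @(Get-MsSettingsHandlerOverride)
if ($hits.Count -eq 0) {
    "No ms-settings handler override found in loaded user hives."
} else {
    $hits | Format-List
}
```

Users who are not logged in have no loaded hive, so for a full sweep of a shared machine you would additionally load each NTUSER.DAT/UsrClass.dat offline; the loaded-hive check covers the interactive user that ran the installer.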