CPUID supply chain breach pushed trojanized CPU-Z and HWMonitor for six hours
Attackers compromised a secondary API at CPUID between April 9 and 10, swapping download links on the official site to point at Cloudflare R2-hosted trojanized installers masquerading as HWiNFO. The signed original binaries were untouched, but the distribution layer served poisoned versions of CPU-Z 2.19, HWMonitor 1.63, HWMonitor Pro 1.57, and PerfMonitor 2.04 to users who hit the main download portal during the roughly 19-hour window. CPUID confirmed the breach hit while the lead developer was on holiday.
The payload pairs a legitimate signed executable with a malicious CRYPTBASE.dll loaded via DLL sideloading. Once anti-sandbox checks pass, the loader runs largely in-memory, proxies NTDLL calls from a .NET assembly to dodge EDR hooks, and beacons to a C2 reused from a March campaign that abused a fake FileZilla site. The terminal payload is STX RAT, an infostealer-capable RAT previously documented by eSentire.
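The sideloading pattern described above (a system DLL such as CRYPTBASE.dll dropped beside a legitimately signed executable) is easy to hunt for on disk. The following triage script is an added example, not code from the article or from CPUID: it walks a download or temp directory, flags any folder holding an .exe next to a DLL that should only live under the Windows directory, and compares that DLL's SHA-256 against the hash of the system's own copy. The directory names, file contents and hashes in `build_demo_tree` are constructed sample data.

```python
import hashlib
import os
import tempfile
from pathlib import Path
# System DLLs that belong under %SystemRoot%; the incident abused CRYPTBASE.dll.
SIDELOAD_NAMES = {"cryptbase.dll"}


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def find_sideload_candidates(root, known_good=None, windows_dir=None):
    """Report each directory outside windows_dir holding an .exe beside a DLL named
    like a system DLL; known_good maps lower-case DLL name -> SHA-256 of the real copy."""
    known_good = known_good or {}
    windows_dir = Path(windows_dir or os.environ.get("SystemRoot", r"C:\Windows")).resolve()
    findings = []
    for dirpath, _, files in os.walk(root):
        here = Path(dirpath).resolve()
        if here == windows_dir or windows_dir in here.parents:
            continue  # the OS's own copy is expected under the Windows directory
        by_lower = {f.lower(): f for f in files}
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        if not exes:
            continue  # a lone DLL has no host executable to hijack
        for name in SIDELOAD_NAMES.intersection(by_lower):
            digest = sha256_of(here / by_lower[name])
            expected = known_good.get(name)
            verdict = ("unverified" if expected is None else
                       "matches-system-copy" if digest == expected else "HASH-MISMATCH")
            findings.append({"dir": str(here), "exes": exes, "dll": by_lower[name],
                             "sha256": digest, "verdict": verdict})
    return findings

def build_demo_tree():
    """Constructed sample only: a fake SystemRoot with the 'real' DLL and a downloads
    folder staging an installer beside a tampered copy; returns (root, windir, known_good)."""
    base = Path(tempfile.mkdtemp())
    sys32 = base / "Windows" / "System32"
    sys32.mkdir(parents=True)
    (sys32 / "cryptbase.dll").write_bytes(b"constructed legitimate dll")
    staged = base / "Downloads" / "hwmonitor_1.63"
    staged.mkdir(parents=True)
    (staged / "HWMonitor.exe").write_bytes(b"constructed signed exe")
    (staged / "CRYPTBASE.dll").write_bytes(b"constructed tampered dll")
    return base / "Downloads", base / "Windows", {"cryptbase.dll": sha256_of(sys32 / "cryptbase.dll")}
```

On a real host, populate `known_good` by hashing the DLL under `%SystemRoot%\System32` and point `root` at user download and temp locations; a `HASH-MISMATCH` hit is a candidate for sandbox or signature analysis.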
Kaspersky telemetry shows roughly 150 victims, mostly individuals but including retail, manufacturing, consulting, telecom, and agriculture organizations concentrated in Brazil, Russia, and China. The pattern — a threat actor pivoting between widely trusted sysadmin utilities (FileZilla, then CPUID) by poisoning distribution rather than code — turns the trust users place in official download domains into the actual attack surface.
Continue reading at BleepingComputer. This is an AI-generated summary; read the original for the full story.