Unknown threat actors compromised CPUID’s site (cpuid[.]com) for less than 24 hours to serve malicious CPU-Z and HWMonitor installers, with the campaign running from 9 April 2026, 15:00 UTC to 10 April 2026, 10:00 UTC. The trojanized downloads contained a legitimate signed executable plus a malicious CRYPTBASE[.]dll that performed DLL side-loading and spoke to an external server, while anti-sandbox checks helped evade detection.
The aim was to deploy STX RAT, a remote access Trojan with HVNC and broad infostealer capabilities, and the C2 configuration was reportedly reused from a prior campaign involving fake FileZilla installers. According to Kaspersky, the attack affected more than 150 victims, primarily individuals, with additional impact on organisations in retail, manufacturing, consulting, telecommunications and agriculture across Brazil, Russia and China.
The rogue websites hosting the malicious links were named as cahayailmukreatif.web[.]id, pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev, transitopalermo[.]com and vatrobran[.]hr. The incident was attributed to a breach of a “secondary feature” that caused the main site to display malicious links, though CPUID stated the signed original files were not impacted.
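The side-loading pattern described above (a signed installer shipped with a malicious CRYPTBASE.dll in the same folder) leaves a simple artifact on disk: a copy of a system DLL sitting next to an executable outside the Windows system directories. The following triage script is an added example written for this article; it is not code from CPUID, Kaspersky or the reporting source. It assumes that the legitimate CRYPTBASE.dll lives only under the Windows system directories, and the sample file listing, including the installer file name, is constructed for illustration.

```python
"""Heuristic scan for DLL side-loading candidates such as the CRYPTBASE.dll
dropped beside the trojanized CPU-Z / HWMonitor installers.

Added example, not CPUID's or Kaspersky's code. It works on a plain list of
file paths (constructed inline below) so it runs offline; scan_filesystem()
walks a real directory tree and feeds it to the same heuristic for triage.
"""
import os
from pathlib import PureWindowsPath

# DLL names watched for side-loading. CRYPTBASE.dll is the one named in the
# CPUID incident; extend the set from your own telemetry (constructed list).
SIDELOAD_DLLS = {"cryptbase.dll"}

# Directories where these DLLs legitimately live (assumption; case-insensitive).
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)


def _under_trusted_dir(directory: PureWindowsPath) -> bool:
    """True if `directory` is one of TRUSTED_DIRS or a subdirectory of one."""
    d = str(directory).lower()
    return any(
        d == str(t).lower() or d.startswith(str(t).lower() + "\\")
        for t in TRUSTED_DIRS
    )


def find_sideload_candidates(paths):
    """Return a list of (dll_path, [exe_paths]) for every watched DLL found
    outside the trusted directories, together with the executables in the
    same folder that could load it. Order follows the input listing."""
    by_dir = {}
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir.setdefault(str(wp.parent).lower(), []).append(wp)

    findings = []
    for entries in by_dir.values():
        for wp in entries:
            if wp.name.lower() not in SIDELOAD_DLLS:
                continue
            if _under_trusted_dir(wp.parent):
                continue  # expected location, not a side-loading candidate
            exes = sorted(str(e) for e in entries if e.suffix.lower() == ".exe")
            findings.append((str(wp), exes))
    return findings


def scan_filesystem(root):
    """Walk a real directory tree and run the heuristic over every file in it."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        paths.extend(os.path.join(dirpath, f) for f in files)
    return find_sideload_candidates(paths)


# Constructed sample listing: the legitimate system copy, a downloads folder
# holding an installer with a DLL beside it, and unrelated files.
SAMPLE_PATHS = [
    r"C:\Windows\System32\cryptbase.dll",
    r"C:\Users\alice\Downloads\cpu-z_installer.exe",  # constructed file name
    r"C:\Users\alice\Downloads\CRYPTBASE.dll",
    r"C:\Users\alice\Downloads\readme.txt",
    r"C:\Program Files\Vendor\app.dll",
]

if __name__ == "__main__":
    for dll, exes in find_sideload_candidates(SAMPLE_PATHS):
        print(f"suspicious: {dll} (executables alongside: {', '.join(exes) or 'none'})")
```

The heuristic deliberately keys on location rather than on file hashes, since the page publishes no hashes and a re-signed or recompiled DLL would defeat a hash match anyway; a hit should be followed by checking the DLL's signature and the export table it presents to the executable beside it.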