Threat actors compromised the CPUID website and, for several hours, replaced the download links for CPU-Z and HWMonitor with malicious files, delivering the STX RAT to users who downloaded them. According to Kaspersky, the CPUID site was breached on 9 April 2026 and its installers were redirected to malicious domains for several hours; the attackers used those sites to distribute trojanised downloads that carried a malicious DLL, CRYPTBASE[.]dll, which handled C2 communication, anti-sandbox checks and payload delivery.
Investigations show the attackers reused the infection chain from an earlier campaign, including the C2 address and the configuration embedded in the DLL; the referrer field tended to be a shorthand for CPU-Z. Researchers identified more than 150 victims across multiple sectors, most of them in Brazil, Russia and China, and the attack culminated in the deployment of a sophisticated RAT after multiple staged loaders.
The CPUID incident occurred during a six-hour window beginning around 15:00 UTC on 9 April and ending around 10:00 UTC on 10 April 2026. The issue has since been fixed, and the site's original signed files remained safe. Officials advise inspecting DNS logs and systems for signs of infection.
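One defender-side check that follows from the above, written here as an added example rather than code from the page, Kaspersky or CPUID: hunt for a CRYPTBASE.dll planted next to a CPU-Z or HWMonitor executable (the sideloading pattern described) anywhere outside the Windows system directories where the legitimate copy lives. The host executable names, the scanned root and the constructed sample tree are assumptions.

```python
"""Hunt for a sideloaded CRYPTBASE.dll left behind by a trojanised CPU-Z or
HWMonitor installer. Executable names and sample tree are assumptions."""
import hashlib
import tempfile
from pathlib import Path

TARGET_DLL = "cryptbase.dll"
# Host executables the trojanised installers would drop the DLL beside (assumed).
HOST_EXES = {"cpuz.exe", "cpuz_x64.exe", "hwmonitor.exe", "hwmonitor_x64.exe"}
# Legitimate homes of CRYPTBASE.dll; a copy anywhere else is suspicious.
SYSTEM_DIRS = ("windows/system32", "windows/syswow64")


def sha256_file(path: Path) -> str:
    """Hash the file in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_system_location(path: Path) -> bool:
    return any(d in path.as_posix().lower() for d in SYSTEM_DIRS)


def find_sideloaded_cryptbase(root: Path) -> list[dict]:
    """One finding per CRYPTBASE.dll outside the system directories; a copy
    co-located with a CPU-Z/HWMonitor executable is rated high."""
    findings = []
    for dll in root.rglob("*"):
        if dll.name.lower() != TARGET_DLL or not dll.is_file():
            continue
        if is_system_location(dll):
            continue  # expected location of the genuine Windows DLL
        siblings = {s.name.lower() for s in dll.parent.iterdir() if s.is_file()}
        co_located = sorted(siblings & HOST_EXES)
        findings.append({
            "path": str(dll),
            "sha256": sha256_file(dll),  # compare against vendor-published IoCs
            "host_exes": co_located,
            "severity": "high" if co_located else "medium",
        })
    return findings


if __name__ == "__main__":
    # Constructed sample tree: one planted copy sitting beside cpuz_x64.exe.
    root = Path(tempfile.mkdtemp())
    (root / "Downloads" / "cpuz").mkdir(parents=True)
    (root / "Downloads" / "cpuz" / "cpuz_x64.exe").write_bytes(b"stub-exe")
    (root / "Downloads" / "cpuz" / "CRYPTBASE.dll").write_bytes(b"stub-dll")
    for finding in find_sideloaded_cryptbase(root):
        print(finding)
```

Run it against a user's profile or a download share; a "high" hit is a candidate for isolation and hash comparison, not proof of infection on its own.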