Executive Summary
In April 2026, CPUID's official website was compromised for approximately six hours, leading to the distribution of malware through its popular CPU-Z and HWMonitor tools. Attackers exploited a secondary API to redirect download links to malicious installers, which deployed the STX RAT—a remote access trojan designed to steal browser credentials and other sensitive information. The malware utilized advanced evasion techniques, operating primarily in-memory to bypass standard detection mechanisms. CPUID has since resolved the breach and restored the integrity of its download links.
This incident underscores the growing trend of supply chain attacks targeting widely-used software utilities. The reuse of infrastructure from previous campaigns, such as the FileZilla incident in March 2026, highlights the persistent threat posed by sophisticated threat actors. Organizations and individuals are advised to exercise caution when downloading software, even from trusted sources, and to implement robust security measures to detect and prevent such compromises.
Why This Matters Now
The CPUID breach highlights the increasing prevalence of supply chain attacks targeting widely-used software utilities. The reuse of infrastructure from previous campaigns underscores the persistent threat posed by sophisticated threat actors, emphasizing the need for heightened vigilance and robust security measures.
Attack Path Analysis
Attackers compromised CPUID's website, replacing legitimate CPU-Z and HWMonitor download links with malicious versions containing the STX RAT. Upon execution, the malware established persistence, allowing unauthorized access and control over infected systems. The RAT facilitated lateral movement within networks, enabling attackers to access additional systems. Command and control channels were established to exfiltrate sensitive data. The exfiltrated data was used to compromise user credentials and other sensitive information. The attack disrupted user trust and compromised sensitive data, leading to potential financial and reputational damage.
Kill Chain Progression
Initial Compromise
Description
Attackers compromised CPUID's website, replacing legitimate CPU-Z and HWMonitor download links with malicious versions containing the STX RAT.
MITRE ATT&CK® Techniques
Compromise Software Supply Chain
User Execution: Malicious Link
Command and Scripting Interpreter: PowerShell
Application Layer Protocol: Web Protocols
Obfuscated Files or Information
Process Injection
Ingress Tool Transfer
Valid Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.
Control ID: 6.2
NYDFS 23 NYCRR 500 – Application Security
Control ID: 500.08
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA Zero Trust Maturity Model 2.0 – Implement supply chain risk management practices to ensure the integrity and security of software and hardware components.
Control ID: Supply Chain Risk Management
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply chain attack targeting CPUID's hardware monitoring tools creates significant risk for software developers who rely on CPU-Z and similar utilities for system diagnostics and development workflows.
Computer Hardware
Hardware manufacturers using CPUID tools for system validation and monitoring face STX RAT deployment risks, compromising development environments and potentially affecting product integrity and customer data.
Information Technology/IT
IT departments utilizing CPU-Z and HWMonitor for hardware diagnostics face remote access trojan infections, enabling lateral movement across enterprise networks and potential data exfiltration through compromised monitoring tools.
Computer/Network Security
Security professionals using hardware monitoring tools for system analysis face supply chain compromise risks, highlighting need for enhanced egress filtering and threat detection capabilities to prevent STX RAT deployment.
Sources
- CPUID Breach Distributes STX RAT via Trojanized CPU-Z and HWMonitor Downloadshttps://thehackernews.com/2026/04/cpuid-breach-distributes-stx-rat-via.htmlVerified
- HWMonitor and CPU-Z developer CPUID breached by unknown attackershttps://www.tomshardware.com/tech-industry/cyber-security/hwmonitor-and-cpu-z-developer-cpuid-breached-by-unknown-attackers-cyberattack-forced-users-to-download-malware-instead-of-valid-apps-for-approximately-six-hoursVerified
- CPUID website hacked: users report HWMonitor and CPU-Z delivering malwarehttps://cybernews.com/security/cpuid-hwmonitor-hwinfo-cpuz-deliver-malware/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it embeds security directly into the cloud fabric, potentially limiting the attacker's ability to move laterally and exfiltrate data.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF may have limited the attacker's ability to distribute malicious software by enforcing strict access controls and monitoring traffic patterns.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation would likely have constrained the malware's ability to escalate privileges by enforcing strict identity-based access controls.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security may have restricted the malware's lateral movement by monitoring and controlling internal traffic flows.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control would likely have identified and constrained unauthorized command and control communications.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement may have limited data exfiltration by enforcing strict outbound traffic policies.
The implementation of CNSF controls would likely have reduced the overall impact by limiting the attacker's ability to access and exfiltrate sensitive data.
Impact at a Glance
Affected Business Functions
- Software Distribution
- Customer Trust
- Brand Reputation
Estimated downtime: 1 days
Estimated loss: N/A
Potential exposure of user credentials stored in browsers, particularly Google Chrome.
Recommended Actions
Key Takeaways & Next Steps
- • Implement robust supply chain management practices to ensure the integrity of software distribution channels.
- • Deploy inline intrusion prevention systems (IPS) to detect and block known exploit patterns and malicious payloads.
- • Enforce zero trust segmentation to limit lateral movement within networks.
- • Utilize egress security and policy enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- • Establish multicloud visibility and control to detect and respond to anomalous interactions across cloud environments.
