Malware

CPUID Website Compromised to Distribute Trojanized CPU-Z, HWMonitor, and PerfMonitor Installers

April 13, 2026 10:55 · 5 min read

CPUID Website Weaponized in Watering Hole Attack

The CPUID website — a widely trusted resource in the PC hardware enthusiast community — was recently compromised and configured to deliver malware-laced versions of three of its most popular software utilities: CPU-Z, HWMonitor, and PerfMonitor. These tools are commonly used by both individuals and enterprise IT teams to gather detailed hardware diagnostics. CPU-Z reports information on the processor, motherboard, memory, and graphics; HWMonitor tracks real-time sensor data including voltages, temperatures, and fan speeds; and PerfMonitor is used to analyze processor performance. Combined, these applications have accumulated millions of downloads worldwide.

How the Compromise Worked

According to CPUID's own maintainer, a secondary feature — described as a side API — was the vector through which attackers gained a foothold. Once compromised, this component caused the website to intermittently display links pointing to third-party domains that hosted trojanized builds of CPU-Z, HWMonitor, and PerfMonitor. Importantly, the original software files stored on CPUID's servers were not modified or replaced.

Kaspersky, which independently analyzed the incident as both a supply chain and watering hole attack, found that during the compromise window the CPUID site also served malicious installers for HWMonitor Pro in addition to the three tools the maintainer acknowledged. Attackers distributed both ZIP archives and standalone installer packages. Each package bundled the legitimate software alongside a malicious file named cryptbase.dll, which was loaded onto victim systems through a technique known as DLL sideloading.

STX RAT: The Final Payload

The ultimate objective of the operation was to deploy a recently discovered Windows malware strain designated STX RAT. Once active on a compromised system, STX RAT grants attackers remote control capabilities and enables theft of sensitive data, including:

This remote access trojan represents a significant threat to both private users and organizations that rely on CPUID tools for hardware management and diagnostics.

Timeline Discrepancies and Scope of Infection

The CPUID maintainer stated that the incident began on April 10, with the website remaining compromised for approximately six hours, between 00:00 and 06:00 GMT. However, Kaspersky's telemetry suggests a considerably broader window. According to the security firm, the compromise was active from April 9 at 15:00 GMT through April 10 at 10:00 GMT — roughly 19 hours in total.

Kaspersky identified over 150 victims during this period. While the majority were private individuals, affected organizations spanned multiple sectors including manufacturing, retail, telecommunications, consulting, and agriculture. Geographically, the highest concentrations of infections were observed in Brazil, China, and Russia. The firm acknowledged that its visibility into infections in North America and Europe is limited, meaning actual victim counts could be higher in those regions.

Ties to a Broader, Months-Long Campaign

Researchers at Breakglass Intelligence have connected the CPUID incident to a separate recent attack involving trojanized versions of the FileZilla FTP client. According to Breakglass, the CPUID compromise was not an isolated event but rather part of a coordinated campaign spanning approximately 10 months. The firm believes the threat actor behind the operation is Russian-speaking.

Breakglass also found evidence suggesting that the CPUID attack may have actually begun as early as April 3 — a full week before the date cited by the site's maintainer — further widening the potential exposure window and the number of users who may have unknowingly downloaded trojanized software.

Why This Attack Is Particularly Dangerous

Watering hole attacks targeting trusted utility websites are especially effective because they exploit user trust in well-known, reputable tools. CPUID's software portfolio has accumulated millions of downloads, and many users and IT professionals treat downloads from the official site as inherently safe. The use of DLL sideloading to load cryptbase.dll alongside legitimate software further reduces suspicion, since the installer appears to function normally while silently compromising the host system.

Organizations operating in sectors identified by Kaspersky — including manufacturing, telecoms, and retail — should audit systems for the presence of STX RAT indicators of compromise, especially on machines where CPUID utilities were recently installed or updated. Users who downloaded CPU-Z, HWMonitor, HWMonitor Pro, or PerfMonitor from the CPUID website between approximately April 3 and April 10, 2025, are strongly advised to scan their systems and rotate any credentials that may have been stored in affected browsers or FTP clients.
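A practical way to act on the audit advice above is to sweep a host's file inventory for copies of cryptbase.dll that sit outside the Windows system directories, and to rank highest the copies that share a folder with a CPU-Z, HWMonitor or PerfMonitor executable, since that is the sideloading layout the article describes. The script below is an added example, not code from the article, CPUID or Kaspersky. It assumes the inventory is supplied as plain Windows paths (for instance exported from an EDR or gathered from a mounted disk image), that the system root is `<drive>:\Windows`, and that the CPUID utilities can be recognised by their executable names starting with `cpuz`, `hwmonitor` or `perfmonitor`; the sample inventory is constructed for illustration.

```python
"""Sweep a file inventory for cryptbase.dll copies outside the Windows system
directories, the placement used for DLL sideloading.

Added defender-side example, not code from the article or from CPUID/Kaspersky.
Assumes: Windows-style paths, system root at <drive>:\\Windows, and that CPUID
utilities are recognisable by executable names starting cpuz/hwmonitor/perfmonitor
(a heuristic, not an official file list).
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# cryptbase.dll legitimately lives under System32, SysWOW64 and WinSxS.
# Any drive letter is accepted; trailing "\" or end-of-string avoids matching
# look-alike folders such as "system32evil".
_LEGIT_DIR_RE = re.compile(r"^[a-z]:\\windows\\(system32|syswow64|winsxs)(\\|$)")

# Assumed name prefixes for the CPUID utilities named in the article.
_CPUID_HOST_PREFIXES = ("cpuz", "hwmonitor", "perfmonitor")


@dataclass(frozen=True)
class Finding:
    dll_path: str                   # normalised, lower-cased path of the suspect DLL
    directory: str                  # folder it was found in
    colocated_hosts: tuple[str, ...]  # CPUID-looking executables in that folder
    severity: str                   # "high" if next to a CPUID utility, else "medium"


def _norm(path: str) -> str:
    """Normalise separators and case so comparisons are stable."""
    return ntpath.normpath(path).lower()


def _is_legit_location(directory: str) -> bool:
    return _LEGIT_DIR_RE.match(directory) is not None


def _looks_like_cpuid_host(filename: str) -> bool:
    stem, ext = ntpath.splitext(filename)
    return ext == ".exe" and stem.startswith(_CPUID_HOST_PREFIXES)


def find_sideload_candidates(inventory: list[str], dll_name: str = "cryptbase.dll") -> list[Finding]:
    """Return suspect copies of dll_name, highest severity first."""
    # Group the inventory by folder so each DLL can be judged by its neighbours.
    by_dir: dict[str, list[str]] = {}
    for raw in inventory:
        directory, filename = ntpath.split(_norm(raw))
        by_dir.setdefault(directory, []).append(filename)

    findings: list[Finding] = []
    for directory, files in by_dir.items():
        if dll_name not in files or _is_legit_location(directory):
            continue
        hosts = tuple(sorted(f for f in files if _looks_like_cpuid_host(f)))
        findings.append(Finding(
            dll_path=ntpath.join(directory, dll_name),
            directory=directory,
            colocated_hosts=hosts,
            severity="high" if hosts else "medium",
        ))
    return sorted(findings, key=lambda f: (f.severity != "high", f.dll_path))


# Constructed sample inventory; not real telemetry from the incident.
SAMPLE_INVENTORY = [
    r"C:\Windows\System32\cryptbase.dll",
    r"C:\Windows\SysWOW64\cryptbase.dll",
    r"C:\Windows\WinSxS\amd64_example_10.0.1\cryptbase.dll",
    r"C:\Users\alice\Downloads\cpu-z_2.x\cpuz_x64.exe",
    r"C:\Users\alice\Downloads\cpu-z_2.x\cryptbase.dll",
    r"C:\Users\alice\Downloads\cpu-z_2.x\readme.txt",
    r"D:\tools\hwmonitor\HWMonitor_x64.exe",
    r"D:\tools\hwmonitor\cryptbase.dll",
    r"C:\Users\bob\AppData\Local\Temp\build\cryptbase.dll",
    r"C:\Program Files\Notepad++\notepad++.exe",
]


if __name__ == "__main__":
    for finding in find_sideload_candidates(SAMPLE_INVENTORY):
        hosts = ", ".join(finding.colocated_hosts) or "(none)"
        print(f"[{finding.severity.upper()}] {finding.dll_path}  next to: {hosts}")
```

Run against the constructed inventory, the sweep reports the two Downloads and D:\tools copies as high severity because a CPU-Z or HWMonitor executable sits beside them, and the stray copy in a Temp folder as medium; the three system-directory copies are ignored. A hit is a lead for hash comparison and reimaging decisions, not proof of infection, since a legitimately signed cryptbase.dll can be copied anywhere; the point is that the legitimate file has no reason to be next to a hardware utility.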


Source: SecurityWeek