Hacked CPUID exposes how a hardware tool download can install a remote RAT

4 min read

If you usually download tools like CPU-Z or HWMonitor to monitor your computer's performance, you should know that the official CPUID site (cpuid.com) was manipulated by attackers for less than 24 hours to serve malicious installers. According to the company itself, the intrusion abused a secondary function of the site and caused legitimate download links to be replaced by redirects to fake sites hosting compromised files.

The incident took place between 9 and 10 April and, although the original signed installers remained intact, some download links pointed to pages controlled by the attackers. Security researchers, including Kaspersky, and incident response teams tracked the addresses involved and the infection chain, and confirmed that the attackers were distributing executables accompanied by a malicious DLL named CRYPTBASE.dll, abusing a technique known as DLL side-loading.


In simple terms, the mechanism worked like this: next to the legitimate executable of the trojanized software sat a malicious DLL carrying the name of a library the program expects to load, so the program picked it up instead of the genuine one without noticing. That DLL communicated with external servers, ran checks to avoid sandboxes and, if it found favourable conditions, deployed additional payloads. The ultimate goal of the campaign was to install a remote access Trojan called STX RAT, a malware family with information theft, remote control and in-memory payload execution capabilities.

STX RAT is no toy: it includes functions to create a hidden remote desktop session (HVNC), run binaries or code in memory, establish reverse tunnels or proxies and interact directly with the user's screen. This flexibility makes it a powerful tool to extract credentials, move laterally through networks and control compromised machines. Security analysts at eSentire have documented the capabilities and commands this family offers its operators.

The striking thing about this campaign, according to the reports, is that the operators reused infrastructure and configurations from a previous operation in which trojanized FileZilla installers were distributed to deploy the same RAT. That operational mistake let detection teams identify and attribute the new intrusion faster: signatures and domains used previously reappeared in communications with the command-and-control servers, which made it possible to link the incidents.

The security companies that analysed the case have identified more than 150 victims, mostly home users, although organizations in sectors such as retail, manufacturing, consulting, telecommunications and agriculture were also affected. Geographically, most infections were concentrated in Brazil, Russia and China. That the attack targeted hardware-tool installers, software widely used by technicians and enthusiasts, underlines the risk posed by centralized download resources in the software supply chain.

What can users and administrators do about such threats? First, check the source of the installers: always download from official sites and, where possible, verify hashes or code signatures. Although in this case the original signatures were not altered, the presence of additional files next to the legitimate executable is a warning sign; a validly signed installer says nothing about an unsigned DLL dropped beside it. Security solutions with network telemetry and behaviour detection capabilities also help to identify suspicious communications to command-and-control domains.
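As an added example (not code from CPUID, Kaspersky or any other party named in this article), the Python script below performs the two checks just described on a download folder: it flags any DLL that carries the name of a Windows system library and sits next to an installer, which is the side-loading pattern behind the CRYPTBASE.dll trick, and it compares the installer's SHA-256 with a hash the user is assumed to have copied from the vendor's page. The sample folder, its file contents, the list of commonly side-loaded DLL names and the "published" hash are all constructed for the demonstration; the list is illustrative, not an authoritative KnownDLLs list.

```python
"""Scan a download folder for DLL side-loading bait next to an installer.

Added example, not code from CPUID or any vendor. A throwaway directory
(constructed sample data) mimics what a victim would have had: a
legitimate-looking installer plus a rogue CRYPTBASE.dll beside it.
"""
import hashlib
import tempfile
from pathlib import Path

# Windows system DLLs that are frequently side-loaded because the loader
# consults the application directory before System32 for names that are not
# protected by KnownDLLs. Illustrative assumption, not an exhaustive list.
COMMON_SIDELOAD_NAMES = {
    "cryptbase.dll", "version.dll", "dbghelp.dll", "wtsapi32.dll",
    "profapi.dll", "userenv.dll", "cryptsp.dll", "msimg32.dll",
}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large installers do not need RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_candidates(folder: Path) -> list[dict]:
    """Return every DLL that sits beside an EXE and carries a system-DLL name.

    Such a file is resolved before the genuine copy in the system directory,
    so even a correctly signed installer will load it.
    """
    findings = []
    exes = [p for p in folder.iterdir() if p.suffix.lower() == ".exe"]
    if not exes:
        return findings
    for p in folder.iterdir():
        if p.suffix.lower() == ".dll" and p.name.lower() in COMMON_SIDELOAD_NAMES:
            findings.append({
                "dll": p.name,
                "beside": sorted(e.name for e in exes),
                "sha256": sha256_of(p),
                "reason": "system DLL name in application directory (side-loading bait)",
            })
    return findings


def verify_installer(path: Path, expected_sha256: str) -> bool:
    """Compare the installer's SHA-256 with the hash published by the vendor."""
    return sha256_of(path) == expected_sha256.strip().lower()


def build_sample_download_dir() -> Path:
    """Constructed sample: plain bytes standing in for files, not real malware."""
    d = Path(tempfile.mkdtemp(prefix="cpuid_sample_"))
    (d / "cpuz_setup.exe").write_bytes(b"MZ" + b"legit installer stand-in" * 10)
    (d / "CRYPTBASE.dll").write_bytes(b"MZ" + b"rogue dll stand-in" * 10)
    (d / "README.txt").write_text("unpacked from the fake download page")
    return d


if __name__ == "__main__":
    sample = build_sample_download_dir()
    # The hash a user would copy from the vendor's download page; computed from
    # the stand-in file here so the example runs offline.
    published = sha256_of(sample / "cpuz_setup.exe")
    print("installer matches published hash:",
          verify_installer(sample / "cpuz_setup.exe", published))
    for finding in find_sideload_candidates(sample):
        print("ALERT:", finding)
```

Run it against a real download folder by replacing the sample directory with the path to inspect; the hash check tells you the installer is the vendor's, the directory scan tells you whether something else has been parked next to it, and both are needed because the first check alone passed in this incident.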


Organizational defence practices should include binary integrity control, restricted execution policies, network segmentation and monitoring of outbound connections to detect attempts to reach malicious servers. For those who run download portals, the lesson is clear: "secondary" or auxiliary API functions require the same security scrutiny as the core of the service, because a failure in them can serve as a vector for watering-hole attacks that affect thousands of users.
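To show what the outbound-connection monitoring above looks like in practice, here is an added Python example (not a detection rule from any of the vendors cited) that correlates two kinds of endpoint telemetry: image-load events, where a system-DLL name is loaded from a user-writable path, and network-connect events from the same process to an indicator domain or a public address. The event dictionaries use Sysmon field names (EventID 7 for image loads, EventID 3 for network connections) but the values, the process IDs and the IOC domain list are constructed; replace the placeholder domains with the indicators published by the investigating vendors.

```python
"""Correlate DLL side-loading with outbound beaconing in endpoint telemetry.

Added example, not a vendor rule. Field names follow Sysmon; the records,
PIDs and IOC domains are invented for the demonstration.
"""
import ipaddress
from collections import defaultdict

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SIDELOAD_NAMES = {"cryptbase.dll", "version.dll", "dbghelp.dll", "wtsapi32.dll"}

# Placeholder IOC list (reserved .invalid TLD), not indicators from the incident.
IOC_DOMAINS = {"updates-cdn.example.invalid", "cpu-z-mirror.example.invalid"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_system_path(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def is_sideload(event: dict) -> bool:
    """Event 7: a system-DLL name loaded from outside the system directories."""
    if event.get("EventID") != 7:
        return False
    loaded = event.get("ImageLoaded", "")
    return _basename(loaded) in SIDELOAD_NAMES and not is_system_path(loaded)


def is_suspicious_egress(event: dict) -> bool:
    """Event 3: outbound connection to an IOC domain or to any public address.

    A hardware monitoring tool has no reason to talk to the internet, so any
    public destination from it is worth a look even without an IOC match.
    """
    if event.get("EventID") != 3 or not event.get("Initiated", True):
        return False
    host = (event.get("DestinationHostname") or "").lower().rstrip(".")
    if host in IOC_DOMAINS:
        return True
    try:
        ip = ipaddress.ip_address(event.get("DestinationIp", ""))
    except ValueError:
        return False
    return ip.is_global


def correlate(events: list[dict]) -> list[dict]:
    """One alert per process: high severity when it both side-loaded a DLL and
    reached out, medium when only one of the two behaviours was seen."""
    by_pid = defaultdict(lambda: {"sideload": [], "egress": []})
    for e in events:
        if is_sideload(e):
            by_pid[e["ProcessId"]]["sideload"].append(e["ImageLoaded"])
        elif is_suspicious_egress(e):
            by_pid[e["ProcessId"]]["egress"].append(
                e.get("DestinationHostname") or e.get("DestinationIp"))
    alerts = []
    for pid, seen in sorted(by_pid.items()):
        severity = "high" if seen["sideload"] and seen["egress"] else "medium"
        alerts.append({"pid": pid, "severity": severity, **seen})
    return alerts


SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Users\ana\Downloads\cpuz_setup.exe"},
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Users\ana\Downloads\cpuz_setup.exe",
     "ImageLoaded": r"C:\Users\ana\Downloads\CRYPTBASE.dll"},
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Users\ana\Downloads\cpuz_setup.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 3, "ProcessId": 4120, "Initiated": True,
     "DestinationHostname": "updates-cdn.example.invalid", "DestinationIp": "203.0.113.10"},
    # Benign: explorer loading the genuine cryptbase.dll and talking to a LAN host.
    {"EventID": 7, "ProcessId": 880, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll"},
    {"EventID": 3, "ProcessId": 880, "Initiated": True,
     "DestinationHostname": "", "DestinationIp": "10.0.0.5"},
]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The genuine cryptbase.dll loaded by explorer from System32 is deliberately left unflagged: the signal is the system-DLL name appearing under a user profile, not the name itself, and the process-level correlation is what turns two weak signals into one actionable alert.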

If you want to read the technical analyses and official statements, look at the pages of the main parties that investigated the case: CPUID itself (statements on X and on its own website), the Kaspersky reports (kaspersky.com), the Malwarebytes follow-up (malwarebytes.com), the response analyses by specialized companies such as eSentire, and the technology outlets that covered the story (BleepingComputer). Consulting these sources will give you a deeper and more technical picture if you need it.

In short, this case is a reminder that even well-known portals can become infection vectors if not all of their layers are protected. The good news is that the attackers' reuse of infrastructure made them easier to detect; the bad news is that DLL side-loading and RATs like STX remain real and effective threats. Keeping software up to date, validating downloads and combining perimeter defences with integrity controls remains the best strategy to reduce risk.
