CPUID installers delivered STX RAT
CPUID's official download flow redirected HWMonitor and CPU-Z users to attacker infrastructure. A trojanized HWMonitor 1.63 package sideloaded a malicious cryptbase.dll that unpacked STX RAT in memory.
Story
The CPUID compromise hit a small but valuable habit: administrators downloading trusted diagnostic tools. On April 9, 2026, users following CPUID's official HWMonitor download path could be redirected away from the expected file and toward an attacker-controlled Cloudflare R2 object.
CPUID later acknowledged that a secondary API had been breached for roughly six hours. The signed original files were not reported compromised. Instead, the download selection path sent a random subset of users to malicious packages, with HWMonitor 1.63 confirmed and CPU-Z also reported affected.
The HWMonitor package carried a rogue cryptbase.dll beside the legitimate 64-bit executable. When HWMonitor_x64.exe started, the Windows DLL search order resolved cryptbase.dll from the application directory ahead of the system copy, so the malicious DLL ran inside the trusted process. The loader then unpacked several in-memory stages using reflective PE loading, XOR decryption, and bitwise transforms.
The final payload matched STX RAT, a remote access trojan with infostealer capability. Cyderes reported campaign tags and referrer values that separated HWMonitor traffic from CPU-Z traffic, which points to a maintained operation aimed at high-value technical users rather than an opportunistic drive-by download.
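The sideload pattern above is easy to hunt for on an endpoint: a system DLL name sitting in an application directory beside the executable that loads it. As an added example (not code from CPUID, Cyderes, or the public report), the script below scans a directory for two independent signals, a SHA-256 match against the hashes listed in this record and a cryptbase.dll placed beside HWMonitor_x64.exe. The sample directory it builds is constructed from placeholder bytes, not real malware, and the rule that a copy of cryptbase.dll outside System32 is a sideload candidate is an assumption made for the example.

```python
"""Added example: flag a cryptbase.dll sideload candidate beside HWMonitor_x64.exe
and compare file hashes against the indicators from this record."""
import hashlib
import os
import tempfile

# SHA-256 values copied from the Indicators section of this record.
KNOWN_BAD_SHA256 = {
    "a27df06c7167eced1ddaeb8adccaa5f60500f52bc7030389eed2a0903cdf8286": "cryptbase.dll (loader)",
    "02db6764d1f13b837b0a525e5931bdbc67e7a2a4d071e849c7e087255d4a2d5b": "HWMonitor_x64.exe (trojanized package)",
    "eefc0f986dd3ea376a4a54f80ce0dc3e6491165aefdd7d5d6005da3892ce248f": "HWiNFO_Monitor_Setup.exe",
}

# Assumption for this example: a DLL with this system-library name living in an
# application directory (rather than System32) is a sideload candidate whatever
# its hash, because a clean HWMonitor package has no reason to ship it.
SIDELOAD_NAMES = {"cryptbase.dll"}


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_app_dir(app_dir, exe_name="HWMonitor_x64.exe", ioc_hashes=KNOWN_BAD_SHA256):
    """Return a list of (filename, reason) findings for app_dir.

    Check 1: the file's hash is a known indicator.
    Check 2: a system DLL name sits beside the loading executable, which is the
             search-order sideload layout described in the write-up.
    """
    findings = []
    names = set(os.listdir(app_dir))
    for name in sorted(names):
        path = os.path.join(app_dir, name)
        if not os.path.isfile(path):
            continue
        digest = sha256_of(path)
        if digest in ioc_hashes:
            findings.append((name, "sha256 matches IOC: " + ioc_hashes[digest]))
        if name.lower() in SIDELOAD_NAMES and exe_name in names:
            findings.append((name, "system DLL beside %s: sideload candidate" % exe_name))
    return findings


def demo():
    """Build a constructed directory (placeholder bytes, not real malware) and scan it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "HWMonitor_x64.exe"), "wb") as f:
            f.write(b"MZ constructed placeholder, not the real binary")
        with open(os.path.join(d, "cryptbase.dll"), "wb") as f:
            f.write(b"MZ constructed placeholder, not the real loader")
        # The placeholder DLL's digest is added to a copy of the IOC set so the
        # hash path is exercised; the real hashes stay in KNOWN_BAD_SHA256.
        iocs = dict(KNOWN_BAD_SHA256)
        iocs[sha256_of(os.path.join(d, "cryptbase.dll"))] = "constructed sample"
        return scan_app_dir(d, ioc_hashes=iocs)


if __name__ == "__main__":
    for name, reason in demo():
        print(name, "->", reason)
```

Run against a real install directory with `scan_app_dir(r"C:\Program Files\CPUID\HWMonitor")`; the name check fires even for a repacked loader whose hash is not yet on any list, which is the check a responder wants first.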
Affected Artifacts
- HWMonitor
  - Observed: 2026-04-09 to 2026-04-10
  - Compromised Versions: 1.63 (the version confirmed in the public report)
  - Fixed: Not listed
  - The public report identifies HWMonitor 1.63 as one of the redirected official download targets; component and stage hashes are recorded as named indicators.
  - Cyderes reported that the malicious DLL was sideloaded only by the 64-bit HWMonitor executable.
- CPU-Z
  - Observed: 2026-04-09 to 2026-04-10
  - Compromised Versions: Unknown
  - Fixed: Not listed
  - The public report names CPU-Z as an affected official download target, but this record does not yet contain a precise CPU-Z version.
  - Cyderes reported CPU-Z traffic under the referrer value CPZ, but public reporting did not provide a CPU-Z artifact hash in text.
Incident Context
- Motive: Credential Theft, Remote Access
- Cause: Compromised Infrastructure
- Transitive: No
Indicators
- family: STX RAT
- domain: welcome.supp0v3.com
- url: https://welcome.supp0v3.com/d/callback
- url: http://pub-fd67c956bf8548b7b2cc23bb3774ff0c.r2.dev/hwmonitor_1.63.zip
- url: http://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/hwmonitor/HWiNFO_Monitor_Setup.exe
- file: cryptbase.dll
- file: HWMonitor_x64.exe
- file: HWiNFO_Monitor_Setup.exe
- campaign_tag: tbs
- campaign_tag: tbs2
- campaign_tag: tbs3
- campaign_tag: snip
- observable: referrer monitor3 identified HWMonitor traffic.
- observable: referrer CPZ identified CPU-Z traffic.
- observable: Only the 64-bit HWMonitor execution path was reported affected by DLL sideloading.
- file_sha256: HWMonitor_x64.exe 02db6764d1f13b837b0a525e5931bdbc67e7a2a4d071e849c7e087255d4a2d5b
- file_sha256: cryptbase.dll a27df06c7167eced1ddaeb8adccaa5f60500f52bc7030389eed2a0903cdf8286
- file_sha256: stage2 1331f19c6732fca81f32c4cec9f89abf26371ed9d3665954f491c89e2c55e5bb
- file_sha256: stage3 116d806a5ca6f34fdd04061499daca9a352feb2e3f291c7ef3e5d470fe875f7f
- file_sha256: stage4 a70645f46eee6d765c54ba4a5c48166bd83bcfbc7771a82be9ed48ab4871ebfa
- file_sha256: stx-rat 52862b538459c8faaf89cf2b5d79c2f0030f79f80a68f93d65ec91f046f05be6
- file_sha256: HWiNFO_Monitor_Setup.exe eefc0f986dd3ea376a4a54f80ce0dc3e6491165aefdd7d5d6005da3892ce248f
External References
Source record: proprietary/cpuid-hwmonitor/meta.yaml