Unknown attackers compromised the official website of CPUID, a well-known provider of hardware diagnostic software, for nearly 19 hours this week. The breach allowed the threat actors to distribute trojanized versions of popular system monitoring utilities, including CPU-Z and HWMonitor, which then installed a remote access trojan on victims’ computers.
The incident occurred between approximately 15:00 UTC on April 9 and 10:00 UTC on April 10. During this window, visitors who downloaded software from the legitimate cpuid[.]com domain received malicious installers instead of the authentic tools. These compromised files deployed a piece of malware identified as STX RAT, a remote access trojan that gives its operator interactive control of the infected system.
Scope and Impact of the Attack
The affected website hosts several widely used applications for PC enthusiasts and professionals. CPU-Z is a system information tool that details processor, motherboard, and memory specifications. HWMonitor and its professional variant read hardware sensor data, such as temperatures and voltages. PerfMonitor, another CPUID application, was also implicated in the supply-chain attack.
Security researchers analyzing the incident confirmed that the threat actors replaced the genuine software installers with malicious executables. Users who downloaded and ran these files during the breach period inadvertently infected their own machines. The STX RAT malware provides capabilities for file theft, screen capture, keylogging, and executing arbitrary commands, posing a significant security and privacy risk.
Detection and Response
The compromise was detected and reported by cybersecurity firms monitoring software supply chains. CPUID, the company behind the tools, took the website offline to remediate the issue once notified. The company has since restored service with clean, legitimate software downloads available.
In a statement, the company confirmed the temporary breach and advised users who downloaded software during the specified timeframe to run security scans. They recommended checking file hashes against known good versions listed on their official forums and downloading fresh copies directly from the now-secured website.
Background on Supply-Chain Attacks
This incident represents a classic software supply-chain attack, where attackers infiltrate a trusted source to distribute malware. By compromising a legitimate website frequented by a technical audience, the threat actors increased the likelihood of successful infections. Such attacks are particularly effective because they exploit the inherent trust users place in established software vendors and their distribution channels.
Security experts note that developers and IT professionals are often targeted through these means, as they frequently download and install diagnostic and utility software. The tools compromised in this attack are commonly used for system troubleshooting, overclocking, and hardware validation, making them appealing vectors.
Security Recommendations for Users
Cybersecurity professionals advise users who may have been affected to update their antivirus software and perform full system scans. Because a remote access trojan with keylogging and file-theft capabilities may already have captured passwords and session tokens used on the machine, those credentials should also be rotated from a known-clean device. They also recommend verifying the digital signatures of downloaded software whenever possible; a valid Authenticode signature from the expected publisher is a stronger check than a hash list, since a hash list published on the same site that was compromised could itself have been tampered with. For future protection, users should consider using software repositories or package managers when available, as these often include integrity checks.
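The two checks recommended above, comparing file hashes against a known-good list and verifying digital signatures, can be combined in one pass over a Downloads folder. The script below is an added example, not tooling from CPUID or from the security firms that reported the breach. It assumes a manifest file in the common `<sha256>  <filename>` format, filled in by the user with hashes obtained out of band (for example, copied from CPUID's forum thread), and it assumes the expected signer's certificate subject contains the string given in `$ExpectedSigner`; both the manifest path and that string are placeholders to adjust.

```powershell
# Added example: verify installers downloaded from cpuid.com against an
# out-of-band SHA-256 manifest and check their Authenticode signatures.
# Not CPUID's own tooling. Manifest path, download directory and the
# expected signer substring are assumptions to be adjusted by the reader.
#
# Assumed manifest format (one entry per line, as sha256sum prints it):
#   <64 hex chars>  <filename>
param(
    [string]$DownloadDir    = "$env:USERPROFILE\Downloads",
    [string]$Manifest       = ".\known_good.txt",
    [string]$ExpectedSigner = "CPUID"   # assumption: substring of the signer's Subject
)

# Parse the manifest into filename -> hash (normalised to lower case).
$knownGood = @{}
foreach ($line in Get-Content -Path $Manifest) {
    if ($line -match '^\s*([0-9A-Fa-f]{64})\s+\*?(.+?)\s*$') {
        $knownGood[$Matches[2].ToLower()] = $Matches[1].ToLower()
    }
}

Get-ChildItem -Path $DownloadDir -Filter *.exe -File | ForEach-Object {
    $file = $_
    $name = $file.Name.ToLower()
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash.ToLower()

    # Check 1: hash against the out-of-band manifest. A file the manifest does
    # not list is reported separately so it is not silently treated as good.
    if (-not $knownGood.ContainsKey($name)) {
        $hashStatus = 'NOT-IN-MANIFEST'
    } elseif ($knownGood[$name] -eq $hash) {
        $hashStatus = 'MATCH'
    } else {
        $hashStatus = 'MISMATCH'
    }

    # Check 2: Authenticode. A replaced installer is typically unsigned or
    # signed by a different subject, so 'Valid' alone is not enough; the
    # signer's subject must also be the one expected.
    $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $sigOk  = ($sig.Status -eq 'Valid') -and ($signer -like "*$ExpectedSigner*")

    [pscustomobject]@{
        File      = $file.Name
        SHA256    = $hash
        HashCheck = $hashStatus
        SigStatus = $sig.Status
        Signer    = $signer
        Verdict   = if ($hashStatus -eq 'MATCH' -and $sigOk) { 'OK' } else { 'SUSPECT - do not run' }
    }
} | Format-Table -AutoSize
```

Run it before executing anything downloaded during the breach window. A `MISMATCH` or a signature status other than `Valid` from the expected signer means the file should be deleted and re-downloaded; if it was already executed, treat the machine as compromised rather than merely re-scanning it.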
Organizations are encouraged to enforce application allow-listing policies and network monitoring to detect unusual outbound connections indicative of a remote access trojan. Individual users should remain cautious even when downloading from familiar websites and maintain regular, offline backups of critical data.
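The outbound-connection monitoring suggested above can be started from a single host before any indicators of compromise are published. The script below is an added example, not part of the original report and not based on any published STX RAT indicators; it is generic triage that lists established outbound TCP connections, resolves the owning process, and flags processes whose image is unsigned or runs from a user-writable location, both common traits of a freshly dropped RAT. The set of "user-writable" path prefixes is an assumption and should be extended for the environment; run it from an elevated prompt so that all processes can be inspected.

```powershell
# Added example: triage established outbound connections on a Windows host
# after a suspected RAT infection. Generic checks only; no STX RAT-specific
# indicators are public in the report this accompanies. The user-writable
# path prefixes below are an assumption for illustration.

# Ignore loopback and unspecified addresses; keep everything else as "outbound".
$connections = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' }

# Resolve each owning PID once: image path, signature status, location.
$byPid = @{}
foreach ($c in $connections) {
    $procId = $c.OwningProcess
    if ($byPid.ContainsKey($procId)) { continue }

    $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $path = if ($proc) { $proc.Path } else { $null }

    $sigStatus = 'unknown'          # e.g. process already exited, or access denied
    if ($path) { $sigStatus = (Get-AuthenticodeSignature -FilePath $path).Status }

    # Assumed user-writable prefixes: a RAT dropped by an installer run as the
    # user usually lands somewhere the user can write without elevation.
    $userWritable = [bool]$path -and (
        $path -like "$env:USERPROFILE\*" -or $path -like "$env:TEMP\*"
    )

    $byPid[$procId] = [pscustomobject]@{
        ProcessName  = if ($proc) { $proc.ProcessName } else { '<exited>' }
        Path         = $path
        Signature    = $sigStatus
        UserWritable = $userWritable
    }
}

# One row per connection; anything unsigned or running from a user-writable
# path is marked REVIEW so it sorts to the top.
$connections | ForEach-Object {
    $info = $byPid[$_.OwningProcess]
    [pscustomobject]@{
        Process      = $info.ProcessName
        PID          = $_.OwningProcess
        Remote       = "$($_.RemoteAddress):$($_.RemotePort)"
        Path         = $info.Path
        Signature    = $info.Signature
        UserWritable = $info.UserWritable
        Flag         = if ($info.Signature -ne 'Valid' -or $info.UserWritable) { 'REVIEW' } else { '' }
    }
} | Sort-Object Flag -Descending | Format-Table -AutoSize
```

A `REVIEW` flag is a prompt to investigate, not a verdict: some legitimate software is unsigned or runs from a profile directory, and a RAT can also inject into a signed, trusted process. Pair the host-side view with egress logs from the network perimeter, and once security firms publish command-and-control indicators for STX RAT, match the `Remote` column against them.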
The investigation into the breach is ongoing, with cybersecurity analysts and law enforcement likely working to identify the perpetrators. Further technical details about the STX RAT’s command and control infrastructure and the initial compromise vector are expected to be published by security firms in the coming days. Users and organizations should monitor official channels from CPUID and trusted security vendors for any additional guidance or indicators of compromise.
Source: Based on security researcher reports and company statements.