CPUID Website Was Briefly Compromised to Spread Remote Access Trojan

Threat actors compromised the CPUID site for less than 24 hours, deploying a remote access trojan.

Unknown threat actors recently compromised the CPUID website (“cpuid[.]com”), known for distributing popular hardware monitoring software such as CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor. The site’s infiltration, which lasted under 24 hours, served as a delivery channel for malicious executables and a remote access trojan (RAT) known as STX RAT.

The CPUID Breach Window Was Narrow but Dangerous

The compromise ran from approximately April 9 at 15:00 UTC to April 10 at 10:00 UTC. During this brief period, the integrity of downloadable executables on the site was undermined, leaving users who visited and downloaded software during that window at serious risk. Visitors could unknowingly install malware disguised as legitimate, well-known hardware monitoring tools — software that many users trust and regularly download for system diagnostics and performance tracking.

Attackers Replaced Legitimate Files With Trojanized Executables

To carry out the attack, the threat actors replaced genuine executable files hosted on CPUID’s site with versions containing the STX RAT payload. This approach allowed the attackers to piggyback on the credibility of the platform and its widely used tools. STX RAT is a remote access trojan capable of giving attackers covert, unauthorized access to compromised systems, enabling data theft, surveillance, and persistent control over infected machines — all without the victim’s knowledge.

Users Who Downloaded Software During the Attack Are at Risk

Any user who downloaded software from the CPUID website between April 9 at 15:00 UTC and April 10 at 10:00 UTC may have been exposed. Those users could have inadvertently granted threat actors full remote access to their systems. Security researchers recommend that anyone who downloaded CPUID software during that timeframe immediately scan their systems for signs of infection, look for unusual processes or network connections, and consider re-imaging affected machines if a compromise is confirmed.

Organizations Should Reassess Their Software Download Practices

This incident highlights the continued threat posed by supply chain and website compromise attacks, where trusted platforms become vectors for malware distribution. Even a window of less than 24 hours is more than enough time for widespread impact, particularly when the targeted website distributes popular tools with a large and active user base. Organizations and individuals should verify the integrity of downloaded executables using checksums where available, rely on official vendor communications for software updates, and maintain endpoint detection capabilities that can flag trojanized binaries before execution.
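The two recommendations above (triage downloads made inside the window, and verify executables against vendor checksums) can be combined into a single triage routine. The following is an added example, not tooling from CPUID or from the researchers quoted in the article. It assumes that a SHA-256 reference list is available from an out-of-band vendor channel (the `KNOWN_GOOD` entries below are constructed stand-ins, not real CPUID hashes), and it assumes a calendar year, since the article gives only the month and day of the compromise window.

```python
"""Triage downloaded CPUID installers against a checksum list and the
compromise window reported in the article (April 9 15:00 UTC to
April 10 10:00 UTC).

Added example, not CPUID tooling. Reference hashes are constructed
stand-ins and the year is an assumption.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Optional

YEAR = 2025  # assumption: the article states only "April 9" and "April 10"
WINDOW_START = datetime(YEAR, 4, 9, 15, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(YEAR, 4, 10, 10, 0, tzinfo=timezone.utc)

# Constructed stand-in for a vendor-published SHA-256 list (filename -> hex
# digest). Real values must come from an out-of-band channel (vendor
# advisory, signed release notes), never from the page that may have been
# tampered with.
KNOWN_GOOD = {
    "cpu-z_setup.exe": hashlib.sha256(b"constructed genuine CPU-Z installer").hexdigest(),
    "hwmonitor_setup.exe": hashlib.sha256(b"constructed genuine HWMonitor installer").hexdigest(),
}


@dataclass
class Verdict:
    filename: str
    in_window: bool
    hash_matches: Optional[bool]  # None when no reference hash is available
    action: str                   # VERIFIED | QUARANTINE | DO_NOT_RUN | NEEDS_REFERENCE


def at(month: int, day: int, hour: int, minute: int = 0, utc_offset_hours: int = 0) -> datetime:
    """Build a timezone-aware timestamp in the assumed year."""
    return datetime(YEAR, month, day, hour, minute,
                    tzinfo=timezone(timedelta(hours=utc_offset_hours)))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def in_compromise_window(downloaded_at: datetime) -> bool:
    """True if the download time falls inside the published window (inclusive).
    Naive timestamps are rejected: a missing zone silently shifts the boundary."""
    if downloaded_at.tzinfo is None:
        raise ValueError("downloaded_at must be timezone-aware")
    ts = downloaded_at.astimezone(timezone.utc)
    return WINDOW_START <= ts <= WINDOW_END


def triage(filename: str, content: bytes, downloaded_at: datetime,
           known_good: dict = KNOWN_GOOD) -> Verdict:
    window = in_compromise_window(downloaded_at)
    expected = known_good.get(filename)
    if expected is None:
        match = None
    else:
        # Constant-time comparison is the right habit wherever digests are compared.
        match = hmac.compare_digest(sha256_hex(content), expected)

    if match is True:
        action = "VERIFIED"          # matches an out-of-band reference hash
    elif match is False:
        action = "QUARANTINE"        # tampered, regardless of when it was fetched
    elif window:
        action = "DO_NOT_RUN"        # unverifiable and fetched inside the window
    else:
        action = "NEEDS_REFERENCE"   # outside the window, but still unverified
    return Verdict(filename, window, match, action)


def triage_path(path: Path, downloaded_at: datetime) -> Verdict:
    """Same check for an on-disk file. The caller supplies the download time
    (browser history, proxy logs); filesystem timestamps are unreliable across
    copies and timezones."""
    return triage(path.name, path.read_bytes(), downloaded_at)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "cpu-z_setup.exe"
        good.write_bytes(b"constructed genuine CPU-Z installer")
        bad = Path(d) / "hwmonitor_setup.exe"
        bad.write_bytes(b"constructed trojanized HWMonitor installer")
        for p in (good, bad):
            print(triage_path(p, at(4, 9, 18, 30)))
```

A checksum mismatch is treated as a compromise indicator at any time, not only inside the window, because the article's window is approximate and a tampered binary is tampered whenever it was fetched. Files with no reference hash that were fetched inside the window fall into the "do not run; scan and consider re-imaging if already executed" category the article describes.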
