CPUID CPU-Z and HWMonitor Supply-Chain Malware Distribution
Summary
Public reporting from Kaspersky, Cyderes, and Breakglass Intelligence, published on April 10, 2026, documented that CPUID download paths for CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor were altered on April 9 to deliver trojanized files. Kaspersky observed malicious URLs replacing legitimate CPUID installer downloads from approximately 15:00 UTC on April 9 until about 10:00 UTC on April 10. Cyderes reported that CPUID acknowledged a secondary API breach lasting approximately six hours and that the signed original files were not themselves modified. The six-hour figure and Kaspersky's roughly 19-hour observation window do not agree; scoping should use the longer window until a precise one is published.
The malicious downloads bundled unmodified CPUID executables with an added DLL named CRYPTBASE.dll (Windows file names are case-insensitive, so CRYPTBASE.dll and cryptbase.dll are the same file). When a user launched the program, the Windows loader resolved cryptbase.dll from the application directory before the genuine copy in the system directory, so the legitimate, signed executable loaded the attacker's DLL: a DLL search-order hijack, commonly called DLL sideloading. That DLL started a multi-stage in-memory malware chain. Cyderes and Kaspersky identified the final-stage payload as STX RAT and reported credential-theft and session-cookie theft capabilities.
The incident affected users who downloaded and executed affected CPUID packages during the exposure window. Public reporting did not establish a confirmed victim count, a named operator, or a government attribution. The available evidence supports treatment as a software supply-chain incident against a trusted utility download channel.
Technical Analysis
Kaspersky reported that the affected CPUID tools included CPU-Z version 2.19, HWMonitor Pro version 1.57, HWMonitor version 1.63, and PerfMonitor version 2.04. The malicious distributions were served as ZIP archives or standalone installers from infrastructure including Cloudflare R2 storage and other attacker-controlled hosts. Cyderes reported that the HWMonitor download link redirected users from the legitimate CPUID download page to a malicious archive containing an added cryptbase.dll file, while the remaining components appeared consistent with the legitimate HWMonitor 1.63 package.
Execution depended on DLL loading behavior. The compromised package placed cryptbase.dll in the application directory, where it was loaded by HWMonitor_x64.exe. Cyderes reported that this triggered DllMain, thread creation, loading of the legitimate system cryptbase.dll, and subsequent in-memory payload staging. Kaspersky described the same technique across the affected CPUID packages, noting that the malicious DLL initiated C2 communication and further payload execution after anti-sandbox checks.
Cyderes reported a five-stage chain using reflective PE loading, XOR decryption, and layered transformations before the final STX RAT payload. The analysis identified JSON metadata sent to welcome.supp0v3.com, including campaign tag and referrer fields such as cpz for CPU-Z and monitor3 for HWMonitor. Kaspersky reported that the attackers reused C2 address and configuration material from a March 2026 fake FileZilla installer campaign.
Attack Chain
Stage 1: CPUID Download Path Compromise
Attackers altered CPUID download paths so that users seeking legitimate CPU-Z, HWMonitor, HWMonitor Pro, or PerfMonitor installers were redirected to malicious hosts rather than receiving the expected CPUID package. Kaspersky observed this malicious replacement from April 9 at approximately 15:00 UTC until about April 10 at 10:00 UTC.
Stage 2: Trojanized Package Delivery
Users downloaded archives or installers that preserved legitimate CPUID application components but added a malicious CRYPTBASE.dll. Cyderes reported that the HWMonitor v1.63 package contained otherwise legitimate components, with the added DLL serving as the execution point.
Stage 3: User Execution and DLL Loading
When the affected executable launched, Windows loaded the local cryptbase.dll from the application directory. The malware then loaded the legitimate Windows cryptbase.dll from System32 to preserve expected program behavior while starting the malicious chain.
Stage 4: In-Memory Payload Staging
The loader performed anti-sandbox checks and unpacked additional stages in memory. Cyderes reported reflective PE loading, XOR decryption, and multiple transformation stages before reaching the final payload.
Stage 5: STX RAT and C2 Activity
The final payload was identified as STX RAT. The malware sent metadata to welcome.supp0v3.com, including campaign tags and referrer fields that separated CPU-Z and HWMonitor targeting. Reported capabilities included credential theft, session-cookie harvesting, and remote access.
Impact Assessment
The exposed population was anyone who downloaded and executed affected CPUID packages during the compromise window. The tools involved are commonly used by administrators, hardware technicians, security practitioners, and PC support staff, which increased the chance that affected systems had privileged credentials or access to managed environments.
Public reporting did not provide a confirmed number of compromised systems. The most direct risk was credential and session-token theft from endpoints where the trojanized package executed. Cyderes reported STX RAT capabilities involving browser credentials, session cookies, crypto wallet keys, password-manager data, VPN credentials, and FTP credentials. Kaspersky reported malicious behavior including C2 communication, antivirus bypass through AMSI modification, deferred execution, and attempts to access browser data.
The incident also created trust risk for software obtained from official vendor websites. CISA and NIST guidance on software supply-chain attacks describes this class of risk as malicious code introduced before software reaches customers, including through vendor or distribution compromise.
Attribution
No public government attribution identified the operator behind this CPUID incident. The threat actor remains unknown.
Kaspersky and Cyderes linked the malware and infrastructure to a March 2026 campaign that distributed STX RAT through fake FileZilla installers. Kaspersky reported reuse of C2 address and configuration values, and Cyderes reported the same welcome.supp0v3.com callback infrastructure and STX RAT payload family. Breakglass Intelligence assessed shared infrastructure between the CPUID and FileZilla activity and attributed the operation to the same operator, but this remains a research assessment rather than a confirmed public government attribution.
Language artifacts, infrastructure registration, and hosting choices are not sufficient to identify a named actor. This profile therefore treats the attribution as unresolved while preserving the source-supported link to STX RAT distribution activity.
Timeline
2026-03-05 — Related CRYPTBASE.dll Sample First Seen
Breakglass Intelligence reported a CRYPTBASE.dll sample first seen on VirusTotal on March 5, 2026, before the public CPUID compromise reporting.
2026-04-09 — Malicious CPUID Download Activity Observed
Kaspersky observed CPUID download URLs for CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor replaced with malicious URLs starting at approximately 15:00 UTC.
2026-04-09 — Community Reports Surface
Cyderes reported that community discussion and VirusTotal analysis raised concerns about suspected malware distributed through recent HWMonitor downloads.
2026-04-09 — CPUID Acknowledges Breach
Cyderes reported that CPUID author Samuel Demeulemeester publicly acknowledged a secondary API breach lasting approximately six hours, stated that malicious download links were served randomly, and indicated that the signed original files were not compromised.
2026-04-10 — Malicious Download Window Ends
Kaspersky observed the malicious replacement window ending around 10:00 UTC on April 10. Breakglass reported that legitimate CPUID download infrastructure appeared restored during its April 10 investigation.
2026-04-10 — Research Reports Published
Kaspersky, Cyderes, and Breakglass published technical analysis describing the CPUID compromise, malicious CRYPTBASE.dll, C2 infrastructure, and overlap with STX RAT activity.
Remediation & Mitigation
Users who downloaded CPU-Z, HWMonitor, HWMonitor Pro, or PerfMonitor from CPUID between approximately 15:00 UTC on April 9 and 10:00 UTC on April 10, 2026 should treat the host as potentially compromised until verified. Because CPUID stated that the malicious links were served randomly, some downloads inside that window were clean; each host needs its own check rather than a decision based on download time alone. Isolate a host for investigation if reported malicious file hashes, a cryptbase.dll outside the Windows system directories, or callbacks to the reported C2 infrastructure are found.
Defenders should search for cryptbase.dll outside C:\Windows\System32 and C:\Windows\SysWOW64, especially under CPUID application directories and user download folders. Expect legitimate copies in the component store under C:\Windows\WinSxS, and compare any other copy's hash and signature against the System32 file rather than alerting on the file name alone. Kaspersky recommended Sysmon Event ID 7 (image load) monitoring for signed cryptbase.dll loading from non-standard paths, along with checks for suspicious PowerShell execution, sandbox-registry probing, browser credential access, hidden scheduled tasks, registry autorun changes, MSBuild or csc.exe execution from suspicious locations, and COM hijacking indicators.
Credential response should cover browser passwords, session cookies, VPN credentials, FTP credentials, password-manager material, crypto wallets, and privileged accounts accessible from affected systems. Cyderes recommended forcing password resets and revoking active sessions where compromise is suspected.
For software supply-chain resilience, CISA and NIST guidance recommends using cyber supply-chain risk management and secure software development practices to assess supplier risk, improve distribution integrity, and plan response to compromised software channels. For this incident class, practical controls include checksum verification against hashes obtained through a channel independent of the download page, endpoint detection for DLL loading from application directories, egress monitoring for known C2 infrastructure, and alerting on new files added to trusted portable-utility directories. Two caveats follow from this incident: the legitimate executables inside the trojanized archives were unmodified, so an Authenticode check on the main binary passes and the added DLL is what must be caught; and a hash displayed by the same compromised download path cannot be trusted to validate that download.
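A pre-execution check that combines the checksum and added-file controls above, as an added example for this profile (not CPUID's or any vendor's code). It verifies a downloaded archive's SHA-256 against a hash obtained out of band and diffs the archive's member list against the expected contents, so an added DLL is rejected even when every original file, including the signed executable, is untouched. The archives, the two-member manifest (HWMonitor_x64.exe is named in the reporting; readme.txt is an assumed filler), and the hashes are constructed in memory; real expected hashes and member lists must come from the vendor through a channel the download page cannot alter.

```python
"""Pre-execution check for a downloaded portable utility archive: verify its
SHA-256 against a hash obtained out of band, and diff its member list against
the expected contents so that an added DLL (the sideloading primitive used
against the CPUID packages) is caught even when every original file is intact.

Added example for this profile; not CPUID's or any vendor's code. The
archives, manifest and hashes are constructed in memory for the demonstration.
"""
import hashlib
import io
import zipfile
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass
class Verdict:
    hash_ok: bool
    added: List[str] = field(default_factory=list)    # members not in manifest
    missing: List[str] = field(default_factory=list)  # manifest entries absent
    added_dlls: List[str] = field(default_factory=list)

    @property
    def safe_to_run(self) -> bool:
        return self.hash_ok and not self.added and not self.missing


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inspect_archive(data: bytes, expected_sha256: str, expected_members: Iterable[str]) -> Verdict:
    """Compare hash and member list. Names are compared case-insensitively
    because Windows treats CRYPTBASE.dll and cryptbase.dll as the same file."""
    verdict = Verdict(hash_ok=sha256_hex(data).lower() == expected_sha256.lower())
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = {n.lower() for n in zf.namelist() if not n.endswith("/")}
    expected = {n.lower() for n in expected_members}
    verdict.added = sorted(members - expected)
    verdict.missing = sorted(expected - members)
    verdict.added_dlls = [n for n in verdict.added if n.endswith(".dll")]
    return verdict


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Constructed archive for the demonstration; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Manifest: HWMonitor_x64.exe is named in the reporting; readme.txt is an
# assumed filler member. Byte contents are placeholders, not real binaries.
EXPECTED_MEMBERS = {"HWMonitor_x64.exe", "readme.txt"}
CLEAN_FILES = {"HWMonitor_x64.exe": b"MZ placeholder for the signed binary",
               "readme.txt": b"placeholder"}
CLEAN_ZIP = build_zip(CLEAN_FILES)
CLEAN_SHA256 = sha256_hex(CLEAN_ZIP)  # stands in for the vendor-published hash
# Same legitimate members plus the one added DLL, as in the reported packages.
TROJANIZED_ZIP = build_zip({**CLEAN_FILES, "CRYPTBASE.dll": b"MZ placeholder for the added DLL"})


def report(name: str, verdict: Verdict) -> str:
    status = "OK" if verdict.safe_to_run else "REJECT"
    return (f"{name}: {status} hash_ok={verdict.hash_ok} added={verdict.added} "
            f"missing={verdict.missing} added_dlls={verdict.added_dlls}")


if __name__ == "__main__":
    print(report("clean", inspect_archive(CLEAN_ZIP, CLEAN_SHA256, EXPECTED_MEMBERS)))
    print(report("trojanized", inspect_archive(TROJANIZED_ZIP, CLEAN_SHA256, EXPECTED_MEMBERS)))
```

The verdict keeps the hash result and the member diff separate on purpose: a hash mismatch with no added or missing members usually means a new legitimate release and a stale manifest, while an added DLL is a reject regardless of what the hash says. The same set difference applied to a snapshot of an installed portable-utility directory gives the "new file added" alert mentioned above.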
Sources & References
- Breakglass Intelligence: CPUID.com Supply Chain Compromise: CRYPTBASE.dll Sideloading, FileZilla C2 Attribution, and the 95.216.51[.]236 Infrastructure — Breakglass Intelligence, 2026-04-10
- Cyderes: Monitoring the Monitor: How CPUID’s HWMonitor Supply Chain Was Hijacked to Deploy STX RAT — Cyderes, 2026-04-10
- Kaspersky: CPU-Z / HWMonitor watering hole infection - a copy-pasted attack — Kaspersky, 2026-04-10
- CISA: CISA and NIST Release New Interagency Resource: Defending Against Software Supply Chain Attacks — CISA, 2021-04-26