CPUID watering hole attack spreads STX RAT malware
Summary: The CPUID website was compromised and the CPU-Z and HWMonitor download links were replaced with malicious files spreading the STX RAT. The attack lasted several hours and infected many users. Kaspersky reports that the attackers used a malicious DLL and reused infrastructure from a previous attack for C2 communication. Victims are concentrated in Brazil, Russia, and China.
2026-4-13 07:23:36 Author: securityaffairs.com (view original)


Threat actors compromised the CPUID website and spread STX RAT through fake CPU-Z and HWMonitor downloads.

Attackers breached the website CPUID and replaced download links for CPU-Z and HWMonitor with malicious files for several hours. Users who downloaded them got infected with the STX RAT, giving attackers remote access to their systems. The short attack window still exposed many users to compromise.

Investigations show attackers compromised a secondary API for about six hours, causing the site to display malicious links. The maintainers of the website confirmed that the original signed files remain safe, and the issue has been fixed.

Here is the small statement I sent to everyone… 😓

Hi,

Investigations are still ongoing, but it appears that a secondary feature (basically a side API) was compromised for approximately six hours between April 9 and April 10, causing the main website to randomly display… https://t.co/ZfHRoWwkOM

— Doc TB (@d0cTB) April 10, 2026

Kaspersky reported that on April 9, 2026, the CPUID website was compromised, and download links for tools like CPU-Z and HWMonitor were redirected to malicious domains for several hours. Attackers used these sites to distribute infected installers, and Kaspersky published related indicators of compromise.

“We observed that starting from approximately April 9, 15:00 UTC, until about April 10, 10:00 UTC, the legitimate download URLs for installers of that software have been replaced,” states Kaspersky, “with URLs to the following malicious websites:

  • vatrobran[.]hr
  • cahayailmukreatif.web[.]id
  • pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev
  • transitopalermo[.]com

Kaspersky found that attackers distributed trojanized CPU-Z and HWMonitor installers with a malicious DLL (“CRYPTBASE.dll”) using DLL sideloading. The DLL handled C2 communication, anti-sandbox checks, and payload delivery, reusing infrastructure from a previous fake FileZilla campaign.
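A defender-side check for the sideloading pattern described above, added here as an example and not code from the article or from Kaspersky. It flags a DLL with a well-known system name (CRYPTBASE.dll is the one named on the page; the other names are illustrative assumptions) that a process loads from a directory other than the Windows system directories. The event records are constructed to resemble an image-load telemetry export (for example Sysmon Event ID 7); the field names and sample paths are assumptions, not data from the incident.

```python
"""Heuristic detection of DLL sideloading: a system DLL name loaded from a
non-system directory, as with the trojanized CPU-Z / HWMonitor installers
dropping CRYPTBASE.dll beside the executable."""
from pathlib import PureWindowsPath

# DLL names commonly abused for sideloading. CRYPTBASE.dll is named on the
# page; the other two are assumed additions for illustration.
SIDELOAD_CANDIDATES = {"cryptbase.dll", "version.dll", "dbghelp.dll"}

# Directories where these DLLs legitimately live (lower-cased for matching).
TRUSTED_DIRS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
)


def is_trusted_location(dll_path: str) -> bool:
    """True if the DLL sits in (or under) one of the trusted system directories."""
    parent = str(PureWindowsPath(dll_path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DIRS)


def find_sideloads(events):
    """Return (process image, DLL path) pairs where a candidate DLL name was
    loaded from outside the trusted directories. Field names are assumptions."""
    hits = []
    for ev in events:
        dll_path = ev["ImageLoaded"]
        name = PureWindowsPath(dll_path).name.lower()
        if name in SIDELOAD_CANDIDATES and not is_trusted_location(dll_path):
            hits.append((ev["Image"], dll_path))
    return hits


# Constructed sample events (not real telemetry from the incident).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\cpu-z_setup.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\CRYPTBASE.dll"},
    {"Image": r"C:\Program Files\CPUID\CPU-Z\cpuz.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\hwmonitor_setup.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\cryptbase.dll"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\version.dll"},
]

if __name__ == "__main__":
    for image, dll in find_sideloads(SAMPLE_EVENTS):
        print(f"possible sideload: {image} loaded {dll}")
```

The second and fourth sample events load the DLL from System32 or SysWOW64 and are not reported; only the two loads from the Downloads and Temp directories are flagged, which is the pattern a trojanized installer produces when it drops the DLL beside itself.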

“The interesting part here is that the attackers reused both the C2 address and the connection configuration from the March 2026 campaign where the attackers hosted a fake FileZilla (an open-source FTP client) site distributing malicious downloads,” continues the report. “The configuration embedded in the DLL is presented further. The ‘referrer’ field in the configuration equals ‘cpz’ which tends to be a shorthand for ‘CPU-Z’.”

The attack ultimately deployed a sophisticated RAT after multiple staged loaders. Attackers reused the known STX RAT, making detection easier thanks to existing rules. Despite compromising a popular software site, they failed to evade detection. Researchers found over 150 victims, mainly individuals but also organizations across multiple sectors, with most cases in Brazil, Russia, and China.

Kaspersky experts advise checking DNS logs and systems for signs of infection.
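One way to act on that advice, added here as an example (it is not code from the article or from Kaspersky): refang the four defanged domains quoted above and scan DNS query logs for lookups of those domains or any of their subdomains. The log format is assumed to be a BIND-style query log, and the sample lines, client addresses and the subdomain in the last line are constructed for this example.

```python
"""Match DNS query-log lines against the redirect domains Kaspersky listed.
The IoC strings are copied from the report as printed (defanged); the log
format and sample lines are constructed."""
import re
from typing import Optional

# Defanged IoCs exactly as given in the report.
DEFANGED_IOCS = [
    "vatrobran[.]hr",
    "cahayailmukreatif.web[.]id",
    "pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev",
    "transitopalermo[.]com",
]


def refang(ioc: str) -> str:
    """Turn 'example[.]com' back into 'example.com' for matching."""
    return ioc.replace("[.]", ".").lower().rstrip(".")


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def domain_matches(qname: str) -> Optional[str]:
    """Return the matching IoC if qname equals it or is a subdomain of it.
    The '.' prefix check stops 'notvatrobran.hr' from matching 'vatrobran.hr'."""
    q = qname.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if q == d or q.endswith("." + d):
            return d
    return None


# Assumed BIND-style query log shape:
# "<date> <time> client <ip>#<port> (<qname>): query: <qname> IN <type> ..."
LINE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def scan_dns_log(lines):
    """Return (client ip, queried name, matched IoC) for every hit."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        ioc = domain_matches(m.group("qname"))
        if ioc:
            hits.append((m.group("ip"), m.group("qname"), ioc))
    return hits


# Constructed sample log (client IPs, ports and the 'cdn.' subdomain are made up).
SAMPLE_LOG = """\
09-Apr-2026 15:12:03.101 client 10.0.4.21#51234 (www.cpuid.com): query: www.cpuid.com IN A + (10.0.0.53)
09-Apr-2026 15:12:05.440 client 10.0.4.21#51240 (vatrobran.hr): query: vatrobran.hr IN A + (10.0.0.53)
09-Apr-2026 15:12:09.002 client 10.0.4.37#49881 (pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev): query: pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev IN A + (10.0.0.53)
09-Apr-2026 15:13:00.700 client 10.0.4.50#50001 (notvatrobran.hr): query: notvatrobran.hr IN A + (10.0.0.53)
10-Apr-2026 08:41:17.313 client 10.0.4.21#51300 (cdn.transitopalermo.com): query: cdn.transitopalermo.com IN A + (10.0.0.53)
""".splitlines()

if __name__ == "__main__":
    for ip, qname, ioc in scan_dns_log(SAMPLE_LOG):
        print(f"{ip} queried {qname} (matches IoC {ioc})")
```

A hit for a client during the April 9 to April 10 window is a reason to pull that host's download history and check it for the sideloaded DLL; a query to the legitimate cpuid.com domain on its own is expected traffic and is not reported.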

“Compared to other recent watering hole and supply chain attacks, such as the Notepad++ supply chain attack, the attack on the cpuid.com website was orchestrated quite poorly,” concludes the report. “The gravest mistake attackers made was to reuse the same infection chain involving STX RAT, and the same domain names for C2 communication, from the previous attack related to fake FileZilla installers.”


Pierluigi Paganini

(SecurityAffairs – hacking, CPUID)

Source: https://securityaffairs.com/190702/malware/cpuid-watering-hole-attack-spreads-stx-rat-malware.html