cpuid.com watering hole attack: trojanized CPU-Z and HWMonitor deliver STX RAT via DLL sideloading
Between April 9 and 10, 2026, the CPUID website was compromised; users downloading its system administration tools received a malicious DLL (CRYPTBASE.dll) that connects to a C2 server and executes further malicious code. The attackers reused the configuration and the STX RAT from an earlier campaign, so the activity was detected by Kaspersky. More than 150 victims were recorded across many countries.

2026-04-10 16:26:38  Author: securelist.com (view original)

UPD 14.04.2026: added detection rules and examples from Kaspersky products (KEDR Expert and KATA), as well as dynamic analysis results from Kaspersky Threat Analysis.

Introduction

On April 9, 2026, the website cpuid[.]com, which hosts installers for the popular system administration tools CPU-Z, HWMonitor (HWMonitor Pro) and PerfMonitor 2, was compromised. We observed that from approximately April 9, 15:00 UTC, until about April 10, 10:00 UTC, the legitimate download URLs for these installers were replaced with URLs pointing to the following malicious websites:

  • cahayailmukreatif.web[.]id;
  • pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev;
  • transitopalermo[.]com;
  • vatrobran[.]hr.

The complete list of hashes of the files we observed being downloaded from these websites is provided in the Indicators of Compromise section.

Attack chain

We observed the attackers deploy malicious distributions of various popular system administration software published on the cpuid[.]com website. Below is a list of this software:

  • CPU-Z (version 2.19)
  • HWMonitor Pro (version 1.57)
  • HWMonitor (version 1.63)
  • PerfMonitor (version 2.04)

The trojanized software was distributed both as ZIP archives and as standalone installers for the aforementioned products. Each package contains the legitimate, signed executable of the corresponding product together with a malicious DLL named "CRYPTBASE.dll", which leverages the DLL sideloading technique: cryptbase.dll is a genuine Windows system library that many executables import, and because it is not on the KnownDLLs list, a copy placed in the application directory is found before the one in System32 under the default DLL search order. The signed product binary therefore loads the attacker's code itself.

The malicious DLL is responsible for the C2 connection and subsequent payload execution. Before connecting, it performs a set of anti-sandbox checks and only proceeds to the C2 server if all of them pass. The interesting part is that the attackers reused both the C2 address and the connection configuration from the March 2026 campaign in which they hosted a fake FileZilla (an open-source FTP client) site distributing malicious downloads. The configuration embedded in the DLL is shown below. The "referrer" field equals "cpz", most likely shorthand for "CPU-Z".

{
  "hello": {
    "tag": "tbs",
    "referrer": "cpz",
    "callback": "hxxps://welcome.supp0v3[.]com/d/callback"
  }
}

This loader also contains a huge array of MAC addresses (represented as strings) from which the next stage payload is assembled: the hexadecimal digits of each MAC address are converted to their byte values and the results are concatenated. After a set of auxiliary loaders, the execution chain results in a sophisticated RAT.
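The decoding step described above, as an added example that is not part of the original article: a small Python decoder that turns an array of MAC-address strings back into raw bytes and applies a cheap PE sanity check to the result. The MAC array here is constructed for the example (a 72-byte fake PE header), not taken from the real sample; the accepted MAC notations and the six-bytes-per-entry layout are also assumptions, since the article only states that the hex digits of each address become byte values.

```python
import re
from typing import Iterable, List

# Accept the common MAC notations: 4D-5A-90-00-03-00, 4d:5a:90:00:03:00 and 4D5A90000300
# (assumption: the real loader's exact string format is not given in the article).
_MAC_RE = re.compile(
    r"^([0-9A-Fa-f]{2})[-:]?([0-9A-Fa-f]{2})[-:]?([0-9A-Fa-f]{2})[-:]?"
    r"([0-9A-Fa-f]{2})[-:]?([0-9A-Fa-f]{2})[-:]?([0-9A-Fa-f]{2})$"
)


def is_mac(s: str) -> bool:
    """True if the string is one MAC address in an accepted notation."""
    return _MAC_RE.match(s.strip()) is not None


def mac_to_bytes(mac: str) -> bytes:
    """Convert one MAC-address string into its six raw bytes; reject anything that is not one."""
    m = _MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(octet, 16) for octet in m.groups())


def decode_mac_payload(macs: Iterable[str]) -> bytes:
    """Rebuild the hidden stage: six bytes per entry, concatenated in array order."""
    return b"".join(mac_to_bytes(m) for m in macs)


def bytes_to_macs(blob: bytes, sep: str = "-") -> List[str]:
    """Inverse operation, used here only to build the constructed sample array."""
    if len(blob) % 6:
        raise ValueError("payload length must be a multiple of 6")
    return [sep.join(f"{b:02X}" for b in blob[i:i + 6]) for i in range(0, len(blob), 6)]


def looks_like_pe(blob: bytes) -> bool:
    """Quick triage of a decoded stage: 'MZ' at offset 0 and 'PE\\0\\0' at the offset stored in e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed sample: a minimal fake PE header (72 bytes, a multiple of 6) encoded as MAC strings.
SAMPLE_STAGE = (
    b"MZ" + b"\x00" * 58             # DOS header up to e_lfanew (offset 0x3C)
    + (0x40).to_bytes(4, "little")   # e_lfanew: PE signature right after the 64-byte DOS header
    + b"PE\x00\x00"                  # PE signature
    + b"\x00" * 4                    # padding to 72 bytes
)
SAMPLE_MACS = bytes_to_macs(SAMPLE_STAGE)   # 12 strings such as "4D-5A-00-00-00-00"

if __name__ == "__main__":
    stage = decode_mac_payload(SAMPLE_MACS)
    print(f"{len(SAMPLE_MACS)} MAC strings -> {len(stage)} bytes; PE header: {looks_like_pe(stage)}")
```

Against a real sample, replace SAMPLE_MACS with the strings dumped from the DLL's data section and check looks_like_pe() on the result; if it is false, the decoded bytes are probably wrapped in a further encoding or compression layer before being loaded, which is worth confirming rather than assuming.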

Copy-pasted malicious implants

The final stage RAT is not new, though. The adversary reused the so-called "STX RAT" reported by eSentire, making one more mistake: we noted that the final stage is fully detected by the YARA rules provided in the eSentire article. As can be seen, the attackers put effort into compromising a popular software website but failed to avoid detection by known indicators of compromise.

Victimology

Based on our telemetry, we have identified more than 150 victims, the majority of whom are individuals. However, several organizations from various sectors, including retail, manufacturing, consulting, telecommunications and agriculture, were also affected. Most infections were observed in Brazil, Russia and China.

Recommendations

Although the watering hole attack lasted less than 24 hours, it is important to check whether your organization may be affected. The best way to do this is to examine DNS logs for the malicious websites from which the trojanized installers were downloaded: the installers were served from the attacker-controlled hosts listed in the IoCs, not from cpuid[.]com itself, so those hostnames are what to search for. It is also paramount to examine filesystems for traces of the malicious archives and executable files related to this attack, comparing file hashes against the IoCs below.
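The two checks recommended above, written out as an added Python example (not part of the original article): the first pulls hostnames out of DNS log lines and matches them against the download hosts and the C2 domain from the IoC section, the second hashes files under a directory and looks them up in the list of trojanized downloads. The log lines are constructed for the example in a dnsmasq-like format; the hostnames and SHA-1 values are the ones published in the IoC section. Note the deliberate scoping: pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev is matched as a whole hostname, because r2.dev is Cloudflare's public R2 bucket domain and matching the zone would flag unrelated traffic.

```python
import hashlib
import re
from pathlib import Path
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Hosts from the article's IoC section (de-fanging removed so they match real log data).
MALICIOUS_HOSTS = {
    "cahayailmukreatif.web.id",
    "pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev",   # one specific R2 bucket, not the r2.dev zone
    "transitopalermo.com",
    "vatrobran.hr",
    "welcome.supp0v3.com",                            # loader C2
}

# SHA-1 of the trojanized downloads listed in the article, keyed by digest.
MALICIOUS_SHA1: Dict[str, str] = {
    "d0568eaa55f495fd756fa205997ae8d93588d2a2": "cpu-z_2.19-en.zip",
    "02a53d660332c25af623bbb7df57c2aad1b0b91b": "hwinfo_monitor_setup.exe",
    "9253111b359c610b5f95ef33c2d1c06795ab01e9": "HWMonitorPro_1.57_Setup.exe",
    "2f717a77780b8f6b2d853dc4df5ed2b90a3a349a": "hwmonitor-pro_1.57.zip",
    "7c615ce495ac5be1b64604a7c145347adbcd900c": "hwmonitor_1.63.zip",
    "c417c3a4b094646d06a06103639a5c9faabc9ba4": "hwmonitor_1.63.zip",
    "8351a43a0c0455e4b0793d841fe12625f072f9b4": "PerfMonitor2_Setup.exe",
    "6a71656c289201f742787f48398056fcd2aa7274": "perfmonitor-2_2.04.zip",
}

# Hostname-looking tokens (alphabetic TLD, so IPv4 addresses are skipped); format-agnostic on purpose.
_HOST_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.I)


def is_malicious_host(host: str) -> bool:
    """Exact match or subdomain of an IoC host; never matches a parent zone such as r2.dev."""
    h = host.lower().rstrip(".")
    return any(h == bad or h.endswith("." + bad) for bad in MALICIOUS_HOSTS)


def find_dns_hits(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line number, hostname) for every IoC hostname seen in the log, whatever the line format."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, 1):
        for m in _HOST_RE.finditer(line):
            if is_malicious_host(m.group(0)):
                hits.append((lineno, m.group(0).lower()))
    return hits


def sha1_of(path: Path) -> str:
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_hash(digest: str, iocs: Dict[str, str] = MALICIOUS_SHA1) -> Optional[str]:
    """Name of the trojanized download with this SHA-1, or None."""
    return iocs.get(digest.strip().lower())


def scan_files(root: Path, iocs: Dict[str, str] = MALICIOUS_SHA1) -> Iterator[Tuple[Path, str, str]]:
    """Hash every archive/executable/DLL under root and yield those whose SHA-1 is an IoC."""
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in {".zip", ".exe", ".dll", ".bin"}:
            digest = sha1_of(p)
            name = classify_hash(digest, iocs)
            if name:
                yield p, digest, name


# Constructed log lines (dnsmasq-style); line 3 is a different R2 bucket and must not match.
SAMPLE_DNS_LOG = """\
Apr  9 15:12:01 dnsmasq[812]: query[A] www.cpuid.com from 10.0.0.21
Apr  9 15:12:02 dnsmasq[812]: query[A] pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev from 10.0.0.21
Apr  9 15:12:09 dnsmasq[812]: query[A] pub-0000000000000000000000000000000a.r2.dev from 10.0.0.33
Apr  9 15:13:40 dnsmasq[812]: query[A] welcome.supp0v3.com from 10.0.0.21
Apr  9 15:14:00 dnsmasq[812]: query[A] update.microsoft.com from 10.0.0.33
"""

if __name__ == "__main__":
    for lineno, host in find_dns_hits(SAMPLE_DNS_LOG.splitlines()):
        print(f"DNS hit on line {lineno}: {host}")
    downloads = Path.home() / "Downloads"
    if downloads.is_dir():
        for path, digest, name in scan_files(downloads):
            print(f"IoC match: {path} sha1={digest} ({name})")
```

Filename matches alone are not evidence here, since the trojanized packages carry the same names as the genuine downloads; only the hash (or the presence of a CRYPTBASE.dll next to the product executable) distinguishes them.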

Detection by Kaspersky products

Kaspersky Endpoint Detection and Response Expert effectively detects the behavior of the described malicious activity at each stage. This section presents possible detection scenarios.

When cryptbase.dll is loaded, the cryptbase_dll_loaded_from_wrong_location rule is triggered. It is designed to detect the loading of unsigned libraries located outside the system directory; in this case the library sits in the same directory as the executable and is loaded when the executable starts.

Loading of unsigned module
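The logic behind a rule like cryptbase_dll_loaded_from_wrong_location, and the sideloading mechanism described in the attack chain section, as an added Python example (not Kaspersky's rule and not code from the article): it takes image-load events with the field names Sysmon uses for Event ID 7 (Image, ImageLoaded, Signed, SignatureStatus) and flags a sideloading-prone system DLL name loaded from anywhere other than a Windows system directory, escalating when the module is unsigned. The events are constructed; the DLL names beyond cryptbase.dll and the system directory locations under C:\Windows are assumptions. Using PureWindowsPath keeps the check correct when run on a non-Windows analysis host.

```python
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# System DLL names that executables routinely import and that are not protected by KnownDLLs, so a
# same-named file in the application directory wins the search order. cryptbase.dll is the one used
# in this campaign; the others are well-known sideloading targets (assumption: tune to your estate).
SIDELOAD_PRONE_DLLS = {"cryptbase.dll", "cryptsp.dll", "version.dll", "dwmapi.dll",
                       "uxtheme.dll", "wtsapi32.dll", "profapi.dll", "dbghelp.dll"}

# Where the genuine copies live (assumption: SystemRoot is C:\Windows).
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)

RULE_NAME = "system_dll_loaded_from_wrong_location"   # hypothetical rule name for this example


def _parts(path: PureWindowsPath) -> List[str]:
    return [p.lower() for p in path.parts]


def _is_under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive prefix test on path components (Windows paths are case-insensitive)."""
    p, r = _parts(path), _parts(root)
    return p[:len(r)] == r


def evaluate_image_load(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert dict for a suspicious load, or None for a benign one."""
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.name.lower() not in SIDELOAD_PRONE_DLLS:
        return None                                   # not a name anyone sideloads
    if any(_is_under(loaded, d) for d in SYSTEM_DIRS):
        return None                                   # the genuine copy
    image = PureWindowsPath(event["Image"])
    signed = (event.get("Signed", "").lower() == "true"
              and event.get("SignatureStatus", "").lower() == "valid")
    return {
        "rule": RULE_NAME,
        "process": image.name,
        "dll": str(loaded),
        "same_dir_as_process": _parts(loaded.parent) == _parts(image.parent),
        "signed": signed,
        # An unsigned system-named DLL next to the EXE is the textbook sideload; a validly signed one
        # outside System32 is unusual enough to review but may be a vendor redistributable.
        "severity": "medium" if signed else "high",
    }


def evaluate_all(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [a for a in (evaluate_image_load(e) for e in events) if a]


# Constructed events in Sysmon Event ID 7 field names; the first mirrors the trojanized CPU-Z package.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\cpu-z_2.19-en\cpuz_x64.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\cpu-z_2.19-en\CRYPTBASE.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\VERSION.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\toolcore.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for alert in evaluate_all(SAMPLE_EVENTS):
        print(alert)
```

The signature fields come from the telemetry source, not from the rule: Sysmon only populates Signed/SignatureStatus for image loads when signature checking is enabled in its configuration, so if those fields are missing the check degrades to location-only and every non-system-directory load of these names is reported.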

When the loader spawns a PowerShell child process and passes the payload to it through a pipe, several rules are triggered on the AMSI and process-start event types; they track pipe usage and the execution of suspicious commands:

suspicious_powershell_command_invocation_obtained_via_pipe_amsi
suspicious_powershell_cmdline_general_obfuscation_amsi
suspicious_powershell_command_invocation_obtained_via_pipe
suspicious_powershell_cmdline_general_obfuscation

Child process creation

Attempts to access web browser data are detected by several rules, for example credentials_from_web_browsers, which tracks suspicious access to files storing user secrets.

For comprehensive analysis of the described malicious activity, Kaspersky Cloud Sandbox, part of Kaspersky Threat Analysis, can be used, providing detailed information about the behavior of malicious files under investigation. In particular, this tool allows identifying indicators of compromise based on behavioral analysis.

The figure below shows the Kaspersky Threat Analysis interface demonstrating dynamic analysis results for one of the STX RAT samples:

Malicious sample detonation in Kaspersky Cloud Sandbox

Based on dynamic analysis results, the analyzed sample was found to perform the following malicious actions:

  • modifies AMSI to bypass antivirus protection (AMSI patching);
  • establishes network connection with C2 server;
  • introduces time delay for deferred payload execution.

Network traffic monitoring for characteristic anomalies also remains a reliable way to detect such attacks. Malicious activity in traffic can be detected using Kaspersky Anti Targeted Attack (KATA) with the NDR module.

Below is the KATA NDR interface with an alert on the loader's C2 communication over HTTP. In this case the Backdoor.Agent.HTTP.C&C rule was triggered, which detects network communication characteristic of this campaign.

Conclusion

Compared to other recent watering hole and supply chain attacks, such as the Notepad++ supply chain attack, the attack on the cpuid.com website was orchestrated quite poorly. The gravest mistake the attackers made was to reuse the same infection chain involving STX RAT, and the same domain names for C2 communication, from the previous attack involving fake FileZilla installers. The overall malware development, deployment and operational security capabilities of the threat actor behind this attack are quite low, which in turn made it possible to detect the watering hole compromise as soon as it started.

Indicators of Compromise

Hashes of downloaded malicious files (SHA-1)

d0568eaa55f495fd756fa205997ae8d93588d2a2  cpu-z_2.19-en.zip
02a53d660332c25af623bbb7df57c2aad1b0b91b  hwinfo_monitor_setup.exe
9253111b359c610b5f95ef33c2d1c06795ab01e9  HWMonitorPro_1.57_Setup.exe
2f717a77780b8f6b2d853dc4df5ed2b90a3a349a  hwmonitor-pro_1.57.zip
7c615ce495ac5be1b64604a7c145347adbcd900c  hwmonitor_1.63.zip
c417c3a4b094646d06a06103639a5c9faabc9ba4  hwmonitor_1.63.zip
8351a43a0c0455e4b0793d841fe12625f072f9b4  PerfMonitor2_Setup.exe
6a71656c289201f742787f48398056fcd2aa7274  perfmonitor-2_2.04.zip

Hashes of malicious DLLs (SHA-1)

24bbfcfea0c79f640a4eec99ffdae3ccd315786   CRYPTBASE.dll (39 hex characters as published; likely truncated)
c65e515b9c9655c651c939b94574cf39b40a8be2  CRYPTBASE.dll (also seen as CRYPTBASE.dll.bin)
3041a4e2bc5ccefbfd2222a9e23614fb79d6db63  CRYPTBASE.dll
4e3195399a9135247e55781ad13226c6b0e86c0d  CRYPTBASE.dll
4597f546a622ae55e0775cbcc416b3f1dfd096ce  CRYPTBASE.dll
a06955d253711385eaa6f5af76fa9fa47bdeb1e9  CRYPTBASE.dll
6b49823483889bc1ad152a1be52d1385c4e0affb  CRYPTBASE.dll
4f3d8c47239bd1585488ce431d931457f101104c  CRYPTBASE.dll
ba19e03ca03785e89010672d7e273ac343e4699a  CRYPTBASE.dll
e2464454017cd02a8bc6744596c384cf91cdd67e  CRYPTBASE.dll

URLs

hxxps://welcome.supp0v3[.]com
hxxps://cahayailmukreatif.web[.]id/sw-content/template/hwmonitor/hwinfo_monitor_setup.exe
hxxps://pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev/perfmonitor/perfmonitor-2_2.04.zip
hxxps://pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev/perfmonitor/PerfMonitor2_Setup.exe
hxxps://pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev/hwmonitor-pro/hwmonitor-pro_1.57.zip
hxxps://pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev/hwmonitor_1.63.zip
hxxps://pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev/hwmonitor/hwinfo_monitor_setup.exe
hxxps://pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev/cpu-z_2.19-en.zip
hxxps://pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev/hwmonitor-pro/hwmonitorpro_1.57_setup.exe
hxxps://transitopalermo[.]com/config/hwmonitor/hwmonitor_1.63.zip
hxxps://transitopalermo[.]com/config/hwmonitor-pro/hwmonitorpro_1.57_setup.exe
hxxps://transitopalermo[.]com/config/hwmonitor/HWiNFO_Monitor_Setup.exe
hxxps://vatrobran[.]hr/en-GB/info/hwmonitor/hwmonitor_1.63.zip
hxxps://vatrobran[.]hr/en-GB/info/cpu-z/cpu-z_2.19-en.zip
hxxps://vatrobran[.]hr/en-gb/info/hwmonitor/hwinfo_monitor_setup.exe
hxxps://vatrobran[.]hr/en-GB/info/hwmonitor-pro/HWMonitorPro_1.57_Setup.exe


Source: https://securelist.com/tr/cpu-z/119365/