Monitoring the Monitor: How CPUID's HWMonitor Supply Chain Was Hijacked to Deploy STX RAT

Key Findings

The Howler Cell Threat Research Team has identified the following key characteristics of this supply chain attack:

• Supply Chain Compromise: The official CPUID download page for HWMonitor was hijacked to serve a trojanized installer from attacker-controlled Cloudflare R2 infrastructure. CPU-Z was similarly compromised. CPUID confirmed a secondary API was breached for approximately six hours before remediation.
• Massive Exposure Surface: CPU-Z alone has tens of millions of users globally. HWMonitor is the standard hardware monitoring tool used by IT professionals, system administrators, data center operators, OEM hardware vendors, overclockers, and PC builders worldwide. A six-hour window on software of this reach represents extraordinary infection potential.
• DLL Sideloading via cryptbase.dll: A malicious cryptbase.dll was placed alongside the legitimate application. When HWMonitor_x64.exe executed, it sideloaded the rogue DLL via Windows DLL search order hijacking. Only the 64-bit version is affected.
• Five-Stage In-Memory Unpacking Chain: The malware executes entirely in memory across five stages using reflective PE loading, XOR decryption, and layered bitwise transformations. No intermediate payloads are written to disk, significantly hindering forensic recovery and evading signature-based detection.
• Final Payload Attributed to STX RAT: The Stage 5 payload hash matches STX RAT, a remote access trojan with infostealer capabilities previously distributed via a fraudulent FileZilla installer. This links the CPUID campaign to a broader ongoing operation.
• Multi-Campaign Infrastructure: Four distinct campaign tags (tbs, tbs2, tbs3, snip) and referrer fields (CPZ for CPU-Z, monitor3 for HWMonitor) were identified in the C2 callback metadata, indicating an active, segmented operation across multiple software targets.

Summary

The Howler Cell Threat Research Team has identified a supply chain compromise involving HWMonitor, a widely used hardware monitoring application developed by CPUID. The legitimate software download page was compromised and redirected users to a trojanized installer hosted on attacker-controlled Cloudflare R2 infrastructure. The investigation also confirmed that CPU-Z, another CPUID product, was similarly affected.

How the attack worked

• The malicious installer contained an additional DLL, cryptbase.dll, placed alongside the legitimate application and sideloaded when the 64-bit version of HWMonitor executed.
• This triggered a multistage malware chain using reflective PE loading, XOR decryption, and layered bitwise transformations across five stages, all executed entirely in memory.
• The final payload, identified as STX RAT, contacted the hardcoded C2 domain welcome[.]supp0v3[.]com and transmitted host metadata for victim identification and campaign tracking.

Why the scale of this attack matters

CPUID's tools are not niche utilities; they are the de facto standard for hardware diagnostics across the global technology community. CPU-Z alone has tens of millions of users worldwide. HWMonitor's core user base includes:

• IT professionals and system administrators conducting diagnostics
• Data center engineers validating server thermals
• OEM hardware vendors qualifying new components
• Security researchers running forensic workstations
• Corporate IT departments managing device fleets

The portable (ZIP) version is routinely carried on USB drives and run directly on production machines without installation, reaching environments that block installer-based software. This is not an attack that happened to hit a popular tool. It was almost certainly designed to target exactly this user base. Compromising the CPUID download page is a direct attack on the people most likely to have administrative access, deep system visibility, and credentials worth stealing.

What a successful infection delivers to the threat actor

• Browser credentials and session cookies capable of bypassing MFA
• Persistent remote access via the STX RAT component
• Crypto wallet keys and password manager data
• VPN and FTP credentials enabling lateral movement into enterprise networks
• Victim profile data segmented by campaign tag and referrer software, enabling prioritized follow-on exploitation

A six-hour compromise window on software of this reach represents an infection opportunity that most targeted campaigns never achieve.

Campaign Timeline

• Initial Discovery, April 9, 2026: A Reddit post surfaced raising concerns about potential malware distributed through recent versions of HWMonitor, prompting community discussion and preliminary VirusTotal analysis.
• Compromise Identified: The legitimate CPUID download page (hxxps[://]www[.]cpuid[.]com/softwares/hwmonitor[.]html) was found redirecting users to a malicious package hosted on a Cloudflare R2 bucket.
• Trojanized Package Distributed: Users downloading HWMonitor v1.63 received a compromised archive containing a malicious cryptbase.dll alongside otherwise legitimate components.
• DLL Sideloading and Payload Execution: Upon launching HWMonitor_x64.exe, the malicious DLL was sideloaded, initiating a multi-stage unpacking chain that deployed STX RAT entirely in memory.
• C2 Communication Established: The malware transmitted JSON-formatted victim metadata to the hardcoded C2 server (welcome[.]supp0v3[.]com) for campaign tracking and victim profiling.
• Vendor Acknowledgment (April 9-10): CPUID author Samuel Demeulemeester publicly acknowledged the compromise, confirming that a secondary API was breached for approximately six hours, causing the main website to randomly serve malicious download links. The signed original files were not compromised; the breach has since been remediated.
• Attribution and Correlation: The final payload hash correlates with prior reporting linking it to STX RAT campaigns previously distributed via a fraudulent FileZilla installer.

Technical Analysis

HWMonitor is a widely used hardware monitoring utility that tracks system temperatures, voltages, and fan speeds. Howler Cell began its analysis after a Reddit post surfaced reporting suspected malware distributed through recent versions of HWMonitor.

Through a combination of community discussion (Figure 1), VirusTotal analysis (Figure 2), and official confirmation from CPUID (Figure 3), it was determined that the legitimate download page had been compromised to redirect users to a malicious package hosted on a Cloudflare R2 server. The full URL of the malicious payload is provided below:

hxxp[://]pub-fd67c956bf8548b7b2cc23bb3774ff0c[.]r2[.]dev/hwmonitor_1[.]63[.]zip

Figure 1: Reddit post

Figure 2: VirusTotal Lookup

Figure 3: Vendor's post on X

Upon inspection, the compromised package was found to contain an additional DLL named cryptbase.dll, while all other components appeared legitimate and consistent with the original distribution version 1.63 (see Figures 4 and 5).

Figure 4: Compromised package containing malicious DLL compared to legitimate package v1.63 

Figure 5: Hash check on legitimate and compromised packages 

Upon execution of HWMonitor_x64.exe, the malicious DLL is sideloaded into the process, as evidenced by the Procmon logs captured in Figure 6, triggering the execution of its DllMain entry point. Since the malware relies on DLL search order hijacking, only the 64-bit version of HWMonitor is affected in this attack.

Figure 6: Malicious DLL loaded by HWMonitor_x64.exe 

Cryptbase Analysis

The Cyderes Howler Cell Threat Research Team conducted a technical analysis of the malicious component, cryptbase.dll. The file is a 64-bit DLL module with a timestomped compilation timestamp set to 2077-08-31 05:16:43.

Upon execution within DllMain, the malware spawns a separate thread, which initiates an additional thread responsible for executing the primary malicious payload. This multi-threaded approach is likely employed to release the loader lock. Concurrently, the malware loads the legitimate cryptbase.dll from the System32 directory (Figure 7) and returns TRUE to prevent a deadlock condition.

Figure 7: DllMain thread creation and legitimate module load 

Upon execution, the malware sends JSON-formatted metadata (Table 1) to the hardcoded C2 server (welcome[.]supp0v3[.]com), likely for tracking and profiling campaign victims with campaign ID "tbs." The callback URL registers infected victims as shown in Figure 8. Analysis identified four active campaigns tagged tbs, tbs2, tbs3, and snip. Concurrently, it unpacks a second-stage payload in memory (Figure 9), consisting of a compact shellcode stub designed to execute the reflective PE loader. The referrer field identifies the targeted software package: CPZ for CPU-Z and monitor3 for HWMonitor.

Figure 8: Callback to register victim

Table 1: JSON Metadata Sent to C2