
What Happened
Between approximately 15:00 UTC on April 9 and 10:00 UTC on April 10, 2026, unknown threat actors compromised cpuid.com — the official distribution site for widely used hardware diagnostic tools including CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor. During that roughly 19-hour window, visitors who downloaded any of these tools received trojanized executables containing STX RAT, a remote access trojan that gives attackers persistent, covert control over an infected machine.
CPUID's tools are staples in IT shops, managed service provider toolkits, and the personal collections of technically inclined users everywhere. CPU-Z alone has been downloaded hundreds of millions of times over its lifetime. The attackers didn't need to crack individual systems — they simply poisoned a trusted source and let victims come to them.
The original report was published by The Hacker News.
Why This Attack Pattern Is So Effective
This is a classic watering hole supply chain attack. Rather than targeting victims individually, attackers compromise a resource their targets already trust and visit regularly. Hardware diagnostic utilities like CPU-Z and HWMonitor are especially attractive targets because they are disproportionately downloaded by IT administrators, network technicians, and power users — exactly the accounts with elevated privileges that attackers want to control.
The 19-hour window is deceptively short. In practice, that's enough time to infect anyone who downloaded a tool during a routine system audit, a new workstation setup, or a troubleshooting session. And because the download came from the legitimate domain with no obvious warning signs, most endpoint users and even some security tools would not have flagged the installation as suspicious at the time.
STX RAT, once deployed, is designed for persistence. Remote access trojans of this class typically enable keylogging, screen capture, file exfiltration, lateral movement, and the ability to drop additional payloads. A single infected machine inside a small business or medical practice network is a foothold, not an endpoint. The real damage often unfolds weeks or months later.
Key Takeaway
If anyone at your organization downloaded CPU-Z, HWMonitor, HWMonitor Pro, or PerfMonitor from cpuid.com between April 9 at 3:00 PM UTC and April 10 at 10:00 AM UTC, treat that machine as potentially compromised. Isolate it, run a full forensic scan, check for persistence mechanisms (scheduled tasks, registry run keys, startup entries), and rotate credentials that may have been used on or near that device. Do not wait for symptoms — RAT infections are designed to be silent.
What This Means for Your Practice or Business
For healthcare practices and tax professionals: Your exposure risk is higher than average if your IT staff or any technically capable employee routinely uses hardware diagnostic tools. A compromised technician workstation — even one that doesn't store patient records or tax data directly — can serve as a pivot point into systems that do. HIPAA and IRS data security standards both require you to investigate and document suspected breaches, even when the initial infection vector is an IT utility rather than a clinical or financial application.
For small business owners: If you rely on a managed service provider or in-house IT person who might have run one of these tools during the compromise window, ask them directly. A good MSP will already be auditing this. If yours hasn't reached out, that's a conversation worth initiating today.
For all users: This incident is a timely reminder that trusted sources can be temporarily untrustworthy. A green padlock and a familiar domain name are not sufficient indicators of safety when the site itself has been compromised at the file-serving layer.
Defensive Actions to Take Now
- Audit recent downloads. Check browser download history and IT ticketing logs for any CPUID tool downloads between April 9 and April 10, 2026 (the compromise window runs from 15:00 UTC on April 9 to 10:00 UTC on April 10).
- Scan affected machines. Use an updated endpoint detection and response (EDR) tool to scan any machine where these downloads occurred. Look specifically for STX RAT indicators of compromise (IoCs), which security vendors are actively publishing.
- Review persistence mechanisms. On suspect machines, examine scheduled tasks, startup folders, and registry run keys for anything anomalous added around the time of the download.
- Rotate credentials. Any passwords typed or stored on a potentially infected machine should be treated as exposed. Prioritize admin accounts, email, VPN, and any accounts with access to sensitive data.
- Implement download controls going forward. Consider restricting software downloads to IT-approved sources and requiring hash verification for third-party utilities before installation. Many EDR platforms and application control tools support this natively.
- Enable multi-factor authentication everywhere. Even if credentials were captured, MFA significantly limits what an attacker can do with them remotely.
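The Key Takeaway and the Defensive Actions above describe one triage procedure: find the CPUID downloads that fell inside the compromise window, hash them for comparison with vendor-published clean values, and review scheduled tasks, registry Run keys and startup folders for anything added around that time. The script below is an added example of that procedure for a Windows workstation; it is not from the original post and not CPUID's code. It assumes the window dates stated in the post, a guessed set of installer filename patterns (`cpu-z*`, `cpuz*`, `hwmonitor*`, `perfmonitor*`), and an elevated Windows PowerShell 5.1 or later session on Windows 8/Server 2012 or newer (for the ScheduledTasks module).

```powershell
# Added triage script; it is not from the original post and not CPUID's code.
# Assumptions: the compromise window is the one the post states (15:00 UTC on
# 9 April to 10:00 UTC on 10 April 2026); the installer filename patterns are a
# guess at how CPUID downloads are named; run elevated in Windows PowerShell 5.1+.
param(
    [datetime]$WindowStartUtc = [datetime]::new(2026, 4, 9, 15, 0, 0, [DateTimeKind]::Utc),
    [datetime]$WindowEndUtc   = [datetime]::new(2026, 4, 10, 10, 0, 0, [DateTimeKind]::Utc),
    # A RAT may register persistence well after the download, so persistence
    # locations are searched up to this many hours past the end of the window.
    [int]$PersistenceSlackHours = 72
)

$persistenceEndUtc = $WindowEndUtc.AddHours($PersistenceSlackHours)
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding($Source, $Name, $Detail, $TimestampUtc) {
    $findings.Add([pscustomobject]@{
        Source = $Source; Name = $Name; Detail = $Detail; TimestampUtc = $TimestampUtc
    })
}

function Test-InWindow([datetime]$t, [datetime]$start, [datetime]$end) {
    $u = $t.ToUniversalTime()
    return ($u -ge $start -and $u -le $end)
}

# 1. CPUID installers created inside the download window, in every local user's
#    Downloads folder, with a SHA-256 to compare against a vendor-published clean hash.
$installerPatterns = 'cpu-z*', 'cpuz*', 'hwmonitor*', 'perfmonitor*'   # assumed names
$userDirs = Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue
foreach ($dir in ($userDirs | ForEach-Object { Join-Path $_.FullName 'Downloads' })) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($pattern in $installerPatterns) {
        Get-ChildItem -Path $dir -Filter $pattern -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { Test-InWindow $_.CreationTimeUtc $WindowStartUtc $WindowEndUtc } |
            ForEach-Object {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Add-Finding 'Download' $_.FullName "SHA256=$hash (compare with clean hash)" $_.CreationTimeUtc
            }
    }
}

# 2. Scheduled tasks registered inside the widened window (Microsoft's own task
#    tree is excluded to keep the list reviewable).
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.Date } |
    ForEach-Object {
        $registered = [datetime]::MinValue
        if ([datetime]::TryParse($_.Date, [ref]$registered) -and
            (Test-InWindow $registered $WindowStartUtc $persistenceEndUtc)) {
            $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName)" $actions $registered.ToUniversalTime()
        }
    }

# 3. Registry Run / RunOnce keys. PowerShell exposes no per-value creation time,
#    so every entry is listed for comparison against a known-clean baseline.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        Add-Finding 'RunKey' "$key\$($p.Name)" $p.Value $null
    }
}

# 4. Startup folders (all-users and per-user) for files created in the widened window.
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp") +
    @($userDirs | ForEach-Object {
        Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' })
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { Test-InWindow $_.CreationTimeUtc $WindowStartUtc $persistenceEndUtc } |
        ForEach-Object { Add-Finding 'StartupFolder' $_.FullName '' $_.CreationTimeUtc }
}

# Emit the findings; pipe to Export-Csv to attach them to the incident record.
$findings | Sort-Object Source, TimestampUtc | Format-Table -AutoSize
```

Save it as a `.ps1`, run it on each machine that may have fetched a CPUID tool in the window, and keep the output with the incident record. A `Download` finding whose SHA-256 does not match the clean hash CPUID or a security vendor publishes, or a `ScheduledTask` or `StartupFolder` entry timestamped in the window that no one can account for, is reason to isolate the machine and move to the full forensic scan and credential rotation the post describes. `RunKey` entries carry no timestamp, so compare them against a clean build of the same image rather than reading them in isolation.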
CPUID has since restored clean downloads, but the incident underscores an uncomfortable reality: the tools we use to keep systems healthy can themselves become vectors when their distribution infrastructure is targeted. Operational vigilance — including asking where software comes from and when it was downloaded — is part of a mature security posture at any organization size.