Trusted Tools Turned Threat: CPU-Z Hack Delivers RAT Malware

StratosAlly

The hardware monitoring tools CPU-Z and HWMonitor, used by a large number of people, were recently at the centre of a security incident that shows how dangerous software supply chain attacks are becoming. In April 2026, attackers gained access to CPUID's official website and replaced the genuine download links with malicious ones. For hours, people who believed they were downloading trusted tools were in fact installing software that carried a remote access trojan called STX RAT. The malicious installers were digitally unsigned or used tampered metadata, which is often a red flag in such attacks.

What is most concerning about this attack is how closely it resembled the real thing. The installers looked normal, using the same filenames, icons and packaging formats (such as NSIS-based installers) as the originals. They worked like the original tools, but they also carried a malicious component that ran without the user noticing. The attackers used a technique called DLL side-loading, placing a malicious dynamic-link library alongside the legitimate executable. Because Windows' DLL search order consults the application's own directory before the system directories, the program loaded this file instead of the real system DLL when it started, beginning the infection and executing attacker-controlled code within a trusted process context.
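The search-order behaviour described above can be checked on an install directory before anything is run. The following is an added example written for this article, not code from CPUID or from the article itself: it models the default Windows DLL search order and flags any DLL in the application directory that would be loaded ahead of a same-named DLL in a system directory. It assumes SafeDllSearchMode is on (the Windows default); DLLs on the KnownDLLs list are loaded from the KnownDLLs section regardless of this order, so a hit is a candidate for review rather than proof of compromise. The `default_system_dirs`, `search_order`, `resolve_dll` and `sideload_candidates` names are the example's own.

```python
"""Added example (not code from the article or from CPUID): model the default Windows
DLL search order and flag DLLs in an install directory that shadow a same-named
DLL in a system directory, the side-loading pattern described in the article.

Assumption: SafeDllSearchMode is on (the default), so the order is the application
directory, the system directories, the current directory, then PATH. KnownDLLs are
exempt from this order, so a finding is a review candidate, not proof of compromise.
"""
import os
from pathlib import Path


def default_system_dirs():
    """System32, the 16-bit system directory and the Windows directory, in search order."""
    root = Path(os.environ.get("SystemRoot", r"C:\Windows"))
    return [root / "System32", root / "System", root]


def search_order(app_dir, system_dirs, cwd, path_dirs=()):
    """Directories in the order the loader consults them (SafeDllSearchMode on)."""
    return [Path(app_dir), *map(Path, system_dirs), Path(cwd), *map(Path, path_dirs)]


def resolve_dll(name, order):
    """First existing file called `name` along the search order, or None."""
    for directory in order:
        candidate = Path(directory) / name
        if candidate.is_file():
            return candidate
    return None


def sideload_candidates(app_dir, system_dirs=None, cwd=None, path_dirs=()):
    """Return DLLs in app_dir that win the search over a system DLL of the same name.

    Each finding is {"dll": path in app_dir, "shadows": the system copy it displaces}.
    A DLL that exists only in app_dir is not flagged here: it may be a legitimate
    private dependency, and telling the two apart needs a signature check.
    """
    system_dirs = list(map(Path, system_dirs if system_dirs is not None else default_system_dirs()))
    order = search_order(app_dir, system_dirs, cwd or app_dir, path_dirs)
    findings = []
    for entry in sorted(Path(app_dir).iterdir()):
        if not entry.is_file() or entry.suffix.lower() != ".dll":
            continue
        shadowed = [d / entry.name for d in system_dirs if (d / entry.name).is_file()]
        if shadowed and resolve_dll(entry.name, order) == entry:
            findings.append({"dll": str(entry), "shadows": str(shadowed[0])})
    return findings


if __name__ == "__main__":
    # Demo against a constructed layout in a temporary directory; no real system files are touched.
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        app, sys32 = Path(tmp) / "CPU-Z", Path(tmp) / "System32"
        app.mkdir()
        sys32.mkdir()
        for f in (app / "version.dll", sys32 / "version.dll", app / "private.dll"):
            f.write_bytes(b"MZ")  # placeholder content, not real PE files
        for hit in sideload_candidates(app, [sys32]):
            print(f"{hit['dll']} shadows {hit['shadows']}")
```

On a real Windows host, call `sideload_candidates(r"C:\Program Files\CPUID\CPU-Z")` with the default system directories; the demo above instead builds a throwaway layout so it runs anywhere.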

Once running, the malware took several steps to avoid detection. Rather than writing everything to the computer's disk, it ran in memory using reflective loading techniques and injected itself into legitimate processes. It also used encryption (such as AES or XOR-based obfuscation) to hide its payload and its communications.

This made it hard for antivirus tools to find. Eventually it installed STX RAT, a powerful remote access trojan that gives attackers extensive control over infected computers. It establishes persistence through registry Run keys or scheduled tasks and communicates with command-and-control (C2) servers over HTTP/HTTPS, often using hardcoded or dynamically resolved domains. With this control, attackers could steal passwords, hijack login sessions, capture keystrokes, read clipboard data and even control the computer remotely.
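The C2 traffic described here, and the "unexpected outbound connections" the article later recommends watching for, are visible in endpoint network telemetry. The following is an added example, not part of the original article and not CPUID's or the RAT's code: it runs two checks over outbound connection events, flagging any connection from a local hardware monitor (which has no reason to reach the network) and near-periodic beaconing to a single destination, the polling pattern a RAT typically shows toward its C2 server. The event lines are constructed in a JSON-lines shape resembling an EDR export; the field names, image names and thresholds are the example's own assumptions, and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges, not real infrastructure.

```python
"""Added example (not from the article or CPUID): detection logic over outbound
connection events. Check 1: a local hardware monitor making any outbound
connection. Check 2: regular beaconing, i.e. near-constant gaps between
connections from one process to one destination. The events below are
constructed samples in an EDR-export-like JSON-lines shape; field names, image
names and thresholds are assumptions made for this example.
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Local monitoring utilities that have no reason to make outbound connections (assumption).
NO_NETWORK_EXPECTED = {"cpuz.exe", "hwmonitor.exe"}
MIN_EVENTS = 4          # need a few samples before calling a flow periodic
MAX_JITTER_RATIO = 0.1  # pstdev / mean of the gaps between connections

# Constructed sample telemetry: a monitor tool beaconing roughly every 60 s, plus a
# browser talking to a site at irregular times. 203.0.113.x / 198.51.100.x are
# documentation addresses.
SAMPLE_EVENTS = r"""
{"ts":"2026-04-02T10:00:00","image":"C:\\Users\\dev\\Downloads\\cpuz.exe","dst":"203.0.113.10","dport":443}
{"ts":"2026-04-02T10:00:05","image":"C:\\Program Files\\Browser\\browser.exe","dst":"198.51.100.5","dport":443}
{"ts":"2026-04-02T10:00:07","image":"C:\\Program Files\\Browser\\browser.exe","dst":"198.51.100.5","dport":443}
{"ts":"2026-04-02T10:01:02","image":"C:\\Users\\dev\\Downloads\\cpuz.exe","dst":"203.0.113.10","dport":443}
{"ts":"2026-04-02T10:01:59","image":"C:\\Users\\dev\\Downloads\\cpuz.exe","dst":"203.0.113.10","dport":443}
{"ts":"2026-04-02T10:03:01","image":"C:\\Users\\dev\\Downloads\\cpuz.exe","dst":"203.0.113.10","dport":443}
{"ts":"2026-04-02T10:03:40","image":"C:\\Program Files\\Browser\\browser.exe","dst":"198.51.100.5","dport":443}
{"ts":"2026-04-02T10:09:01","image":"C:\\Program Files\\Browser\\browser.exe","dst":"198.51.100.5","dport":443}
"""


def image_name(path):
    """Basename of a Windows image path, lower-cased; works on non-Windows hosts too."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(lines):
    """Return {"unexpected_process": [events], "beacons": [flow summaries]}."""
    events = [json.loads(line) for line in lines if line.strip()]
    unexpected, flows = [], defaultdict(list)
    for ev in events:
        name = image_name(ev["image"])
        if name in NO_NETWORK_EXPECTED:
            unexpected.append(ev)
        flows[(name, ev["dst"], ev["dport"])].append(datetime.fromisoformat(ev["ts"]))

    beacons = []
    for flow, times in flows.items():
        if len(times) < MIN_EVENTS:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Low spread relative to the mean gap means the process is polling on a timer.
        if mean > 0 and statistics.pstdev(gaps) / mean <= MAX_JITTER_RATIO:
            beacons.append({"flow": flow, "interval_s": round(mean, 1), "count": len(times)})
    return {"unexpected_process": unexpected, "beacons": beacons}


if __name__ == "__main__":
    report = analyze(SAMPLE_EVENTS.splitlines())
    for ev in report["unexpected_process"]:
        print("unexpected outbound:", ev["image"], "->", ev["dst"], ev["dport"])
    for beacon in report["beacons"]:
        print("beacon:", beacon)
```

The jitter threshold is deliberately loose: real implants add random sleep, so a coefficient of variation around 10 percent still catches the sample above (gaps of 62, 57 and 62 seconds) while the browser's irregular gaps are left alone. Tune `MIN_EVENTS` and `MAX_JITTER_RATIO` against your own baseline before alerting on them.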

The problem is made worse by how popular CPU-Z and HWMonitor are. These tools are used by many developers, IT professionals and system administrators, who often hold elevated privileges and have access to internal systems. If one of these people installed the trojanised software, it could give attackers a foothold in a larger network and enable lateral movement using stolen credentials or token impersonation. Even though the attack was short-lived, many people could have been affected, because these tools are used all over the world.

It is important to note that the attackers did not modify CPUID's actual software binaries; instead they changed how the software was delivered, by compromising the website infrastructure or the download redirection mechanism. This made the attack harder to detect and more effective, because traditional integrity checks on the software itself may still pass if users do not verify hashes or digital signatures. It marks a shift in how cyber threats operate: attackers are targeting the distribution pipeline rather than exploiting vulnerabilities in the software code.

This incident shows that software downloaded from an official website should not be trusted blindly. Users are advised to verify file integrity using SHA256 hashes, check digital signatures, monitor for unusual system behavior such as unexpected outbound connections, and change their passwords if they suspect they have installed the malicious software. Security experts also recommend deploying endpoint detection and response (EDR) tools, enabling application whitelisting, and restricting execution of unsigned binaries.
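The two file-level checks recommended above, hash verification and a signature check, can be scripted before an installer is ever run. The following is an added example, not code from the article or from CPUID: it compares the file's SHA-256 against the hash the vendor publishes (which has to come from somewhere other than the download itself, or a swapped download would carry a matching swapped hash) and parses the PE headers to see whether an Authenticode certificate table is present at all, since the malicious installers were unsigned. The header check only detects a missing signature; validating the certificate chain needs the Windows WinVerifyTrust machinery, for example PowerShell's `Get-AuthenticodeSignature`. The `build_sample_pe` helper constructs a minimal, headers-only PE32+ image purely so the parser can be exercised offline; it is not a real binary, and all function names are the example's own.

```python
"""Added example (not from the article or CPUID): two pre-install checks on a
downloaded installer. (1) Its SHA-256 matches the hash published by the vendor,
obtained out of band. (2) Its PE headers carry a non-empty Authenticode
certificate table; an empty IMAGE_DIRECTORY_ENTRY_SECURITY means the file is
unsigned. Check (2) detects only a missing signature; validating the chain needs
WinVerifyTrust (e.g. PowerShell Get-AuthenticodeSignature). The sample PE built
at the bottom is constructed (headers only) and is not a real binary.
"""
import hashlib
import hmac
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the data directory table


def sha256_of_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_matches(path, expected_hex):
    """Constant-time comparison against the vendor-published hash (case-insensitive)."""
    return hmac.compare_digest(sha256_of_file(path), expected_hex.strip().lower())


def has_authenticode_table(data):
    """True if the PE's security data directory has a non-zero offset and size."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                         # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, count_off)[0]   # NumberOfRvaAndSizes
    if n_dirs <= SECURITY_DIR_INDEX:
        return False
    offset, size = struct.unpack_from("<II", data, dirs_off + 8 * SECURITY_DIR_INDEX)
    return offset != 0 and size != 0


def check_installer(path, expected_sha256):
    """Run both checks and report them; refuse to install unless both are True."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "hash_ok": hash_matches(path, expected_sha256),
        "signed": has_authenticode_table(data),
    }


def build_sample_pe(signed):
    """Constructed minimal PE32+ header set for exercising the parser; not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)    # x64, 240-byte optional header
    opt = bytearray(240)                                              # 112 fixed bytes + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)                             # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                              # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, 0x1000, 0x400)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(check_installer(sys.argv[1], sys.argv[2]))   # usage: script.py <installer> <sha256>
    else:
        print("signed sample:", has_authenticode_table(build_sample_pe(True)))
        print("unsigned sample:", has_authenticode_table(build_sample_pe(False)))
```

Run it as `python check.py cpu-z_setup.exe <published-sha256>`; a result with `signed: False` or `hash_ok: False` is the cue to stop and contact the vendor rather than proceed.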

Overall, the CPUID breach shows how attackers are changing their tactics. Instead of forcing their way into computers, they are using trust to their advantage. By turning legitimate tools into delivery mechanisms for malware such as STX RAT, they are able to bypass traditional defenses and put both individuals and organizations at risk. CPU-Z and HWMonitor remain widely used, but this incident highlights the importance of zero trust principles and continuous verification when downloading and executing software.
