
CPUID watering hole attack spreads STX RAT malware


Threat actors compromised the CPUID website and spread STX RAT through fake CPU-Z and HWMonitor downloads.

Attackers breached the CPUID website and, for several hours, replaced the download links for CPU-Z and HWMonitor with links to malicious files. Users who downloaded them were infected with the STX RAT, which gave the attackers remote access to their systems. Even a short attack window on a site this popular was enough to expose many users to compromise.

According to the site's maintainers, the attackers compromised a secondary API for about six hours, causing the site to display the malicious links. The maintainers confirmed that the original signed installers were never altered and that the issue has been fixed. Note that Kaspersky's telemetry, quoted below, puts the window during which malicious links were served at roughly 19 hours.

Kaspersky reported that on April 9, 2026, the CPUID website was compromised, and download links for tools like CPU-Z and HWMonitor were redirected to malicious domains for several hours. Attackers used these sites to distribute infected installers, and Kaspersky published related indicators of compromise.

“We observed that starting from approximately April 9, 15:00 UTC, until about April 10, 10:00 UTC, the legitimate download URLs for installers of that software have been replaced with URLs to the following malicious websites:” states Kaspersky.

  • vatrobran[.]hr
  • cahayailmukreatif.web[.]id
  • pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev
  • transitopalermo[.]com

Kaspersky found that attackers distributed trojanized CPU-Z and HWMonitor installers with a malicious DLL (“CRYPTBASE.dll”) using DLL sideloading. The DLL handled C2 communication, anti-sandbox checks, and payload delivery, reusing infrastructure from a previous fake FileZilla campaign.

“The interesting part here is that the attackers reused both the C2 address and the connection configuration from the March 2026 campaign where the attackers hosted a fake FileZilla (an open-source FTP client) site distributing malicious downloads,” continues the report. “The configuration embedded in the DLL is presented further. The ‘referrer’ field in the configuration equals ‘cpz’ which tends to be a shorthand for ‘CPU-Z’.”

The attack ultimately deployed a sophisticated RAT after multiple staged loaders. Attackers reused the known STX RAT, making detection easier thanks to existing rules. Despite compromising a popular software site, they failed to evade detection. Researchers found over 150 victims, mainly individuals but also organizations across multiple sectors, with most cases in Brazil, Russia, and China.

Kaspersky experts advise checking DNS logs and systems for signs of infection.
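The two indicators the report gives a defender to work with are the four malicious download hosts and a CRYPTBASE.dll dropped beside the trojanized installer for sideloading. The script below is an added example (not Kaspersky's or CPUID's code) that turns both into a simple hunt: it scans DNS query logs for lookups of the listed hosts, including subdomains and trailing-dot or mixed-case variants, and flags any CRYPTBASE.dll that is not in the Windows system directories, where the legitimate copy lives. The DNS log format (`timestamp client qname qtype`) and the file paths are constructed for the example and should be adapted to your resolver's actual log layout.

```python
"""Hunt for the CPUID watering-hole IOCs described in the article.

Added example, not Kaspersky's or CPUID's code. Two checks:
  1. Scan DNS query logs for lookups of the malicious download hosts
     Kaspersky listed (domains re-fanged from the article).
  2. Flag copies of CRYPTBASE.dll outside the Windows system directories,
     which is where a sideloaded copy dropped next to a trojanized
     CPU-Z / HWMonitor installer would sit.
The DNS log format and the file paths below are constructed for the example.
"""
import re
from pathlib import PureWindowsPath

# Malicious download hosts from Kaspersky's report (defanging brackets removed).
IOC_DOMAINS = {
    "vatrobran.hr",
    "cahayailmukreatif.web.id",
    "pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev",
    "transitopalermo.com",
}

# Assumed (constructed) log line shape: "<timestamp> <client_ip> <qname> <qtype>"
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot so 'DL.Vatrobran.HR.' still matches."""
    return qname.lower().rstrip(".")


def matches_ioc(qname: str, iocs=IOC_DOMAINS) -> bool:
    """True if qname is one of the IOC domains or a subdomain of one."""
    q = normalize(qname)
    return any(q == d or q.endswith("." + d) for d in iocs)


def scan_dns_log(lines, iocs=IOC_DOMAINS):
    """Return (timestamp, client, normalized qname) for every query hitting an IOC."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the hunt
        if matches_ioc(m["qname"], iocs):
            hits.append((m["ts"], m["client"], normalize(m["qname"])))
    return hits


# The legitimate CRYPTBASE.dll lives only in these directories.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def suspicious_cryptbase(paths):
    """Return every CRYPTBASE.dll path that is not under System32/SysWOW64.

    A copy sitting beside a downloaded installer is the DLL-sideloading
    pattern the report describes for the trojanized CPU-Z / HWMonitor builds.
    """
    flagged = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() != "cryptbase.dll":
            continue
        if not str(wp.parent).lower().startswith(SYSTEM_DIRS):
            flagged.append(p)
    return flagged


# Constructed sample data for a stand-alone run.
SAMPLE_DNS_LOG = [
    "2026-04-09T15:12:03Z 10.0.0.17 www.cpuid.com A",
    "2026-04-09T15:12:04Z 10.0.0.17 transitopalermo.com. A",
    "2026-04-09T16:40:11Z 10.0.0.23 pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev A",
    "2026-04-09T16:41:00Z 10.0.0.23 cdn.example.org A",
    "garbage line without the expected fields",
    "2026-04-10T09:58:30Z 10.0.0.42 DL.Vatrobran.HR A",
]

SAMPLE_PATHS = [
    r"C:\Windows\System32\cryptbase.dll",
    r"C:\Windows\SysWOW64\cryptbase.dll",
    r"C:\Users\alice\Downloads\cpu-z\CRYPTBASE.dll",   # constructed sideload location
    r"C:\Users\alice\Downloads\cpu-z\cpuz.exe",
]

if __name__ == "__main__":
    for ts, client, q in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS IOC hit: {ts} {client} -> {q}")
    for p in suspicious_cryptbase(SAMPLE_PATHS):
        print(f"Possible sideloaded DLL: {p}")
```

On real data, feed `scan_dns_log` the resolver's export line by line and `suspicious_cryptbase` the output of a file inventory (for example a recursive directory listing of user profile folders); a DNS hit inside the April 9 to April 10 window, or a CRYPTBASE.dll next to a CPU-Z or HWMonitor installer, is a host worth imaging rather than just cleaning.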

“Compared to other recently occurred watering hole and supply chain attacks, such as the Notepad++ supply chain attack, the attack on the cpuid.com website was orchestrated quite poorly.” concludes the report. “The gravest mistake attackers made was to reuse the same infection chain involving STX RAT, and the same domain names for C2 communication, from the previous attack related to fake FileZilla installers.”


Pierluigi Paganini

(SecurityAffairs – hacking, CPUID)