# CPUID HWMonitor Supply Chain Attack (April 2026)
For 6-19 hours on April 9-10, 2026, the official CPUID download links for CPU-Z and HWMonitor were modified via an Apache mod_rewrite path-traversal bug (CVE-2024-38475) to serve a trojanized installer carrying STX RAT — a Chrome password stealer. ~150 victims per Kaspersky telemetry. Same actor as the earlier FileZilla campaign.
The **CPUID supply chain attack** hijacked the download links on cpuid.com for the popular system utilities CPU-Z and HWMonitor for a short window on April 9-10, 2026, serving trojanized installers that deployed the STX RAT Chrome-password-stealing malware. The incident is notable for its short active window (~6-19 hours), rapid community detection, and strong attribution to a longer-running campaign.

## Timeline

- **Active malware-serving window**: April 9, 2026 ~15:00 UTC to April 10 ~10:00 UTC — about 6-19 hours of trojanized downloads.
- Broader investigation timeline: April 3-10 (per Break Glass Intelligence), covering the preparation phase, breach, and cleanup.
- Detection: within hours, triggered by Reddit and X users noticing the **wrong filename** (`HWiNFO_Monitor_Setup.exe` vs the expected `hwmonitor_*.exe`) and **Russian installer dialogs**.

## Target

**CPUID** is a French software company that makes:

- **CPU-Z**: CPU identification, specs, live clock/voltage readout
- **HWMonitor**: temperatures, voltages, fan speeds

*HWiNFO is a separate product* from a different company. The malware was deliberately named `HWiNFO_Monitor_Setup.exe` to exploit the visual similarity and borrow trust from the legitimate HWiNFO brand.

## Initial access

Attackers exploited **CVE-2024-38475** — an Apache HTTP Server `mod_rewrite` path traversal vulnerability that allows mapping URLs to filesystem locations not intended to be served, exposing config files. Using this, attackers:

- Read Apache configuration files from the cpuid.com web server.
- Modified download-link configurations to redirect downloads to an external Cloudflare R2 storage bucket they controlled.
- Served the trojanized installers from that R2 bucket.

The official cpuid.com URL structure and web UI were unchanged — users clicking download got a file from Cloudflare R2 instead of cpuid.com's own CDN.

## Malware: STX RAT

The deployed malware is STX RAT, documented by eSentire researchers and confirmed by Kaspersky.
Architecture:

1. **Inno Setup** installer (Russian-language dialogs) drops a legitimate-looking binary plus a malicious `CRYPTBASE.dll`.
2. **DLL sideloading**: the legitimate binary loads the malicious DLL from the same directory.
3. **NTDLL proxying** through a .NET assembly for in-memory execution.
4. **5-stage in-memory attack chain**: anti-analysis, anti-VM, persistence setup, then payload.
5. **C2 callback** to `95.216.51.236:31415` — port 31415 is the digits of pi, possibly deliberate.
6. **Primary objective**: stealing Chrome saved passwords via the **IElevation COM interface** — a technique that extracts passwords without needing the user's Windows login.

`CRYPTBASE.dll` is compiled with **Zig** (an unusual choice for malware, and a useful signature). The malware uses **MSBuild persistence** (launches from a legitimate `MSBuild.exe` task) and **IPv6-encoded .NET deserialization** for payload delivery.

## Victim count

Kaspersky telemetry: **~150 users worldwide**. Most were individual consumers. Several organisations were affected across retail, manufacturing, consulting, telecom, and agriculture. Geographic concentration: Brazil, Russia, China.

The low victim count relative to CPUID's download volume reflects the short active window — most users weren't downloading new versions during those hours.

## Attribution

Strong evidence points to the **same actor as the earlier FileZilla campaign**:

- Same C2 infrastructure (95.216.51.236:31415)
- Same DLL sideloading + NTDLL proxying pattern
- Same Russian-language Inno Setup dialogs
- Same installer build characteristics

The earliest known related C2 sample (`superbad.exe`) dates from July 2025, making this a 10-month campaign. Staging domain `welcome.supp0v3.com` was registered Oct 29, 2025 through CNOBIN (a Chinese registrar in Hong Kong). Hosting is via offshore Caribbean infrastructure. The related domain `rnetopera.org` appears to impersonate Opera browser distribution (plausible future-campaign infrastructure).
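Two of the host-level artifacts described above, the `CRYPTBASE.dll` sideload and the callback to `95.216.51.236:31415`, translate directly into endpoint detection rules. The Python below is an added example written for this page; it is not part of the original write-up and not one of the Kaspersky, eSentire, Snort or YARA signatures mentioned later. It runs over constructed Sysmon-style key=value event lines (the user name, directory paths and the `hwmon.exe` process name are invented) and flags `CRYPTBASE.dll` loaded from anywhere other than the Windows system directories, plus any connection to the C2 address and port.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the write-up above.
C2_IP = "95.216.51.236"
C2_PORT = 31415
SIDELOADED_DLL = "cryptbase.dll"

# Directories Windows itself loads CRYPTBASE.dll from (assumes a standard
# C:\Windows system root). PureWindowsPath compares case-insensitively.
TRUSTED_DLL_DIRS = {
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
}

# key=value pairs; values containing spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one constructed Sysmon-style key=value line into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def check_image_load(ev):
    """Sysmon Event ID 7 (ImageLoad): CRYPTBASE.dll loaded from a
    non-system directory, i.e. the sideloading pattern described above."""
    loaded = PureWindowsPath(ev.get("ImageLoaded", ""))
    if loaded.name.lower() != SIDELOADED_DLL:
        return None
    if loaded.parent in TRUSTED_DLL_DIRS:
        return None
    return ("dll-sideload", ev.get("Image", "?"), str(loaded))


def check_network(ev):
    """Sysmon Event ID 3 (NetworkConnect): callback to the campaign C2."""
    if ev.get("DestinationIp") == C2_IP and ev.get("DestinationPort") == str(C2_PORT):
        return ("c2-callback", ev.get("Image", "?"), f"{C2_IP}:{C2_PORT}")
    return None


CHECKS = {"7": check_image_load, "3": check_network}


def triage(lines):
    """Return (rule, process image, detail) for every line that matches a check."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        check = CHECKS.get(ev.get("EventID"))
        hit = check(ev) if check else None
        if hit:
            alerts.append(hit)
    return alerts


# Constructed events: user name, paths and the hwmon.exe process are invented.
SAMPLE_EVENTS = [
    # benign: Windows loading its own CRYPTBASE.dll
    r'EventID=7 Image=C:\Windows\explorer.exe ImageLoaded=C:\Windows\System32\CRYPTBASE.dll',
    # suspicious: CRYPTBASE.dll sitting next to the dropped binary
    r'EventID=7 Image=C:\Users\alice\AppData\Local\HWMon\hwmon.exe ImageLoaded=C:\Users\alice\AppData\Local\HWMon\CRYPTBASE.dll',
    # benign: ordinary HTTPS traffic (documentation address range)
    r'EventID=3 Image="C:\Program Files\Mozilla Firefox\firefox.exe" DestinationIp=203.0.113.10 DestinationPort=443',
    # suspicious: callback to the C2 address and port from the write-up
    r'EventID=3 Image=C:\Users\alice\AppData\Local\HWMon\hwmon.exe DestinationIp=95.216.51.236 DestinationPort=31415',
]

if __name__ == "__main__":
    for rule, image, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {image} -> {detail}")
```

The sideload check is deliberately path-based rather than hash-based: the page notes the DLL was built with Zig, so a hash rule would miss the next rebuild, while "a known system DLL name loaded from a user-writable directory" survives recompilation.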
## Threat actor assessment

- **Russian-language** dialogs — could be misdirection; not necessarily Russian operators.
- Likely financially motivated, possibly an initial access broker monetizing the RAT-installed endpoints for resale.
- **Kaspersky assessed OPSEC as LOW**: caught within hours, with multiple identification clues left behind (filename mismatch, Russian dialogs, distinctive C2 pattern).
- Multi-jurisdictional infrastructure (Russian language → Hong Kong registrar → Caribbean hosting → Cloudflare R2 US storage) complicates prosecution.

## Response and detection

- CPUID took the hijacked config down within hours of community reports.
- Kaspersky and eSentire published IOCs within days.
- Break Glass Intelligence published the investigation timeline.
- Snort and YARA signatures became available within a week.

## What to check if you downloaded April 9-10

- Downloaded filename: legitimate is `cpuz_X.XX-en.exe`; malicious is `HWiNFO_Monitor_Setup.exe`.
- Installer language: English on legitimate; Russian dialogs on malicious.
- Scan for STX RAT signatures (AV vendors have had signatures since ~April 11).
- Check Chrome saved passwords for unauthorized changes; rotate any that were saved there.
- Block 95.216.51.236:31415 at the firewall.

## Related patterns

- **Similar to the LiteLLM supply chain attack** but smaller in scale (150 victims vs 97M monthly downloads of the affected LiteLLM package).
- **Broader trend**: AI-assisted vulnerability discovery (see Claude Mythos Reward Hacking Behaviors) is lowering the cost of finding initial access vectors like CVE-2024-38475, strengthening the defensive case for programs like Project Glasswing.
- **Consumer trust assumptions** break down at the distribution layer: HTTPS to a known domain is insufficient when the server's Apache config has been rewritten.
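The Initial access section and the last bullet above make the same point: the cpuid.com page looked normal while its download links resolved to a Cloudflare R2 bucket. A vendor, or a security team that mirrors vendor installers, can monitor for exactly that by resolving each download link and checking where the file really comes from and what it is called. The Python below is an added example for this page, not CPUID's tooling and not from the original write-up. It runs offline: the HTML snapshot and the redirect table (standing in for HTTP 3xx responses) are constructed, and the hostnames `download.cpuid.com` and `pub-0000example.r2.dev` and the version `1.00` are invented. It flags a final host outside the vendor's domain and a filename that does not match the legitimate patterns quoted in the Timeline and "What to check" sections (`cpuz_X.XX-en.exe`, `hwmonitor_*.exe`), so it also automates the first bullet of the check list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# The write-up says installers normally come from cpuid.com's own CDN, so the
# allowlist is cpuid.com and its subdomains. Every other host is "off-vendor".
VENDOR_DOMAINS = ("cpuid.com",)

# Legitimate filename shapes quoted in the write-up.
EXPECTED_NAMES = {
    "cpu-z": re.compile(r"^cpuz_\d+\.\d+-en\.exe$", re.IGNORECASE),
    "hwmonitor": re.compile(r"^hwmonitor_.+\.exe$", re.IGNORECASE),
}


class LinkExtractor(HTMLParser):
    """Collect href values of <a> tags from a page snapshot."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def extract_installer_links(html, base_url):
    """Absolute URLs of every .exe link on the page."""
    parser = LinkExtractor()
    parser.feed(html)
    return [urljoin(base_url, h) for h in parser.hrefs if h.lower().endswith(".exe")]


def follow_redirects(url, redirects, limit=5):
    """Walk a chain of URL -> Location entries. `redirects` is a constructed
    table standing in for HTTP 3xx responses; a live monitor would issue
    HEAD requests and read the Location header instead."""
    chain = [url]
    while url in redirects and len(chain) <= limit:
        url = urljoin(url, redirects[url])
        chain.append(url)
    return chain


def host_is_vendor(url):
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def audit_download_links(html, base_url, redirects, product):
    """For each installer link, resolve where the file really comes from and
    report hosts outside the vendor domain and filenames that do not match
    the legitimate pattern."""
    findings = []
    for link in extract_installer_links(html, base_url):
        final = follow_redirects(link, redirects)[-1]
        filename = urlsplit(final).path.rsplit("/", 1)[-1]
        problems = []
        if not host_is_vendor(final):
            problems.append("off-vendor host " + (urlsplit(final).hostname or "?"))
        if not EXPECTED_NAMES[product].match(filename):
            problems.append("unexpected filename " + filename)
        findings.append({"link": link, "final": final, "problems": problems})
    return findings


# Constructed snapshot of a download page; the version number and the
# download.cpuid.com mirror host are invented.
PAGE_SNAPSHOT = """
<a href="/downloads/hwmonitor_1.00.exe">Download HWMonitor</a>
<a href="https://download.cpuid.com/hwmonitor/hwmonitor_1.00.exe">Mirror</a>
"""

# Constructed redirect table: the first link has been rewritten to point at
# an attacker-controlled storage bucket (bucket hostname invented).
REDIRECTS = {
    "https://www.cpuid.com/downloads/hwmonitor_1.00.exe":
        "https://pub-0000example.r2.dev/HWiNFO_Monitor_Setup.exe",
}

if __name__ == "__main__":
    for f in audit_download_links(PAGE_SNAPSHOT, "https://www.cpuid.com/", REDIRECTS, "hwmonitor"):
        status = "; ".join(f["problems"]) or "ok"
        print(f"{f['link']} -> {f['final']}: {status}")
```

The check is on the resolved destination, not the link as rendered, because that is where the hijack lived: the anchor text and the first-hop URL were the vendor's own. A production version would run on a schedule, record the final host and a hash of the fetched file, and alert on any change to either.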