CPUID Supply Chain Attack: How STX RAT Hijacked CPU-Z and HWMonitor — A Warning for Saudi Financial IT Teams

On April 9–10, 2026, attackers hijacked CPUID's official download servers to distribute STX RAT via trojanized CPU-Z and HWMonitor installers. Here's what Saudi financial institutions need to know.

FyntraLink Team

On April 9, 2026, at 15:00 UTC, an unknown threat actor quietly compromised the backend infrastructure of CPUID — the French software company behind CPU-Z and HWMonitor, two of the most widely installed hardware diagnostic utilities on corporate endpoints worldwide. For roughly 19 hours, every download of CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor from the official CPUID website delivered not the expected tool, but a Remote Access Trojan named STX RAT. By the time CPUID restored clean downloads on April 10 at 10:00 UTC, over 150 confirmed victims had been identified across multiple industries — and the actual count is almost certainly higher.

What Happened: A Surgical Supply Chain Compromise

The attack was not a brute-force website defacement. Investigators at CYDERES and Rescana found that the threat actor compromised a CPUID backend API to silently redirect download links. Victims who visited the official website, clicked a legitimate-looking download button, and verified the URL were still served weaponized installers. The trojanized files were carefully constructed: they contained a genuine, digitally signed CPUID executable alongside a malicious DLL named CRYPTBASE.dll placed in the same directory. When the user launched the installer, Windows loaded CRYPTBASE.dll first — a classic DLL sideloading technique that requires no administrative rights and triggers no obvious UAC prompt.

Once executed, STX RAT established persistence and connected to a command-and-control server. The RAT's capabilities are broad: in-memory execution of EXE, DLL, PowerShell, and shellcode payloads; reverse proxy and tunneling for covert lateral movement; full desktop interaction; and mechanisms for deploying follow-on malware. Threat intelligence teams at Bellatorcyber and Security Affairs noted that the C2 infrastructure and connection configuration overlapped with a prior campaign that weaponized trojanized FileZilla installers — pointing to a Russian-speaking threat actor operating either for direct financial gain or as an initial access broker (IAB) selling footholds to ransomware affiliates.

Why CPU-Z and HWMonitor Are Ubiquitous in Financial IT Environments

CPU-Z and HWMonitor are free, lightweight, and require no installation — qualities that make them a staple on the workstations and servers of IT administrators, help desk engineers, and infrastructure teams in banks, insurance companies, and financial market operators. They are routinely used to audit hardware specifications before system upgrades, validate server configurations during procurement, and troubleshoot performance degradation on trading floor endpoints. Unlike enterprise software governed by formal procurement and change management processes, these tools are often downloaded ad hoc from the developer's website — exactly the trust assumption the attacker exploited.

In the Saudi financial sector, where SAMA's Cyber Security Framework mandates documented software asset management and NCA ECC Article 2-11 requires controls over executable code introduced to the environment, the use of unmanaged freeware on production-adjacent systems represents a measurable compliance gap. The CPUID incident makes that gap tactically real.

Implications for Saudi Financial Institutions Under SAMA and NCA

The CPUID attack is a textbook illustration of a threat vector that both SAMA CSCC Domain 3 (Cybersecurity Operations) and NCA ECC-1: 2-11 (Application Security and Change Management) seek to address. SAMA-regulated entities are expected to maintain an approved software catalogue, enforce application whitelisting on sensitive systems, and vet third-party software through a formal risk assessment before deployment. An IT administrator downloading CPU-Z directly from a vendor website — even a reputable one — bypasses these controls entirely if the procurement and approval workflow is not enforced at the endpoint level.

From a PDPL perspective, if STX RAT established persistence on a machine with access to customer financial data or employee PII, the organization faces a potential personal data breach notification obligation under Article 25 of the Personal Data Protection Law. The 72-hour-equivalent notification expectation to the National Data Management Office (NDMO) applies if exfiltration cannot be ruled out — and given STX RAT's full in-memory execution capabilities, ruling out exfiltration without a proper forensic investigation is not defensible.

Detecting STX RAT: Indicators and Hunting Queries

Security teams should immediately check for the following indicators across EDR telemetry, SIEM logs, and proxy/DNS records from the April 9–10 window:

  1. DLL sideloading from user-writable directories: Hunt for CRYPTBASE.dll loaded from paths outside C:\Windows\System32, particularly from %TEMP%, %APPDATA%, or any directory where CPU-Z/HWMonitor was extracted.
  2. Process lineage: Look for cpuz_x64.exe, HWMonitor_x64.exe, or similar spawning unexpected child processes, PowerShell sessions, or network connections.
  3. C2 overlap with prior FileZilla campaign: Cross-reference outbound connections against threat intelligence feeds for the C2 IP ranges published by CYDERES and Rescana in their April 13 advisories.
  4. Persistence mechanisms: Check scheduled tasks, Run keys, and WMI subscriptions created around the April 9–10 timeframe on machines where CPU-Z or HWMonitor was recently executed.
  5. Hash verification: Compare SHA-256 hashes of any CPU-Z or HWMonitor binaries in your environment against the clean hashes published by CPUID post-incident. A mismatch on binaries dated April 9–10 is definitive.

Immediate Recommendations

  1. Audit and quarantine: Identify all machines where CPU-Z, HWMonitor, HWMonitor Pro, or PerfMonitor was downloaded or executed between April 9, 15:00 UTC and April 10, 10:00 UTC. Quarantine those machines pending forensic review.
  2. Enforce application whitelisting: Deploy allowlisting controls (CrowdStrike Falcon, Carbon Black App Control, or Windows Defender Application Control) to prevent unsigned or non-catalogue executables from running on IT administrator workstations and jump servers.
  3. Centralize freeware procurement: Establish an internal mirror or approved download repository for commonly used diagnostic utilities. All downloads should be hash-verified against the vendor's published values before distribution to endpoints.
  4. Review third-party software risk assessments: Under SAMA CSCC Domain 4 and NCA ECC Article 2-14, third-party software — including freeware — should be subject to a lightweight risk assessment before deployment. Formalize this for tools commonly used by IT operations teams.
  5. Test your incident response playbook for supply chain scenarios: The CPUID incident lasted under 24 hours. If your SOC cannot detect anomalous DLL loads and unexpected C2 beaconing within that window, your detection coverage has a gap worth closing before a more prolonged campaign exploits it.
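Recommendation 3 calls for an internal mirror that only publishes binaries whose SHA-256 matches the vendor's published value. The gate below is an added example written for this article, not CPUID's or any vendor's code: the catalogue is a constructed dictionary standing in for the hashes a vendor publishes, the file contents are constructed stand-ins, and the rule that a file absent from the catalogue is rejected rather than passed through is a design choice of this example.

```python
"""Gate binaries entering an internal freeware mirror on a vendor-published
SHA-256 catalogue. Added illustration; catalogue entries and file contents
are constructed, not real vendor hashes or real installers."""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_against_catalogue(path, catalogue):
    """Return 'verified', 'mismatch' or 'not_in_catalogue'.

    Only 'verified' files may be published to endpoints. A binary the vendor
    never published a hash for is treated as unapproved, not as unknown, so a
    stray DLL dropped next to a signed installer is rejected by default."""
    expected = catalogue.get(os.path.basename(path).lower())
    if expected is None:
        return "not_in_catalogue"
    actual = sha256_file(path)
    # compare_digest is a constant-time comparison; harmless here, good habit.
    return "verified" if hmac.compare_digest(actual, expected.lower()) else "mismatch"


def demo():
    """Stage a clean copy, a tampered copy and a stray DLL, and gate all three."""
    clean = b"MZ constructed stand-in for the vendor-built installer bytes"
    tampered = clean + b" plus injected bytes"
    # As if copied from the vendor's post-incident hash list (constructed here).
    catalogue = {"cpuz_x64.exe": hashlib.sha256(clean).hexdigest()}
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for label, data in (("clean", clean), ("tampered", tampered)):
            folder = os.path.join(root, label)
            os.makedirs(folder)
            target = os.path.join(folder, "cpuz_x64.exe")
            with open(target, "wb") as fh:
                fh.write(data)
            results[label] = verify_against_catalogue(target, catalogue)
        stray = os.path.join(root, "CRYPTBASE.dll")
        with open(stray, "wb") as fh:
            fh.write(b"not on the approved list")
        results["stray_dll"] = verify_against_catalogue(stray, catalogue)
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:10} {status}")
```

Two points matter in practice. First, the catalogue must come from a channel the attacker could not have altered at the same time as the download (here, hashes recorded before the window or confirmed with the vendor afterwards), otherwise a compromised download page could simply publish matching hashes for the trojanized files. Second, a signature check on the installer alone would not have caught this campaign, because the signed executable was genuine; it is the extra, unlisted DLL beside it that the catalogue rejects.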

Conclusion

The CPUID supply chain attack is a reminder that threat actors do not always need to compromise your network perimeter directly. Sometimes they compromise the tools your engineers trust implicitly — tools downloaded from official websites, with legitimate vendor branding, and without any obvious warning signs. For Saudi financial institutions operating under SAMA CSCC and NCA ECC, this incident is both a compliance signal and a practical operations test. The organizations that will weather these attacks are those that have already operationalized software asset management, application whitelisting, and supply chain risk controls — not as checkbox exercises, but as living detection and response capabilities.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and supply chain risk review tailored to the Saudi financial sector.