CPUID Supply Chain Breach: How STX RAT Hijacked CPU-Z & HWMonitor — A Wake-Up Call for Saudi Data Centers

On April 9, 2026, threat actors silently compromised the official CPUID website — home of the widely trusted CPU-Z and HWMonitor tools — and replaced legitimate download links with trojanized packages delivering STX RAT. The window was short (roughly six hours), but the blast radius is still being measured: over 150 confirmed victims across multiple continents, with infrastructure that traces back to a deliberate campaign running since at least November 2025. For Saudi financial institutions and data center teams, this is not a distant story.

What Happened: Six Hours That Compromised a Trusted Download Channel

CPUID is the French software company behind CPU-Z and HWMonitor — two of the most widely installed hardware diagnostics and monitoring utilities in the world. System administrators, IT engineers, and data center operators routinely use these tools on servers, workstations, and trading infrastructure. On April 9, 2026, at approximately 15:00 UTC, attackers gained access to a backend API on cpuid.com and modified download links to point to malicious installers hosted on attacker-controlled Cloudflare R2 storage. The legitimate, digitally signed CPUID binaries were preserved inside the malicious archive to avoid triggering suspicion — but bundled alongside them was a weaponized CRYPTBASE.dll. When the user launched CPU-Z or HWMonitor, Windows' DLL search order loaded the attacker's DLL first, executing the malicious payload silently. CPUID detected and remediated the issue by approximately 10:00 UTC on April 10, but not before thousands of downloads had been served.

Inside STX RAT: Capabilities and Command-and-Control

STX RAT is a capable, multi-stage remote access trojan that establishes an encrypted channel to attacker infrastructure hosted on Cloudflare R2 — a deliberate choice to blend C2 traffic into legitimate cloud traffic patterns and evade network-layer inspection. Upon execution, STX RAT delivers an encrypted shellcode first stage that phones home to retrieve a second-stage payload disguised as a JPG image. From there, the implant provides full remote shell access, file exfiltration, keylogging, screenshot capture, and credential harvesting from browsers and Windows Credential Manager. Threat intelligence linkage places this campaign's infrastructure — including registered C2 subdomains — as far back as November 2025, confirming this was a planned, targeted operation rather than an opportunistic defacement. The same adversary infrastructure overlaps with a fake FileZilla distribution campaign identified in March 2026, suggesting an active and methodical threat actor with a pattern of hijacking trusted software channels.

The DLL Hijacking Technique: Why Endpoint Security Often Misses It

The attack leveraged a well-documented but persistently effective technique: DLL search order hijacking via CRYPTBASE.dll. When a Windows executable launches, the operating system searches for DLLs in a predictable order — starting with the application's own directory before moving to system paths. By placing a malicious DLL with the same name as a legitimate system library in the same folder as the CPUID executable, the attacker guaranteed execution every time the tool was launched. Because the malicious DLL is loaded by a signed, trusted binary, many endpoint detection and response (EDR) solutions that rely on parent-process reputation or binary signing as a primary signal fail to flag the activity. This is precisely why supply chain attacks of this type are classified as high-severity: the initial execution vector is clean by every superficial measure.

Why Saudi Financial Institutions Are Exposed

CPU-Z and HWMonitor are not niche utilities — they are installed on servers, virtual machine hosts, and network appliances in data centers across Saudi Arabia's banking sector. Engineers use HWMonitor to track thermal performance of core banking servers, UPS health, and storage array temperatures. The SAMA Cyber Security Framework (CSCC) Domain 3 (Technology Security) and NCA ECC-2: 3-3 (Asset and Configuration Management) both require organizations to maintain verified software inventories and validate the integrity of software obtained from external sources. A trojanized monitoring tool downloaded directly from what appeared to be the legitimate vendor site represents a direct failure point in that control chain. Furthermore, PDPL Article 21 requires organizations to implement appropriate technical safeguards against unauthorized data access — an implanted RAT silently exfiltrating credentials or screenshots of financial dashboards is a clear exposure under this standard. SAMA's threat intelligence sharing requirements under CSCC Domain 4 (Operational Resilience) also mean that any confirmed compromise in a SAMA-regulated entity must be assessed for reporting obligations.

Recommended Actions for Saudi IT and Security Teams

1. Audit downloads from April 9–10, 2026. Check software asset management logs, endpoint deployment records, and user-initiated downloads for any CPUID tools (CPU-Z, HWMonitor, HWMonitor Pro, PerfMonitor) installed between 15:00 UTC April 9 and 10:00 UTC April 10. Flag any endpoint where these tools were installed or updated during that window.
2. Hunt for CRYPTBASE.dll in non-system directories. Run an EDR or endpoint query for CRYPTBASE.dll files located anywhere outside C:\Windows\System32. Any instance in an application or user-writable directory should be treated as a confirmed indicator of compromise (IoC) pending further investigation.
3. Check for STX RAT C2 traffic. Review proxy, firewall, and DNS logs for connections to Cloudflare R2 buckets and any domains associated with this campaign. Threat intelligence feeds from CISA, SANS ISC, and regional CERT-SA should be cross-referenced for the latest IoC list.
4. Re-image affected endpoints. If CPUID tools matching the compromise window are found, assume full system compromise. Re-image from a known-clean baseline, rotate all credentials accessible from that endpoint (Windows accounts, VPN certificates, browser-stored passwords), and review any privileged sessions that originated from the affected machine.
5. Enforce software allowlisting and hash validation. Implement application allowlisting controls that verify installer hashes against vendor-published values before execution. For software without published hashes, validate file integrity via a secondary out-of-band channel (e.g., vendor email, PGP-signed release notes) before deployment in production environments.
6. Review vendor software sourcing policies under CSCC D3. Use this incident as a trigger to formally review your organization's third-party software procurement procedure. Define approved download sources, require hash verification at point of download, and log all software installations in your CMDB with provenance metadata.

Conclusion

The CPUID compromise is a textbook example of why supply chain integrity controls cannot be treated as optional. The attacker did not need a zero-day, did not need to breach a network perimeter, and did not need to bypass multi-factor authentication. They simply replaced a trusted download on a trusted website for six hours — and that was enough. For Saudi financial institutions operating under SAMA CSCC, NCA ECC, and PDPL, this incident is a concrete reminder that every software installation is a trust decision, and trust without verification is a vulnerability.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a supply chain security review aligned to CSCC Domain 3 controls.