CPUID Software Downloads Compromised, Delivered STX RAT Malware
Threat actors compromised CPUID's download infrastructure for six hours, redirecting users to malicious sites serving the STX RAT. Official signed files were not affected.

Executive Summary
A threat actor compromised the download infrastructure of CPUID, a provider of system information tools like CPU-Z, for approximately six hours between April 9 and April 10, 2026. During this window, visitors to the legitimate CPUID website were randomly served malicious links that delivered the STX RAT (Remote Access Trojan) instead of the expected software. The company stated its primary, signed software files were not tampered with, indicating a targeted compromise of a secondary feature or API used to serve download links.
Technical Analysis
According to CPUID's statement, the compromise affected a "secondary feature (basically a side API)" integral to the download process. This suggests the threat actor did not achieve a full website takeover or breach the core file repository. Instead, they manipulated the mechanism that generates download links for users. For a limited period, this API returned malicious URLs, redirecting victims to attacker-controlled infrastructure. The exact initial access vector used to compromise this API remains unclear, as investigations are ongoing. The final payload delivered was identified as the STX RAT, a .NET-based remote access trojan capable of keylogging, screen capture, file exfiltration, and executing arbitrary commands on the infected host.
Tactics, Techniques & Procedures
The incident is a software supply-chain compromise: the attackers targeted a trusted vendor's distribution channel to reach its user base (Compromise Software Supply Chain, T1195.002), here by hijacking the API that hands out download links rather than the signed files themselves. Because the malicious link appeared on the legitimate page, users were steered to the payload in the course of a normal download; they still had to run the file they received (User Execution: Malicious File, T1204.002), so this is not a classic drive-by (T1189) in which the browser is exploited with no further interaction. The capabilities attributed to STX RAT, keylogging (Input Capture: Keylogging, T1056.001), screen capture (T1113), file exfiltration and arbitrary command execution, indicate the goal was sustained remote access and collection (TA0009) over an attacker-controlled command-and-control channel (TA0011), not lateral movement through Remote Services (T1021).
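Because the compromise swapped the link rather than the file, the most useful hunting signal on the network side is an installer download that a cpuid.com page linked to but that was served from a host outside the vendor's own domains. The PowerShell below is an added example, not CPUID's code or anything from the original article: the CSV log layout, the sample records and the allow-list of legitimate hosts are constructed for illustration, and the incident window is taken as UTC.

```powershell
# Added example, not CPUID's own code or the article's: hunt proxy logs for installer
# downloads that a cpuid.com page linked to but that were served from a host outside
# the vendor's own domains. Log layout, sample records and the allow-list are constructed.

# Assumed legitimate download hosts; confirm with the vendor before relying on this list.
$AllowedCpuidHosts = @('www.cpuid.com', 'download.cpuid.com', 'cpuid.com')

# Incident window from the article, treated here as UTC (adjust to your log timezone).
$WindowStart = [datetimeoffset]::Parse('2026-04-09T00:00:00Z')
$WindowEnd   = [datetimeoffset]::Parse('2026-04-11T00:00:00Z')

function Find-SuspiciousCpuidDownloads {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [string[]] $AllowedHosts = $AllowedCpuidHosts,
        [switch] $IgnoreWindow   # set this to hunt outside the published window as well
    )
    # Constructed CSV layout: timestamp,client_ip,method,url,referer,status,content_type
    $records = $LogLines | ConvertFrom-Csv -Header 'timestamp','client_ip','method','url','referer','status','content_type'
    foreach ($r in $records) {
        $ts = [datetimeoffset]::Parse($r.timestamp)
        if (-not $IgnoreWindow -and ($ts -lt $WindowStart -or $ts -ge $WindowEnd)) { continue }
        if ([string]::IsNullOrEmpty($r.referer) -or $r.referer -eq '-') { continue }

        $refHost = ([uri]$r.referer).Host.ToLowerInvariant()
        $dlUri   = [uri]$r.url
        $dlHost  = $dlUri.Host.ToLowerInvariant()

        # Only downloads that a page on the vendor's site handed out...
        if ($refHost -notmatch '(^|\.)cpuid\.com$') { continue }
        # ...that were fetched from somewhere other than the vendor's own hosts...
        if ($AllowedHosts -contains $dlHost) { continue }
        # ...and that look like an installer or archive (assumed file types).
        if ($dlUri.AbsolutePath -notmatch '\.(exe|msi|zip)$') { continue }

        [pscustomobject]@{
            Timestamp  = $ts.ToString('u')
            ClientIp   = $r.client_ip
            ServedFrom = $dlHost
            Url        = $r.url
            Referer    = $r.referer
        }
    }
}

# Constructed sample records; example.net is a reserved name standing in for attacker infrastructure.
$SampleLog = @(
    '2026-04-09T14:02:11Z,10.0.0.15,GET,https://download.cpuid.com/cpu-z/cpu-z_setup.exe,https://www.cpuid.com/softwares/cpu-z.html,200,application/octet-stream',
    '2026-04-09T21:47:03Z,10.0.0.22,GET,https://cdn-files.example.net/cpu-z_setup.exe,https://www.cpuid.com/softwares/cpu-z.html,200,application/octet-stream',
    '2026-04-10T02:15:40Z,10.0.0.22,GET,https://cdn-files.example.net/cpu-z_setup.exe,-,200,application/octet-stream',
    '2026-04-12T09:10:00Z,10.0.0.31,GET,https://download.cpuid.com/hwmonitor/hwmonitor_setup.exe,https://www.cpuid.com/softwares/hwmonitor.html,200,application/octet-stream'
)

Find-SuspiciousCpuidDownloads -LogLines $SampleLog | Format-Table -AutoSize
```

The referer check is what ties the download to the hijacked page; a direct fetch with no referer (the third sample record) falls outside this logic and needs a separate domain- or hash-based hunt once indicators are published. Feed the function your real proxy export with the header list adjusted to its column order.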
Threat Actor Context
No threat actor has been attributed to this attack at this time. The compromise was narrow in scope, a single link-serving API rather than the website or the file repository, and lasted about six hours; whether that brevity reflects deliberate restraint by the attacker or simply how quickly CPUID detected and reverted the change cannot be determined from public information. The choice of a general-purpose RAT does not point to a particular espionage or ransomware group, and the tactic is consistent with both cybercriminal and state-aligned actors seeking initial footholds in victim networks.
Mitigations & Recommendations
Users who downloaded CPUID software during the affected period should treat the system as potentially compromised: scan it with updated antivirus software, check the digital signature of the downloaded installer and of any installed CPUID executable, and remove anything that is unsigned or carries an invalid signature, since the vendor's legitimate files are signed. A valid signature from an unexpected publisher is just as much a red flag as no signature at all. A clean check on the file does not undo a payload that has already run, so organizations should treat any system with software downloaded during the incident window as suspect and monitor it for anomalous outbound connections or processes. CPUID has stated the issue is resolved; users should re-download software only from the official CPUID website and verify its signature before running it.
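The signature check and the "where did this file come from" question can be answered together on a Windows endpoint. The PowerShell below is an added example, not CPUID's tooling or anything from the original article: it lists installers created during the incident window, runs Get-AuthenticodeSignature on each, and reads the HostUrl recorded in the file's Zone.Identifier stream (the Mark-of-the-Web that browsers write on NTFS). The folder searched, the window boundaries (taken as UTC) and the signer-name pattern are assumptions to confirm against a known-good CPUID file.

```powershell
# Added example, not CPUID's own tooling or the article's: triage installers that
# arrived during the incident window and check each one's Authenticode signature and
# where it was downloaded from. Folder list, window boundaries (taken as UTC) and the
# expected signer pattern are assumptions to confirm against the vendor's real files.

$WindowStart = [datetime]::new(2026, 4, 9, 0, 0, 0, [System.DateTimeKind]::Utc)
$WindowEnd   = [datetime]::new(2026, 4, 11, 0, 0, 0, [System.DateTimeKind]::Utc)
$ExpectedSignerPattern = 'CPUID'   # Assumed substring of the legitimate signer's Subject

function Test-DownloadedInstaller {
    param([Parameter(Mandatory)] [System.IO.FileInfo] $File)

    $sig     = Get-AuthenticodeSignature -FilePath $File.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    # Mark-of-the-Web: browsers record the URL the file was fetched from in the
    # Zone.Identifier alternate data stream (HostUrl=). It shows whether the bytes
    # came from the vendor's host or from somewhere the hijacked link pointed to.
    $hostUrl  = '(none)'
    $zone     = Get-Content -Path $File.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $hostLine = $zone | Where-Object { $_ -like 'HostUrl=*' } | Select-Object -First 1
    if ($hostLine) { $hostUrl = $hostLine.Substring('HostUrl='.Length) }

    $verdict = switch ($sig.Status.ToString()) {
        'Valid'     { if ($subject -match $ExpectedSignerPattern) { 'OK' } else { 'SIGNED-BY-OTHER' } }
        'NotSigned' { 'UNSIGNED' }
        default     { "INVALID ($($sig.Status))" }
    }

    [pscustomobject]@{
        Path    = $File.FullName
        Created = $File.CreationTimeUtc.ToString('u')
        Signer  = $subject
        HostUrl = $hostUrl
        Verdict = $verdict
    }
}

function Invoke-CpuidDownloadTriage {
    param([string[]] $Folders = @("$env:USERPROFILE\Downloads"))   # assumed download location
    Get-ChildItem -Path $Folders -Include *.exe, *.msi -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTimeUtc -ge $WindowStart -and $_.CreationTimeUtc -lt $WindowEnd } |
        ForEach-Object { Test-DownloadedInstaller -File $_ }
}

Invoke-CpuidDownloadTriage | Format-Table -AutoSize
```

Anything reported as UNSIGNED, INVALID or SIGNED-BY-OTHER should be removed and the host handled as suspect; a HostUrl on a domain other than the vendor's is a second, independent indicator even when the file happens to verify. Archives (.zip) carry no Authenticode signature of their own, so extract them and run the check on the executables inside. Files moved or re-saved after download may have lost their Zone.Identifier stream or acquired a later creation time, which is why the signature result, not the timestamp, is the deciding check.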

