
🎯Basically, a website users trusted was hacked to spread malware, but a security tool stopped it.
What Happened
On April 9, 2026, the official download site for CPU-Z, cpuid.com, was compromised. Threat actors redirected legitimate download requests to their own malicious infrastructure, serving malware disguised as the genuine software. This attack lasted approximately 19 hours, affecting users who trusted the site.
Who's Affected
The attack primarily targeted users of CPU-Z, a tool popular among IT professionals, including system administrators and developers. With tens of millions of users globally, the potential victim count could be significantly higher than the 150+ confirmed victims reported.
What Data Was Exposed
The malware delivered through this attack was the STX RAT, which provided attackers with remote access to infected machines. This allowed them to steal credentials, access cryptocurrency wallets, and execute commands invisibly. The impact was particularly severe for users with administrative privileges, as their compromised accounts could lead to significant breaches within organizations.
What You Should Do
Organizations should take immediate action:
Do Now
1. Check for CRYPTBASE.dll in unexpected directories.
2. Monitor for the process chain involving cpuz_x64.exe and PowerShell.
Do Next
3. Block known malicious domains and IPs at DNS and firewall levels.
4. Ensure thorough remediation of all persistence mechanisms if an infection is detected.
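As an added example, not code from the original write-up: the two "Do Now" checks expressed as hunt logic over constructed Sysmon-style events, assuming that legitimate copies of CRYPTBASE.dll live only in System32 and SysWOW64, that the chain of interest is cpuz_x64.exe as the direct parent of PowerShell, and that the sample paths below are invented.

```python
"""Hunt Sysmon-style telemetry for the two indicators called out above:
(1) CRYPTBASE.dll loaded from outside the Windows system directories
    (a classic DLL side-loading location check), and
(2) cpuz_x64.exe spawning PowerShell."""
from ntpath import basename, dirname, normcase

# Assumption: legitimate CRYPTBASE.dll exists only in these directories.
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed sample events, not real telemetry.
# Sysmon event ID 7 = image load, event ID 1 = process create.
SAMPLE_EVENTS = [
    {"id": 7, "image": r"C:\Tools\cpuz_x64.exe",
     "loaded": r"C:\Windows\System32\cryptbase.dll"},            # benign
    {"id": 7, "image": r"C:\Users\alice\Downloads\cpuz_x64.exe",
     "loaded": r"C:\Users\alice\Downloads\CRYPTBASE.dll"},       # side-load
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\alice\Downloads\cpuz_x64.exe"},        # suspicious chain
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},                      # benign
]


def sideloaded_cryptbase(ev):
    """True when CRYPTBASE.dll is loaded from a non-system directory."""
    if ev["id"] != 7:
        return False
    path = normcase(ev["loaded"])  # lower-case, backslash-normalised
    return basename(path) == "cryptbase.dll" and dirname(path) not in EXPECTED_DIRS


def cpuz_spawns_powershell(ev):
    """True when a PowerShell host is created with cpuz_x64.exe as parent."""
    if ev["id"] != 1:
        return False
    parent = basename(normcase(ev["parent"]))
    child = basename(normcase(ev["image"]))
    return parent == "cpuz_x64.exe" and child in POWERSHELL


def hunt(events):
    """Return (rule, evidence) tuples for every event that matches a check."""
    findings = []
    for ev in events:
        if sideloaded_cryptbase(ev):
            findings.append(("cryptbase_unexpected_dir", ev["loaded"]))
        if cpuz_spawns_powershell(ev):
            findings.append(("cpuz_to_powershell", ev["image"]))
    return findings


if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_EVENTS):
        print(rule, evidence)
```

Feed real Sysmon or EDR exports in the same shape to `hunt`; a CRYPTBASE.dll hit outside the system directories warrants isolating the host before the persistence clean-up in step 4.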
The Threat
This incident highlights a broader trend in software supply chain attacks, where trusted developers become vectors for attacks. The behavioral detection employed by SentinelOne was crucial in identifying the malicious activity, even when the software appeared legitimate.
Who's Behind It
While the specific threat actor remains unidentified, the attack shares similarities with previous campaigns, such as the GhostAction campaign, which exploited compromised developer accounts.
Tactics & Techniques
The attackers used sophisticated techniques, including:
- Reflective code loading to execute malicious code without leaving traces on disk.
- Process injection to hide their activities within legitimate processes.
- DNS-over-HTTPS to evade detection by traditional monitoring systems.
Defensive Measures
To protect against such threats, organizations should implement:
Do Now
1. Autonomous behavioral monitoring to detect anomalies in software behavior.
2. Regular updates and security patches for all software tools.
This incident serves as a stark reminder of the vulnerabilities in the software supply chain and the necessity of robust security measures to defend against evolving threats.
🔒 Pro insight: The reuse of C2 infrastructure by attackers underscores the need for continuous monitoring and adaptive defenses in supply chain security.