SecurityWeek

CPUID Hacked to Serve Trojanized CPU-Z and HWMonitor Downloads


The CPUID website, popular in the PC hardware community, was recently hacked and altered to deliver malicious versions of CPU-Z, HWMonitor, and PerfMonitor.

CPU-Z, HWMonitor, and PerfMonitor provide essential PC hardware insights: CPU-Z delivers detailed system information on the processor, motherboard, memory, and graphics; HWMonitor monitors real-time sensor data such as voltages, temperatures, and fan speeds; and PerfMonitor tracks processor performance. The applications, used by individuals and enterprises, have millions of downloads.

According to the maintainer of CPUID, a secondary feature (side API) was compromised, causing the website to randomly display links to third-party domains hosting trojanized versions of CPU-Z, HWMonitor, and PerfMonitor. The original files were not affected. 

Kaspersky has also analyzed this supply chain and watering hole attack, noting that during the compromise window the CPUID website served malicious installers for CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor. 

The security firm has identified over 150 victims, mostly individuals but also organizations in sectors such as manufacturing, retail, telecoms, consulting, and agriculture. Kaspersky saw most infections in Brazil, China, and Russia, but it’s worth noting that the company has limited visibility in North America and Europe. 

The attackers served both ZIP archives and standalone installers that delivered the legitimate software along with a malicious file (cryptbase.dll) loaded via DLL sideloading. 
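The sideloading pattern above (a legitimate installer shipped with a planted cryptbase.dll beside it) can be triaged before anything is run. The script below is an added example, not code from the article, CPUID or Kaspersky: it walks an extracted download, flags any DLL with a Windows system-DLL name that sits next to an executable, and hashes it for IoC lookup. cryptbase.dll is the name from the article; the other DLL names and the sample file contents are constructed assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# DLLs Windows normally resolves from System32; a copy placed next to an .exe
# wins the loader's search order, which is the sideloading trick the article
# describes. cryptbase.dll is from the article; the other names are assumptions.
SIDELOAD_NAMES = {"cryptbase.dll", "version.dll", "dbghelp.dll", "userenv.dll"}


def sha256_of(path: Path) -> str:
    """Hash the suspect DLL so it can be checked against IoC feeds."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_candidates(root: str) -> list[dict]:
    """Report system-named DLLs that share a directory with an executable."""
    findings = []
    for dirpath, _, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        if not exes:
            continue  # a lone DLL with nothing to sideload into is out of scope
        for name in sorted(SIDELOAD_NAMES.intersection(by_lower)):
            dll = Path(dirpath) / by_lower[name]
            findings.append({"dll": str(dll), "sha256": sha256_of(dll),
                             "adjacent_exes": exes})
    return findings


def build_constructed_sample(base: str) -> str:
    """Constructed sample tree (fake bytes): one trojanized and one clean layout."""
    bad = Path(base) / "cpu-z_trojanized"
    bad.mkdir(parents=True)
    (bad / "cpuz_x64.exe").write_bytes(b"MZ fake installer")
    (bad / "cryptbase.dll").write_bytes(b"MZ fake sideloaded dll")
    clean = Path(base) / "cpu-z_clean"
    clean.mkdir()
    (clean / "cpuz_x64.exe").write_bytes(b"MZ fake installer")
    return base


def demo() -> list[dict]:
    """Run the check over the constructed sample; only the trojanized copy is reported."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_sideload_candidates(build_constructed_sample(tmp))
```

Point the check at a real extracted download by calling find_sideload_candidates on its folder; a hit on cryptbase.dll next to a CPUID installer is a reason to quarantine the files and compare the hash with published indicators rather than launch the installer.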


The ultimate goal is to distribute a recently discovered Windows malware tracked as STX RAT, which enables attackers to take control of the compromised machine and steal information such as browser credentials, cryptocurrency wallets, and FTP client passwords.

CPUID’s maintainer said the incident occurred on April 10, and the website was compromised for roughly six hours, between 00:00 and 06:00 GMT. 

However, Kaspersky saw a longer window of compromise, between April 9, 15:00, and April 10, 10:00 GMT. 

Researchers at Breakglass Intelligence have linked this incident to a recent attack involving trojanized versions of the FileZilla software and reported that the CPUID attack was part of a 10-month campaign.

Breakglass, which believes a Russian-speaking threat actor is behind the operation, has found evidence suggesting that the CPUID attack actually began on April 3. 
