CPU-Z & HWMonitor, cpuid.com, Watering Hole Attack
Essential information
- Published
- 13/04/2026 08:47
- Modified
- 13/04/2026 09:16
- Tags
- 2026-04-13 cpu-z cpuid.com cryptbase.dll dll sideloading hwmonitor stx rat supply chain compromise watering hole attack
- Related entities
- 16 observables, 20 techniques (mitre), 2 malware, 11 others
Description
On April 9, 2026, the cpuid.com website was compromised in a watering hole attack lasting approximately 19 hours. Download URLs for legitimate system administration tools CPU-Z, HWMonitor, HWMonitor Pro, and Perfmonitor 2 were replaced with links to malicious sites distributing trojanized versions. The malicious installers contained legitimate signed executables paired with DLL files named CRYPTBASE.dll that exploited DLL sideloading for C2 communication and payload delivery. Attackers reused infrastructure and code from a March 2026 fake FileZilla campaign, including the STX RAT as the final payload. Over 150 victims were identified globally, primarily individuals but including organizations in retail, manufacturing, consulting, telecommunications and agriculture sectors. The attack demonstrated poor operational security with reused indicators enabling rapid detection.