In the world of system administration, few tools are as ubiquitous as CPU-Z and HWMonitor. These utilities are the “old reliables” for monitoring hardware health. However, on April 9, 2026, that trust was weaponized.
Kaspersky Labs has revealed a sophisticated watering hole attack targeting cpuid[.]com, the official home for these popular tools. For a brief but dangerous window, the “well” was poisoned, and anyone looking for a quick system check-up might have walked away with a lot more than they bargained for.
The compromise was short-lived but impactful. According to the analysis, starting at “approximately April 9, 15:00 UTC, until about April 10, 10:00 UTC, the legitimate download URLs for installers… have been replaced with URLs” to malicious domains.
The attackers specifically targeted the following software versions:
- CPU-Z (version 2.19)
- HWMonitor Pro (version 1.57)
- HWMonitor (version 1.63)
- PerfMonitor (version 2.04)
Users who visited the site during this time weren’t downloading from CPUID’s servers, but were instead redirected to a series of rogue sites, including cahayailmukreatif.web[.]id and transitopalermo[.]com.
The attack didn’t rely on an exploit to gain execution; it used the classic DLL sideloading technique. The malicious packages, distributed as both ZIP archives and standalone installers, looked legitimate because they were mostly legitimate.
As Kaspersky explains, “These files contain a legitimate signed executable for the corresponding product and a malicious DLL which is named ‘CRYPTBASE.dll’”. When the user runs the signed CPU-Z executable, Windows resolves that DLL by name and searches the application’s own directory before System32, so the planted CRYPTBASE.dll is loaded in place of the genuine system copy. The executable’s Authenticode signature covers only the executable, not the DLLs it loads, so the attacker gets immediate code execution inside a trusted, signed process.
The loader initially performs anti-sandbox checks to ensure it isn’t being watched by researchers. If the coast is clear, it deploys a sophisticated Remote Access Trojan (RAT). However, this RAT wasn’t a new creation. Kaspersky noted that “the adversary decided to reuse the so-called ‘STX RAT’ reported by Esentire, thus making one more mistake”.
Because they used a known tool, the final stage of the attack was “fully detected by the YARA rules provided in the eSentire article”. It is a stark reminder that even high-effort compromises can be undermined by recycled malware.
Telemetry data suggests that the majority of the 150+ identified victims were individuals. However, the net was wide enough to catch several larger fish: organizations across the retail, manufacturing, consulting, telecommunications, and agriculture sectors were also hit. Geographically, the infections were concentrated in Brazil, Russia, and China.
If your team downloaded any tools from the CPUID website on April 9 or 10, you should act immediately. Kaspersky recommends the following steps:
- Examine DNS Logs: Look for connections to the malicious domains used in the redirect.
- Audit Filesystems: Search for “CRYPTBASE.dll” in folders containing CPU-Z, HWMonitor or PerfMonitor. The only legitimate copies of this DLL live in the Windows system directories; one sitting next to a CPUID executable is the sideloaded payload.
- Check for STX RAT: Use the publicly available eSentire YARA rules to scan for the final stage implant.
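The DNS and filesystem checks above, combined into one hunt script, as an added example: this is not Kaspersky’s or CPUID’s tooling, and nothing in it comes from the report beyond the two redirect domains named in the article. The CPUID executable names, the sample directory tree and the DNS log lines are assumed or constructed for the demonstration. The script walks a root directory (a live drive or a mounted image) and flags any cryptbase.dll outside the Windows system directories, rating the finding higher when a CPUID binary sits beside it, and scans DNS log lines for queries to the redirect domains or any of their subdomains.

```python
"""Hunt for the cpuid.com watering-hole indicators described in the article.

Added example: this is not Kaspersky's or CPUID's tooling. The domain names
come from the article; the CPUID executable names, the sample directory
layout and the DNS log lines are assumed/constructed for the demonstration.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Iterable

# Redirect domains named in the article (no other indicators are added here).
MALICIOUS_DOMAINS = {"cahayailmukreatif.web.id", "transitopalermo.com"}

# Signed CPUID binaries a planted CRYPTBASE.dll would sit beside.
# Assumed file names, not taken from the Kaspersky report.
CPUID_EXECUTABLES = {"cpuz.exe", "cpuz_x64.exe", "hwmonitor.exe",
                     "hwmonitorpro.exe", "perfmonitor.exe"}

# Where cryptbase.dll legitimately lives. Matched as path fragments so the
# audit also works on a mounted disk image or an exported file tree.
SYSTEM_DIR_FRAGMENTS = ("windows/system32", "windows/syswow64", "windows/winsxs")

# Any token that looks like a host name; IPs and timestamps do not match
# because the last label must be alphabetic.
HOSTNAME_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def is_system_dir(directory: Path) -> bool:
    """True for the Windows directories where cryptbase.dll is expected."""
    norm = directory.as_posix().lower()
    return any(fragment in norm for fragment in SYSTEM_DIR_FRAGMENTS)


def audit_filesystem(root: Path) -> list[dict]:
    """Find cryptbase.dll copies outside the system directories.

    Windows resolves a DLL loaded by name from the application directory
    before System32, so a CRYPTBASE.dll next to cpuz.exe is loaded instead of
    the genuine one. A stray copy is rated 'high' when a CPUID executable sits
    beside it and 'medium' otherwise (it still has no legitimate reason to exist).
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        by_lower = {name.lower(): name for name in filenames}
        if "cryptbase.dll" not in by_lower or is_system_dir(Path(dirpath)):
            continue
        siblings = sorted(by_lower[n] for n in CPUID_EXECUTABLES & set(by_lower))
        findings.append({
            "path": Path(dirpath) / by_lower["cryptbase.dll"],
            "cpuid_exe_present": siblings,
            "severity": "high" if siblings else "medium",
        })
    return findings


def scan_dns_log(lines: Iterable[str]) -> list[tuple[int, str, str]]:
    """Return (line number, matched IOC domain, raw line) for every query that
    equals an IOC domain or is a subdomain of one."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for token in HOSTNAME_RE.findall(line):
            host = token.lower().rstrip(".")
            for bad in MALICIOUS_DOMAINS:
                if host == bad or host.endswith("." + bad):
                    hits.append((lineno, bad, line.strip()))
    return hits


SAMPLE_DNS_LOG = [  # constructed lines, not real telemetry
    "2026-04-09T15:12:03Z client=10.0.0.14 query=www.cpuid.com type=A",
    "2026-04-09T15:12:04Z client=10.0.0.14 query=cahayailmukreatif.web.id type=A",
    "2026-04-09T15:12:09Z client=10.0.0.14 query=cdn.transitopalermo.com type=A",
    "2026-04-10T08:00:00Z client=10.0.0.22 query=update.microsoft.com type=A",
]


def build_sample_tree(root: Path) -> None:
    """Constructed layout: the genuine DLL in System32, a planted one beside cpuz.exe."""
    system32 = root / "Windows" / "System32"
    system32.mkdir(parents=True)
    (system32 / "cryptbase.dll").write_bytes(b"MZ genuine")
    dropped = root / "Users" / "admin" / "Downloads" / "cpu-z_2.19"
    dropped.mkdir(parents=True)
    (dropped / "cpuz.exe").write_bytes(b"MZ signed vendor binary")
    (dropped / "CRYPTBASE.dll").write_bytes(b"MZ planted loader")


def demo() -> tuple[list[dict], list[tuple[int, str, str]]]:
    """Run both checks over the constructed data and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        fs_findings = audit_filesystem(root)
    return fs_findings, scan_dns_log(SAMPLE_DNS_LOG)


if __name__ == "__main__":
    fs_findings, dns_hits = demo()
    for f in fs_findings:
        print(f"[{f['severity']}] {f['path']} beside {f['cpuid_exe_present'] or 'no CPUID binary'}")
    for lineno, domain, line in dns_hits:
        print(f"DNS line {lineno}: {domain} <- {line}")
```

The third step, checking for STX RAT, is left to the eSentire YARA rules the article points to; run them over the flagged directories and over running processes. The filesystem audit deliberately does not stop at CPUID folders: a cryptbase.dll anywhere outside System32, SysWOW64 or WinSxS deserves a look even when no CPUID executable sits next to it.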