CPU-Z & HWMonitor, cpuid.com, Watering Hole Attack
On April 9, 2026, the cpuid.com website was compromised in a watering hole attack lasting approximately 19 hours. Download URLs for legitimate system administration tools CPU-Z, HWMonitor, HWMonitor Pro, and Perfmonitor 2 were replaced with links to malicious sites distributing trojanized versions. The malicious installers contained legitimate signed executables paired with DLL files named CRYPTBASE.dll that exploited DLL sideloading for C2 communication and payload delivery. Attackers reused infrastructure and code from a March 2026 fake FileZilla campaign, including the STX RAT as the final payload. Over 150 victims were identified globally, primarily individuals but including organizations in retail, manufacturing, consulting, telecommunications and agriculture sectors. The attack demonstrated poor operational security with reused indicators enabling rapid detection.
AI Analysis
Technical Summary
The cpuid.com website was compromised in a watering hole attack where legitimate download URLs for CPU-Z, HWMonitor, HWMonitor Pro, and Perfmonitor 2 were replaced with links to malicious sites distributing trojanized versions of these tools. The malicious installers contained legitimate signed executables combined with a malicious CRYPTBASE.dll that exploited DLL sideloading to perform command and control communication and deliver the STX RAT payload. The attackers reused infrastructure and code from a previous March 2026 fake FileZilla campaign. The attack affected over 150 victims globally, including individuals and organizations in retail, manufacturing, consulting, telecommunications, and agriculture sectors. Detection was facilitated by reused indicators and poor attacker operational security. There is no indication of a patch or vendor advisory, and the service is not cloud-hosted.
Potential Impact
The attack resulted in the distribution of trojanized versions of widely used system administration tools, enabling attackers to execute remote access trojans (STX RAT) on victim systems. This compromises the confidentiality and integrity of affected systems and potentially allows attackers to conduct further malicious activities. Over 150 victims were impacted globally across various sectors. The attack leveraged DLL sideloading to evade detection and maintain persistence. No direct evidence of exploitation beyond the watering hole compromise is provided.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since this is a supply chain compromise via the cpuid.com website, users should verify the integrity of downloaded installers from official sources and avoid using downloads from the compromised site during the incident period. Employ endpoint detection and response solutions to identify and remove the STX RAT and related malicious DLLs. Monitor for indicators of compromise related to this campaign as published by trusted threat intelligence sources. No official fix or patch is currently indicated.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://securelist.com/tr/cpu-z/119365/
- Adversary: null
- Pulse Id: 69dcad85f21975a887da9066
- Threat Score: null
Threat ID: 69dcb11e82d89c981f84024d
Added to database: 4/13/2026, 9:02:22 AM
Last enriched: 4/13/2026, 9:16:49 AM
Last updated: 4/14/2026, 9:26:39 AM