
CPUID Watering Hole Attack Spreads STX RAT Malware
Key Takeaways
- CPUID site hijacked, fake CPU‑Z/HWMonitor links for ~6 hours
- Attack delivered STX RAT via malicious DLL sideloading
- Threat actors reused C2 infrastructure from March fake FileZilla campaign
- Over 150 victims identified, mainly Brazil, Russia, China
- Researchers advise checking DNS logs for suspicious redirects
Pulse Analysis
Watering‑hole attacks remain a potent vector for cyber‑espionage, especially when they target high‑traffic sites that host popular utilities. CPUID, a go‑to resource for hardware enthusiasts, saw its download pages compromised for a window of roughly six hours, during which visitors were redirected to malicious domains. Even that short exposure produced a meaningful number of infections, because many users routinely download CPU‑Z and HWMonitor without verifying the publisher's signature. The lesson is twofold: every downloaded binary should be verified before it runs, and a trusted vendor's own download page can become the attack vector.
The technical payload hinged on DLL sideloading: a counterfeit CRYPTBASE.dll was bundled alongside a legitimate installer so that the trusted executable loaded the attacker's library in place of the genuine Windows copy. Once executed, the DLL established communication with a command‑and‑control server using a configuration lifted from the March 2026 fake FileZilla campaign. Reusing that infrastructure streamlined the attackers' operations, but it also handed defenders already familiar with STX RAT indicators a ready detection opportunity. The layered loader chain ultimately delivered a remote‑access trojan capable of keylogging, screen capture and data exfiltration, illustrating how established malware and infrastructure are repurposed from one campaign to the next.
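The check a responder would run on a suspect download, as an added example (not code from the original article or from CPUID): unpack the installer and look for the layout described above, a Windows system DLL name sitting next to an executable without any Authenticode signature directory in its PE header. The DLL name list, the synthetic PE images and the sample file set are assumptions constructed here; the script only detects the presence of a signature blob and does not validate it, so confirm hits with signtool or Get-AuthenticodeSignature.

```python
"""Hunt for DLL-sideloading candidates in an unpacked download.

Added example, not code from the original article or from CPUID. It flags
Windows system DLL names that sit next to an .exe and carry no Authenticode
signature directory, the pattern a counterfeit CRYPTBASE.dll beside a
legitimate installer leaves behind. The DLL name list, the synthetic PE
images and the sample file set are assumptions constructed here.
"""
import os
import struct
from typing import Dict, List, Optional

# System DLLs routinely abused for sideloading. Assumed starting list, not
# taken from the article; extend it from your own telemetry.
SIDELOAD_NAMES = {
    "cryptbase.dll", "version.dll", "dwmapi.dll",
    "uxtheme.dll", "profapi.dll", "wtsapi32.dll",
}
IMAGE_FILE_DLL = 0x2000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # certificate table (Authenticode blob)


def parse_pe(data: bytes) -> Optional[dict]:
    """Return basic facts about a PE image, or None if the bytes are not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt + 2 > len(data) or opt + opt_size > len(data):
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:        # PE32
        count_off, dirs_off = 92, 96
    elif magic == 0x20B:      # PE32+
        count_off, dirs_off = 108, 112
    else:
        return None
    if count_off + 4 > opt_size:
        return None
    (n_dirs,) = struct.unpack_from("<I", data, opt + count_off)
    sec_size = 0
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY and entry + 8 <= len(data):
        _sec_offset, sec_size = struct.unpack_from("<II", data, entry)
    return {
        "machine": machine,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        # Non-empty certificate table = a signature blob is present. It is
        # NOT validated here; confirm with signtool / Get-AuthenticodeSignature.
        "has_signature_directory": sec_size > 0,
    }


def find_sideload_candidates(files: Dict[str, bytes]) -> List[str]:
    """files maps relative paths to contents (e.g. an extracted installer).

    A hit is a file named like an abusable system DLL that sits in the same
    directory as an executable and either is not a DLL image at all or has
    no Authenticode signature directory. Genuine Windows copies are signed,
    so an unsigned one next to an installer is the sideloading pattern."""
    exe_dirs = {os.path.dirname(p).lower() for p in files if p.lower().endswith(".exe")}
    hits = []
    for path, data in files.items():
        if os.path.basename(path).lower() not in SIDELOAD_NAMES:
            continue
        if os.path.dirname(path).lower() not in exe_dirs:
            continue
        info = parse_pe(data)
        if info is None or not info["is_dll"]:
            hits.append(f"{path}: named like a system DLL but is not a DLL image")
        elif not info["has_signature_directory"]:
            hits.append(f"{path}: unsigned copy of a system DLL beside an executable")
    return sorted(hits)


def scan_directory(root: str) -> List[str]:
    """Read a directory tree from disk and run the hunt over it."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return find_sideload_candidates(files)


def make_pe(is_dll: bool, signed: bool) -> bytes:
    """Build a minimal synthetic PE32+ image (constructed test data, not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))             # e_lfanew
    opt = bytearray(112 + 16 * 8)                           # header + 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    if signed:
        entry = 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", opt, entry, 0x400, 0x1000)  # cert table offset, size
    chars = 0x0022 | (IMAGE_FILE_DLL if is_dll else 0)      # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample: what an unpacked poisoned download might look like.
SAMPLE_DOWNLOAD = {
    "installer.exe": make_pe(is_dll=False, signed=True),  # legitimate, signed installer
    "CRYPTBASE.dll": make_pe(is_dll=True, signed=False),  # unsigned implant in the sideload slot
    "VERSION.dll": make_pe(is_dll=True, signed=True),     # signed copy: not flagged by this check
    "readme.txt": b"not a PE file",
}

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_DOWNLOAD):
        print(hit)
```

Run `scan_directory()` against the folder the installer was extracted to. A signed copy of one of these DLLs beside an installer is not proven clean by this script; it simply drops out of the unsigned bucket, and a full signature validation plus a hash comparison against the System32 copy is the next step.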
From a business perspective, the incident is a cautionary tale for organizations that rely on third‑party software distribution channels. Over 150 victims, ranging from individuals to enterprises, were identified, concentrated in Brazil, Russia and China, which underlines the global reach of such attacks. Security teams should review DNS logs for anomalous redirects that follow visits to the compromised site, enforce code‑signing verification on downloaded binaries, and consider sandboxing utilities before they run. The CPUID breach reinforces a broader industry imperative: supply‑chain hygiene and rapid incident response are essential to contain the cascading effects of even a brief watering‑hole campaign.
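The DNS review the researchers recommend, as an added example (not code from the original article): a visitor to the compromised site resolves its hostname and, moments later, a domain the organization has never resolved before, because the download link now points off‑site. The script correlates those two lookups per client and then pivots on any flagged domain to find every host that reached it, including hosts with no recorded visit to the site. The log format, time window, baseline set and the `.invalid` placeholder domain are constructed assumptions; the article names no attacker domain, so none is used here.

```python
"""Find hosts whose DNS trail matches a watering-hole redirect.

Added example, not from the original article. A client resolves the
compromised site and, within a short window, a domain the organization has
never resolved before. The log format, time window, baseline set and the
.invalid placeholder domain are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

WATERED_HOLE = {"cpuid.com", "www.cpuid.com"}   # the compromised site named in the article
WINDOW = timedelta(seconds=30)                  # assumed redirect window after the page load


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Constructed log format: '<ISO8601Z> <client-ip> <qtype> <qname>'."""
    ts, client, _qtype, qname = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname.lower().rstrip(".")


def find_redirect_suspects(lines: Iterable[str], baseline: Set[str],
                           window: timedelta = WINDOW) -> Dict[str, List[Tuple[str, str, int]]]:
    """Per client: (time of the watering-hole lookup, new domain, seconds later)
    for every lookup within `window` of the site that is not in `baseline`."""
    by_client = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, client, qname = parse_line(line)
            by_client[client].append((ts, qname))
    suspects: Dict[str, List[Tuple[str, str, int]]] = {}
    for client, events in by_client.items():
        events.sort()
        last_visit = None
        for ts, qname in events:
            if qname in WATERED_HOLE:
                last_visit = ts
            elif last_visit is not None and ts - last_visit <= window and qname not in baseline:
                delta = int((ts - last_visit).total_seconds())
                suspects.setdefault(client, []).append((last_visit.isoformat(), qname, delta))
    return suspects


def pivot_on_domains(lines: Iterable[str], domains: Set[str]) -> Dict[str, List[str]]:
    """Second pass: every client that ever resolved a flagged domain, with or
    without a preceding site visit (e.g. redirected from a cached page)."""
    seen = defaultdict(set)
    for line in lines:
        if line.strip():
            _ts, client, qname = parse_line(line)
            if qname in domains:
                seen[qname].add(client)
    return {d: sorted(c) for d, c in seen.items()}


# Constructed sample log. The redirect target is a placeholder in the
# reserved .invalid TLD, not an indicator from the article.
SAMPLE_LOG = """
2026-04-10T12:00:01Z 10.0.0.5  A www.cpuid.com
2026-04-10T12:00:02Z 10.0.0.5  A static.cdn.example
2026-04-10T12:00:04Z 10.0.0.5  A redirect-placeholder.invalid
2026-04-10T12:05:00Z 10.0.0.9  A www.cpuid.com
2026-04-10T12:05:01Z 10.0.0.9  A static.cdn.example
2026-04-10T12:20:00Z 10.0.0.9  A mail.example
2026-04-10T13:00:00Z 10.0.0.12 A redirect-placeholder.invalid
""".strip().splitlines()

# Domains the site is known to depend on; assumed here, build yours from history.
SAMPLE_BASELINE = {"cpuid.com", "www.cpuid.com", "static.cdn.example"}

if __name__ == "__main__":
    suspects = find_redirect_suspects(SAMPLE_LOG, SAMPLE_BASELINE)
    flagged = {d for hits in suspects.values() for _, d, _ in hits}
    print(suspects)
    print(pivot_on_domains(SAMPLE_LOG, flagged))
```

The baseline matters more than the window: a download page legitimately pulls in CDNs and analytics hosts, so seed `baseline` from a week of pre‑incident resolutions rather than an empty set, or the first pass drowns in noise. The pivot is what turns one confirmed redirect into the victim list.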