CPU-Z Watering Hole Attack Compromises CPUID Domain, Serves Trojanized Binaries for 19 Hours
Threat actors compromised CPUID's download API on April 9, 2026, serving trojanized CPU-Z, HWMonitor, and PerfMonitor binaries through the official download button for 19 hours, with SentinelOne's AI EDR autonomously blocking the attack.

On April 9, 2026, cpuid.com was actively serving malware through its own official download button. Threat actors had compromised the CPUID domain at the API level and were silently redirecting legitimate download requests to attacker-controlled infrastructure. The attack ran for approximately 19 hours. Users who navigated directly to the official site received a legitimate, properly signed binary with a malicious payload bundled inside it.
SentinelOne's behavioral detection flagged an anomaly inside cpuz_x64.exe within seconds of execution. The binary was genuine, the digital signature was valid, and the download had arrived from the vendor's own infrastructure. The tell was the process chain that cpuz_x64.exe began constructing: it spawned PowerShell, which spawned csc.exe, which spawned cvtres.exe. CPU-Z does not do that. The agent autonomously terminated and quarantined the involved processes before the attack advanced further.
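To make that lineage-based tell concrete, here is an added example (not SentinelOne's code and not from the article) that rebuilds process ancestry from constructed process-creation events and flags the chain described above; the event records, pids, and the rule names are assumptions, and only cpuz_x64.exe is taken from the article.

```python
# Constructed process-creation events (pid, ppid, image); not real telemetry.
EVENTS = [
    (100, 1, "explorer.exe"),
    (200, 100, "cpuz_x64.exe"),
    (300, 200, "powershell.exe"),
    (400, 300, "csc.exe"),
    (500, 400, "cvtres.exe"),
    (600, 100, "cpuz_x64.exe"),     # benign run of CPU-Z, spawns nothing
    (700, 100, "powershell.exe"),   # an admin's own shell, not under CPU-Z
    (800, 700, "csc.exe"),          # legitimate ad-hoc compile
    (900, 800, "cvtres.exe"),
]

# Hardware utilities that have no business launching script hosts or compilers.
# Only the image the article names is listed; extend it for the other tools.
MONITORED_ROOTS = {"cpuz_x64.exe"}
# The in-memory compile chain the article describes, parent first.
SUSPECT_CHAIN = ("powershell.exe", "csc.exe", "cvtres.exe")


def build_tree(events):
    """Map each pid to its parent pid and to its lower-cased image name."""
    parent = {pid: ppid for pid, ppid, _ in events}
    image = {pid: img.lower() for pid, _, img in events}
    return parent, image


def ancestry(pid, parent, image):
    """Image names from the outermost known ancestor down to pid."""
    chain, seen = [], set()
    while pid in image and pid not in seen:   # stop at unknown root or a cycle
        seen.add(pid)
        chain.append(image[pid])
        pid = parent[pid]
    return chain[::-1]


def detect(events):
    """Return (rule, pid) alerts in event order."""
    parent, image = build_tree(events)
    alerts, n = [], len(SUSPECT_CHAIN)
    for pid, ppid, _ in events:
        # Rule 1: a monitored utility spawning any child at all is anomalous.
        if image.get(ppid) in MONITORED_ROOTS:
            alerts.append(("utility_spawned_child", pid))
        # Rule 2: the full chain as contiguous lineage directly under the utility.
        lineage = ancestry(pid, parent, image)
        if (len(lineage) > n and tuple(lineage[-n:]) == SUSPECT_CHAIN
                and lineage[-n - 1] in MONITORED_ROOTS):
            alerts.append(("cpuz_compile_chain", pid))
    return alerts
```

Rule 1 fires as soon as PowerShell appears under CPU-Z, which is the earliest point a response can begin; rule 2 confirms the complete compile chain without firing on the administrator's own PowerShell session.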
The trojanized packages were designed to leave no trace. A reflective PE loader decrypted (XXTEA) and decompressed (DEFLATE) a second-stage DLL and injected it directly into memory, with no disk writes and no file artifacts. Three redundant persistence mechanisms were installed: a registry Run key, a scheduled task on a 68-minute interval with a 20-year duration, and MSBuild project files in AppData\Local engineered to survive reboots and partial remediation. The final payload, STX RAT, delivered hidden VNC providing an attacker-controlled desktop session, keyboard and mouse injection, browser credential theft across Chrome, Firefox, Edge, and Brave, Windows Vault extraction, cryptocurrency wallet access, and a reverse proxy for follow-on payload delivery. C2 communication ran over a custom encrypted protocol and resolved its infrastructure via DNS-over-HTTPS to 1.1.1.1 to bypass DNS monitoring.
The incident highlights a systemic shift where trusted software distribution infrastructure becomes the attack vector. SentinelOne's Annual Threat Report identifies exactly this pattern: "This shift extends deeply into the software supply chain, where the identity of a trusted developer becomes the vector of attack." In late 2025, the GhostAction campaign saw a compromised GitHub maintainer account push malicious workflows to extract secrets, and a concurrent phishing attack against a maintainer of popular NPM packages deployed malicious code capable of intercepting cryptocurrency transactions. The CPUID incident extends this pattern to software distribution itself: the supplier's download infrastructure became the delivery channel.
Within hours, Kaspersky's analysis linked the CPUID samples to a March 2026 campaign targeting FileZilla users. The attacker reused the identical C2 infrastructure and deployed the unmodified STX RAT payload, the same one eSentire's Threat Response Unit had already fingerprinted and published YARA rules for after the FileZilla campaign. Those rules detected the CPUID variant without modification. The actor invested time compromising CPUID's download API and did nothing to retool after being publicly fingerprinted. The C2 domain, the backend server, the payload: all identical across campaigns. The same backend server had been operating since at least July 2025.
CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor are staples in IT toolkits. The users who downloaded them followed every instruction they'd been given. The trust chain broke above them. The next attack will work the same way. A reflective payload executing entirely in memory, inside a signed process, with no disk writes, compresses the detection window to milliseconds. Autonomous response is the only response fast enough.