
Analyzing the CPUID Watering Hole: STX RAT Distribution via Trojanized System Tools


Executive Summary

On April 9, 2026, threat actors successfully executed a high-impact watering hole attack targeting the official CPUID website, a primary source for popular system diagnostic utilities like CPU-Z and HWMonitor. By compromising a secondary API feature, the attackers were able to manipulate download links for approximately 19 hours, redirecting unsuspecting users to malicious domains. These domains served trojanized installers that deployed the STX Remote Access Trojan (RAT) through sophisticated DLL sideloading techniques.

SecLookup’s threat intelligence platform was actively monitoring this infrastructure and had already flagged the primary distribution domains as malicious, protecting our users from potential compromise. This post provides a technical deep dive into the campaign’s TTPs, the malware’s execution chain, and comprehensive indicators of compromise (IOCs).

Threat Analysis: The CPUID Compromise

The attack on CPUID represents a classic watering hole strategy, where attackers compromise a trusted site frequently visited by their target demographic—in this case, IT professionals, gamers, and system administrators.

Initial Access and Redirection

According to investigations by the CPUID maintainers and external researchers, the breach occurred through a "secondary feature" or side API. Between April 9 at 15:00 UTC and April 10 at 10:00 UTC, this compromised API caused the main website to intermittently display download links pointing to external, malicious infrastructure rather than the legitimate CPUID servers.

The attackers utilized several domains for hosting the malicious payloads, including:

  • vatrobran[.]hr

  • cahayailmukreatif.web[.]id

  • transitopalermo[.]com

  • pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev (Cloudflare R2 storage)

STX RAT Execution via DLL Sideloading

The redirected download links provided users with what appeared to be standard installers for CPU-Z or HWMonitor. However, these installers were trojanized. The primary mechanism for infection was DLL Sideloading (MITRE ATT&CK T1574.002).

The malicious package included a legitimate, signed application alongside a rogue DLL named CRYPTBASE.dll. When the legitimate executable is launched, it attempts to load the necessary CRYPTBASE.dll from its local directory before searching system folders. The malicious version of the DLL contained the STX RAT payload and was responsible for:

  1. Anti-Analysis Checks: The DLL performed checks to determine if it was running in a sandbox or virtualized environment.

  2. Persistence: Establishing hooks into the system to ensure the RAT survived reboots.

  3. C2 Communication: Connecting back to attacker-controlled infrastructure to receive commands.

Infrastructure Reuse

A notable finding in this campaign is the reuse of infrastructure. The C2 addresses and distribution patterns identified in this attack overlap significantly with previous campaigns distributing fake FileZilla installers. This suggests that the threat actor behind this campaign is either part of an established cybercrime syndicate or is utilizing a "malware-as-a-service" (MaaS) kit that includes pre-configured infrastructure.

MITRE ATT&CK Mapping

Tactic              | Technique ID | Technique Name
--------------------|--------------|------------------------------------------------
Initial Access      | T1189        | Drive-by Compromise (Watering Hole)
Execution           | T1204.002    | User Execution: Malicious File
Persistence         | T1574.002    | Hijack Execution Flow: DLL Side-Loading
Defense Evasion     | T1497.001    | Virtualization/Sandbox Evasion
Command and Control | T1071.001    | Web Service: Application Layer Protocol
Command and Control | T1219        | Remote Access Software

SecLookup Detection

SecLookup’s proactive threat hunting engine identified the malicious nature of the redirect domains shortly after the campaign began. Our platform confirmed that cahayailmukreatif.web.id was associated with malware distribution.

Indicators of Compromise (IOCs)

Domains

cahayailmukreatif.web.id
vatrobran.hr
transitopalermo.com
pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev

File Hashes (MD5/ID)

45c2577dbd174292a02137c18e7b1b5a

Detection Rules

YARA Rules

The following rules can be used to scan for the malicious DLL and trojanized installers within your environment.

rule STX_RAT_CPUID_Malicious_DLL {
    meta:
        description = "Detects malicious CRYPTBASE.dll used in the CPUID watering hole attack to sideload STX RAT"
        author = "Threat Intel Analysis"
        date = "2024-05-22"
        reference = "CPUID Watering Hole Attack"
    strings:
        $dll_name = "CRYPTBASE.dll" ascii wide
        $domain1 = "vatrobran.hr" ascii wide
        $domain2 = "cahayailmukreatif.web.id" ascii wide
        $domain3 = "transitopalermo.com" ascii wide
        $domain4 = "pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev" ascii wide
    condition:
        // PE file (MZ header) that names the sideloaded DLL and at least one distribution domain
        uint16(0) == 0x5A4D and ($dll_name and 1 of ($domain*))
}

rule CPUID_Trojanized_Installer_Indicators {
    meta:
        description = "Detects strings related to trojanized CPU-Z or HWMonitor installers used in STX RAT campaign"
    strings:
        $s1 = "CPU-Z" ascii wide
        $s2 = "HWMonitor" ascii wide
        $s3 = "CPUID" ascii wide
        $m1 = "CRYPTBASE.dll" ascii wide
        $m2 = "vatrobran.hr" ascii wide
    condition:
        // Broad hunting rule: a CPUID product string plus one campaign marker; triage matches against known-good installers
        uint16(0) == 0x5A4D and (1 of ($s*) and 1 of ($m*))
}

Recommendations

To mitigate the risk posed by this and similar watering hole attacks, SecLookup recommends the following actions:

  1. Verify Software Signatures: Always check the digital signature of downloaded executables. In this campaign, while the legitimate CPUID files were signed, the trojanized installers often lacked valid signatures or were signed by unrelated third parties.

  2. Monitor for DLL Sideloading: Implement endpoint monitoring (EDR) to alert on unusual DLL loads, particularly CRYPTBASE.dll appearing in non-system directories like Downloads or AppData\Local\Temp.

  3. Application Whitelisting: Restrict the execution of administrative tools to authorized personnel and ensure they are sourced from internal, verified repositories rather than direct web downloads.

  4. Network Filtering: Ensure your DNS and web proxy solutions are ingesting real-time threat intelligence feeds from SecLookup to block access to newly registered or compromised domains used in malware campaigns.

  5. User Education: Remind employees and IT staff that even trusted sites can be compromised and to report any unusual behavior (e.g., unexpected redirects or certificate errors) during software downloads.
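As an added illustration of the sideloading chain described above and of recommendation 2, the following Python script (added here; it is not part of the original post or of SecLookup's tooling) classifies Sysmon Event ID 7 (ImageLoad) records and flags CRYPTBASE.dll resolving from anywhere other than the Windows system directories, with extra weight when the DLL sits beside the launching executable or lacks a Microsoft signature. The field names follow Sysmon's ImageLoad event; the sample records and paths are constructed for the demonstration.

```python
"""Flag CRYPTBASE.dll side-load candidates in Sysmon Event ID 7 (ImageLoad) records."""
from pathlib import PureWindowsPath

# Constructed sample events in the shape of Sysmon Event ID 7 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\CPUID\CPU-Z\cpuz.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\alice\Downloads\cpu-z_setup\cpuz.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\cpu-z_setup\CRYPTBASE.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\hwmonitor\HWMonitor.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\hwmonitor\CRYPTBASE.dll",
     "Signed": "true", "Signature": "Unrelated Vendor Ltd"},
]

# Directories where the genuine DLL is expected to live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# DLL names to watch; only cryptbase.dll comes from the post, the tuple is there so it can be extended.
WATCHED_DLLS = ("cryptbase.dll",)


def is_sideload_candidate(event):
    """True when a watched DLL was loaded from outside the system directories."""
    loaded = event["ImageLoaded"].lower()
    if PureWindowsPath(loaded).name not in WATCHED_DLLS:
        return False
    return not loaded.startswith(SYSTEM_DIRS)


def classify(event):
    """Return the list of reasons an event is suspicious; empty when it looks benign."""
    reasons = []
    if not is_sideload_candidate(event):
        return reasons
    reasons.append("watched DLL loaded outside system directories")
    load_dir = str(PureWindowsPath(event["ImageLoaded"]).parent).lower()
    exe_dir = str(PureWindowsPath(event["Image"]).parent).lower()
    if load_dir == exe_dir:
        reasons.append("DLL resolved from the executable's own directory")
    signed = event.get("Signed", "").lower() == "true"
    if not signed or "microsoft" not in event.get("Signature", "").lower():
        reasons.append("DLL not signed by Microsoft")
    return reasons


def scan(events):
    """Return (ImageLoaded, reasons) for every suspicious event in the batch."""
    return [(e["ImageLoaded"], classify(e)) for e in events if classify(e)]
```

The same check maps directly onto an EDR or SIEM query over ImageLoad telemetry: filter on the DLL name, exclude the two system directories, then enrich with the loader path and signer.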
