Threat Response

CPU-Z / HWMonitor watering hole infection – a copy-pasted attack

UPD 4/16/26: added recommendations that help detect similar malicious activity for companies using our Kaspersky SIEM system.

UPD 4/14/26: added detection rules and examples by Kaspersky products: KEDR Expert and KATA, as well as dynamic analysis results in Kaspersky Threat Analysis.

Introduction

On April 9, 2026, the website cpuid[.]com, which hosts installers for the popular system administration tools CPU-Z, HWMonitor (HWMonitor Pro), and Perfmonitor 2, was compromised. We observed that starting approximately on April 9, 15:00 UTC, until about April 10, 10:00 UTC, the legitimate download URLs for installers of those software tools were replaced with URLs to the following malicious websites:

  • cahayailmukreatif.web[.]id;
  • pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev;
  • transitopalermo[.]com;
  • vatrobran[.]hr.

We provided the complete list of hashes of files that we observed to have been downloaded from these websites, in the IoCs section.

Attack chain

We observed the attackers deploy malicious distributions of various popular system administration tools published on the cpuid[.]com website. Below is a list of the tools:

  • CPU-Z (version 2.19)
  • HWMonitor Pro (version 1.57)
  • HWMonitor (version 1.63)
  • PerfMonitor (version 2.04)

The trojanized software was distributed both as ZIP archives and as standalone installers for the aforementioned products. These files contain a legitimate signed executable for the corresponding product and a malicious DLL which is named “CRYPTBASE.dll” to leverage the DLL Sideloading technique.

The malicious DLL is responsible for the C2 connection and further payload execution. Before that, it performs a set of anti-sandbox checks and connects to the C2 server only if all of them pass. The interesting part here is that the attackers reused both the C2 address and the connection configuration from the March 2026 campaign, in which they hosted a fake FileZilla (open-source FTP client) site distributing malicious downloads. The configuration embedded in the DLL is presented below. The “referrer” field in the configuration equals “cpz”, which is likely shorthand for “CPU-Z”.

This loader also contains a huge array of MAC addresses (represented as strings) that later form the next stage payload by converting hexadecimal symbols in MAC addresses into their byte values. After a set of auxiliary loaders, the execution chain results in a sophisticated RAT.
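The decoding step described above (hex octets of MAC-address strings concatenated into the next-stage bytes) is easy to reproduce when pulling the embedded stage out of a sample for analysis. The following is an added example written for this post, not code from the report or from the malware; the MAC strings in it are constructed and merely decode to the start of a DOS header, which is the first sanity check an analyst would apply to the recovered blob.

```python
import re
from typing import Iterable

# Constructed sample in the shape the report describes: an array of MAC-address strings
# whose hex octets, concatenated, form the next-stage payload. The real loader carries a
# huge array; these few entries are made up and decode to the start of an "MZ" header.
SAMPLE_MAC_STRINGS = [
    "4D-5A-90-00-03-00",
    "00-00-04-00-00-00",
    "FF-FF-00-00-B8-00",
]

# Six hex octets, separated consistently by '-', ':' or nothing at all.
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:]?)[0-9A-Fa-f]{2}(?:\1[0-9A-Fa-f]{2}){4}$")


def mac_strings_to_bytes(macs: Iterable[str]) -> bytes:
    """Concatenate the octets of each MAC-formatted string into one byte string.

    Entries that are not six hex octets raise ValueError with their index, which is
    what an analyst wants when a string-extraction pass picked up a stray value.
    """
    out = bytearray()
    for idx, mac in enumerate(macs):
        mac = mac.strip()
        if not _MAC_RE.match(mac):
            raise ValueError(f"entry {idx} is not a MAC-formatted hex string: {mac!r}")
        out += bytes.fromhex(re.sub(r"[-:]", "", mac))
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """First sanity check on a recovered stage: a PE image starts with the 'MZ' magic."""
    return blob[:2] == b"MZ"


if __name__ == "__main__":
    payload = mac_strings_to_bytes(SAMPLE_MAC_STRINGS)
    print(f"recovered {len(payload)} bytes, PE header present: {looks_like_pe(payload)}")
```

In practice the string array is first dumped from the DLL (with a strings tool or a disassembler), filtered with the same MAC pattern, and then fed to `mac_strings_to_bytes`; a recovered blob that does not start with `MZ` usually means the array order or a separator assumption is wrong.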

Copy-pasted malicious implants

The final stage RAT is not new, though. The adversary decided to reuse the so-called “STX RAT” reported by eSentire, thus making one more mistake. We noted that the final stage was fully detected by the YARA rules provided in the eSentire article. As can be observed, the attackers put effort into compromising a popular software website, but failed to avoid detection with known indicators of compromise.

Victimology

Based on our telemetry, we have identified more than 150 victims, the majority of whom are private individuals. However, several organizations from various sectors, including retail, manufacturing, consulting, telecommunications and agriculture, were also affected, with most infections in Brazil, Russia and China.

Recommendations

While the watering hole attack occurred within a short timeframe of less than 24 hours, it is important to check whether your organization may be affected. The best way to do this is by examining DNS logs for the malicious websites from which the trojanized installers were downloaded. It is also paramount to examine filesystems to check for traces of the malicious archives and executable files related to this attack.
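The two checks recommended above (resolver logs against the malicious domains, and file hashes against the IoC list) can be scripted in a few lines. The example below is added for this post and is not Kaspersky's tooling; the domains and SHA-1 values are taken from this report's IoC section, while the resolver log lines are constructed in BIND query-log style. File-name matches are reported separately as a weaker signal, since the legitimate packages from cpuid.com carry the same names and only a hash match is conclusive.

```python
import hashlib
import re
from pathlib import Path
from typing import Iterable, Optional

# Domains named in the report, with the defanging brackets removed so they compare
# directly against resolver logs.
MALICIOUS_DOMAINS = {
    "cahayailmukreatif.web.id",
    "pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev",
    "transitopalermo.com",
    "vatrobran.hr",
    "welcome.supp0v3.com",
}

# SHA-1 hashes from the report's IoC section (trojanized downloads and CRYPTBASE.dll samples).
MALICIOUS_SHA1 = {
    "d0568eaa55f495fd756fa205997ae8d93588d2a2", "02a53d660332c25af623bbb7df57c2aad1b0b91b",
    "9253111b359c610b5f95ef33c2d1c06795ab01e9", "2f717a77780b8f6b2d853dc4df5ed2b90a3a349a",
    "7c615ce495ac5be1b64604a7c145347adbcd900c", "c417c3a4b094646d06a06103639a5c9faabc9ba4",
    "8351a43a0c0455e4b0793d841fe12625f072f9b4", "6a71656c289201f742787f48398056fcd2aa7274",
    "c65e515b9c9655c651c939b94574cf39b40a8be2", "3041a4e2bc5ccefbfd2222a9e23614fb79d6db63",
    "4e3195399a9135247e55781ad13226c6b0e86c0d", "4597f546a622ae55e0775cbcc416b3f1dfd096ce",
    "a06955d253711385eaa6f5af76fa9fa47bdeb1e9", "6b49823483889bc1ad152a1be52d1385c4e0affb",
    "4f3d8c47239bd1585488ce431d931457f101104c", "ba19e03ca03785e89010672d7e273ac343e4699a",
    "e2464454017cd02a8bc6744596c384cf91cdd67e",
}

# File names the trojanized packages were served under (lower-cased). Weak indicator:
# the genuine downloads use the same names, so a name hit only says "check the hash".
SUSPICIOUS_NAMES = {
    "cpu-z_2.19-en.zip", "hwinfo_monitor_setup.exe", "hwmonitorpro_1.57_setup.exe",
    "hwmonitor-pro_1.57.zip", "hwmonitor_1.63.zip", "perfmonitor2_setup.exe",
    "perfmonitor-2_2.04.zip",
}

# Constructed resolver log (BIND query-log style); only the domain names are real.
SAMPLE_DNS_LOG = """\
09-Apr-2026 15:41:07.512 client 10.20.30.41#51023: query: www.cpuid.com IN A + (10.20.0.2)
09-Apr-2026 15:41:09.118 client 10.20.30.41#51031: query: pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev IN A + (10.20.0.2)
09-Apr-2026 16:02:55.004 client 10.20.30.77#49811: query: vatrobran.hr. IN AAAA + (10.20.0.2)
09-Apr-2026 16:03:01.220 client 10.20.30.41#51044: query: welcome.supp0v3.com IN A + (10.20.0.2)
10-Apr-2026 08:15:42.901 client 10.20.30.90#50211: query: update.microsoft.com IN A + (10.20.0.2)
"""

_QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[^\s#]+)#\d+.*?query: (?P<qname>\S+?)\.? IN "
)


def domain_is_malicious(qname: str) -> bool:
    """Exact match or any subdomain of a listed domain (trailing dot tolerated)."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in MALICIOUS_DOMAINS)


def find_dns_hits(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (client, queried name) pairs for every query to a listed domain."""
    hits = []
    for line in lines:
        m = _QUERY_RE.search(line)
        if m and domain_is_malicious(m["qname"]):
            hits.append((m["client"], m["qname"].lower().rstrip(".")))
    return hits


def classify(name: str, sha1_hex: str, bad_hashes=MALICIOUS_SHA1, bad_names=SUSPICIOUS_NAMES) -> Optional[str]:
    """Hash match is conclusive; a name match alone is only a prompt to verify."""
    if sha1_hex.lower() in bad_hashes:
        return "sha1 match"
    if name.lower() in bad_names:
        return "name match (verify hash)"
    return None


def sha1_of_file(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha1()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(root: Path, bad_hashes=MALICIOUS_SHA1, bad_names=SUSPICIOUS_NAMES) -> list[tuple[Path, str]]:
    """Walk a tree (e.g. user download folders) and report files matching the IoCs."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            reason = classify(p.name, sha1_of_file(p), bad_hashes, bad_names)
            if reason:
                hits.append((p, reason))
    return hits


if __name__ == "__main__":
    for client, qname in find_dns_hits(SAMPLE_DNS_LOG.splitlines()):
        print(f"DNS: {client} resolved {qname}")
```

The DNS side keys on the queried name rather than on resolved addresses, since the CDN-hosted r2.dev bucket resolves to shared infrastructure; a subdomain match is included because the same hosts were also reached under the `welcome.` name listed in the IoCs.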

Detection by Kaspersky products

Kaspersky Endpoint Detection and Response Expert effectively detects the behavior of the malicious activity in question at each stage. This section presents possible detection scenarios.

During the loading of the cryptbase.dll library, the cryptbase_dll_loaded_from_wrong_location rule is triggered; it is designed to detect the loading of unsigned libraries located outside the system directory. In this case, the library is located in the same directory as the executable file and is loaded during its execution.

Loading of an unsigned module

During the creation of a PowerShell child process and redirection of its output to a pipe for writing the payload, several rules are triggered for AMSI and process started event types, which track pipe usage and execution of suspicious commands:

suspicious_powershell_command_invocation_obtained_via_pipe_amsi
suspicious_powershell_cmdline_general_obfuscation_amsi
suspicious_powershell_command_invocation_obtained_via_pipe
suspicious_powershell_cmdline_general_obfuscation

Child process creation

Attempts to access web browser data are detected by several rules, such as credentials_from_web_browsers, which tracks suspicious access to files storing user secrets.

For comprehensive analysis of the malicious activity in question, Kaspersky Cloud Sandbox, part of Kaspersky Threat Analysis, can be used, providing detailed information about the behavior of malicious files under investigation. In particular, this tool allows identifying indicators of compromise based on behavioral analysis.

The figure below shows the Kaspersky Threat Analysis interface demonstrating dynamic analysis results for one of the STX RAT samples:

Malicious sample detonation in Kaspersky Cloud Sandbox

Based on dynamic analysis results, the analyzed sample was found to perform the following malicious actions:

  • Modify AMSI to bypass antivirus protection (AMSI patching)
  • Establish a network connection to a C2 server
  • Introduce a time delay for deferred payload execution

Network traffic monitoring to identify characteristic anomalies also remains a reliable way to detect such attacks. Malicious activity in traffic can be detected using Kaspersky Anti Targeted Attack (KATA) with the NDR module.

Below is the KATA NDR interface with an alert about detection of loader C2 communication over HTTP. In this case, the Backdoor.Agent.HTTP.C&C rule was triggered, which detects network communication characteristic of this campaign.

To protect companies using our Kaspersky SIEM system, below are recommendations that help detect similar malicious activity. The rules mentioned below are available for customers to download from the SIEM repository.

  • To detect the loading of the malicious library cryptbase.dll, we recommend configuring a rule for the Sysmon event Event ID = 7 where Signed = true and the library path is a non-standard directory, i.e. ImageLoaded does not contain ['C:\Windows\System32', 'C:\Windows\SysWOW64'].
  • Further creation of a PowerShell child process with obfuscation of payload launch parameters can be detected by the rule R110_05_Use of suspicious options in PowerShell commands.
  • Registry checks for sandbox presence can be detected by the rule R227_01_Collecting of information about virtual machines through the Windows registry.
  • Unauthorized access to web browser data is detected using R225_01_Suspicious access to web browser credentials.
  • As part of persistence, a scheduled task is created with the parameter <Hidden>true</Hidden> in the <Task Content> field, which can be detected using Windows Event Log: Security Event ID = 4698.
  • Attempts to establish persistence through the registry autorun key and the loading further of a payload using standard system utilities are detected by the following rules:
    • R097_01_Change of startup script settings through the Windows registry.
    • R423_02_Compilation via csc.exe from suspicious location.
    • R423_03_Suspicious msbuild utility execution.
  • To detect COM Hijacking of the IScriptControl object, we recommend configuring a rule for writes to the Default key of the registry branch \Software\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B} with a value matching script:.(appdata|temp|users).*.sct (monitoring for the .sct substring alone is sufficient), using the registry change events Windows Event Log: Security Event ID = 4657 or Sysmon: Event ID = 13.
  • Subsequent execution of the .sct scriptlet through the scrobj.dll library is detected by the rule R291_04_Executing commands using regsvr32.exe.
  • For proper functioning of detection rules, ensure that events from Windows systems are fully delivered to KUMA, including events with the identifiers: Sysmon 1, 7, 13, as well as Security 4688, 4657, 4663, 4698, and 4103.
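Several of the SIEM recommendations above reduce to simple field checks on Sysmon and Security events: cryptbase.dll loaded from outside the system directories (Sysmon 7), a scheduled task registered with `<Hidden>true</Hidden>` (Security 4698), the TypeLib default value pointed at a `.sct` scriptlet (Sysmon 13 / Security 4657), and regsvr32.exe executing that scriptlet through scrobj.dll (Sysmon 1 / Security 4688). The example below is added here and is not a KUMA rule or any Kaspersky code; it assumes events have been normalized into flat dictionaries with Sysmon-style field names (`ImageLoaded`, `TargetObject`, `Details`, `CommandLine`), and the sample events are constructed. One deliberate deviation from the recommendation text: the cryptbase.dll rule reports the `Signed` field rather than filtering on it, because a cryptbase.dll loaded from a user directory is abnormal whatever its signature status says.

```python
import re
from typing import Callable, Iterable, Optional

# Directories from which a genuine cryptbase.dll is expected to load.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# TypeLib GUID named in the report; key paths are compared case-insensitively.
TYPELIB_KEY = "\\software\\classes\\typelib\\{eab22ac0-30c1-11cf-a7eb-0000c05bae0b}"
# Higher-confidence form of the .sct indicator: scriptlet under a user-writable location.
SCT_PATH_RE = re.compile(r"script:.*(appdata|temp|users).*\.sct", re.IGNORECASE)


def rule_cryptbase_dll_wrong_location(ev: dict) -> Optional[str]:
    """Sysmon EID 7: cryptbase.dll image-loaded from anywhere but the system directories."""
    if ev.get("Provider") != "Sysmon" or ev.get("EventID") != 7:
        return None
    image = ev.get("ImageLoaded", "").lower()
    if not image.endswith("\\cryptbase.dll") or image.startswith(SYSTEM_DIRS):
        return None
    return f"{ev.get('Image')} loaded {ev.get('ImageLoaded')} (Signed={ev.get('Signed')})"


def rule_hidden_scheduled_task(ev: dict) -> Optional[str]:
    """Security EID 4698: task registered with <Hidden>true</Hidden> in its XML."""
    if ev.get("Provider") != "Security" or ev.get("EventID") != 4698:
        return None
    if "<hidden>true</hidden>" not in ev.get("TaskContent", "").lower():
        return None
    return f"hidden scheduled task {ev.get('TaskName')}"


def rule_typelib_sct_com_hijack(ev: dict) -> Optional[str]:
    """Sysmon EID 13 / Security EID 4657: TypeLib value pointed at a .sct scriptlet."""
    if (ev.get("Provider"), ev.get("EventID")) not in {("Sysmon", 13), ("Security", 4657)}:
        return None
    if TYPELIB_KEY not in ev.get("TargetObject", "").lower():
        return None
    value = ev.get("Details", "")
    if ".sct" not in value.lower():
        return None
    confidence = "high" if SCT_PATH_RE.search(value) else "medium"
    return f"{confidence}-confidence: TypeLib value set to {value!r}"


def rule_regsvr32_scriptlet(ev: dict) -> Optional[str]:
    """Sysmon EID 1 / Security EID 4688: regsvr32.exe referencing scrobj.dll or a .sct file."""
    if (ev.get("Provider"), ev.get("EventID")) not in {("Sysmon", 1), ("Security", 4688)}:
        return None
    cmd = ev.get("CommandLine", "").lower()
    if ev.get("Image", "").lower().endswith("\\regsvr32.exe") and ("scrobj.dll" in cmd or ".sct" in cmd):
        return f"regsvr32 scriptlet execution: {ev.get('CommandLine')}"
    return None


RULES: list[tuple[str, Callable[[dict], Optional[str]]]] = [
    ("cryptbase_dll_wrong_location", rule_cryptbase_dll_wrong_location),
    ("hidden_scheduled_task", rule_hidden_scheduled_task),
    ("typelib_sct_com_hijack", rule_typelib_sct_com_hijack),
    ("regsvr32_scriptlet", rule_regsvr32_scriptlet),
]

# Constructed events: one true positive per rule plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"Provider": "Sysmon", "EventID": 7, "Image": r"C:\Users\alice\Downloads\cpu-z_2.19-en\cpuz.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\cpu-z_2.19-en\CRYPTBASE.dll", "Signed": "false"},
    {"Provider": "Sysmon", "EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll", "Signed": "true"},
    {"Provider": "Security", "EventID": 4698, "TaskName": r"\Updater",
     "TaskContent": "<Task><Settings><Hidden>true</Hidden></Settings></Task>"},
    {"Provider": "Security", "EventID": 4698, "TaskName": r"\Backup",
     "TaskContent": "<Task><Settings><Hidden>false</Hidden></Settings></Task>"},
    {"Provider": "Sysmon", "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\win32\(Default)",
     "Details": r"script:C:\Users\alice\AppData\Local\Temp\update.sct"},
    {"Provider": "Security", "EventID": 4688, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /i:C:\Users\alice\AppData\Local\Temp\update.sct scrobj.dll"},
]


def evaluate(events: Iterable[dict]) -> list[tuple[int, str, str]]:
    """Run every rule over every event; return (event index, rule name, message) per hit."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((idx, name, msg))
    return hits


if __name__ == "__main__":
    for idx, name, msg in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {name}: {msg}")
```

Correlating these hits by host and by the short time window between them (library load, task creation, registry write, regsvr32 launch) is what turns four medium-confidence signals into one high-confidence incident; the remaining recommendations (R110, R227, R225, R423) follow the same pattern of a field check on the corresponding event type.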

Conclusion

Compared to other recent watering hole and supply chain attacks, such as the Notepad++ supply chain attack, the attack on the cpuid[.]com website was orchestrated quite poorly. The gravest mistake the attackers made was to reuse the same infection chain involving STX RAT, and the same domain names for C2 communication, from the previous attack related to fake FileZilla installers. The overall malware development/deployment and operational security capabilities of the threat actor behind this attack are quite low, which, in turn, made it possible to detect the watering hole compromise as soon as it started.

Indicators of Compromise

Hashes of downloaded malicious files

d0568eaa55f495fd756fa205997ae8d93588d2a2 cpu-z_2.19-en.zip

02a53d660332c25af623bbb7df57c2aad1b0b91b hwinfo_monitor_setup.exe

9253111b359c610b5f95ef33c2d1c06795ab01e9 HWMonitorPro_1.57_Setup.exe

2f717a77780b8f6b2d853dc4df5ed2b90a3a349a hwmonitor-pro_1.57.zip

7c615ce495ac5be1b64604a7c145347adbcd900c hwmonitor_1.63.zip

c417c3a4b094646d06a06103639a5c9faabc9ba4 hwmonitor_1.63.zip

8351a43a0c0455e4b0793d841fe12625f072f9b4 PerfMonitor2_Setup.exe

6a71656c289201f742787f48398056fcd2aa7274 perfmonitor-2_2.04.zip

Hashes of malicious DLLs

24bbfcfea0c79f640a4eec99ffdae3ccd315786 CRYPTBASE.dll

c65e515b9c9655c651c939b94574cf39b40a8be2 CRYPTBASE.dll.bin

3041a4e2bc5ccefbfd2222a9e23614fb79d6db63 CRYPTBASE.dll

4e3195399a9135247e55781ad13226c6b0e86c0d CRYPTBASE.dll

4597f546a622ae55e0775cbcc416b3f1dfd096ce CRYPTBASE.dll

a06955d253711385eaa6f5af76fa9fa47bdeb1e9 CRYPTBASE.dll

6b49823483889bc1ad152a1be52d1385c4e0affb CRYPTBASE.dll

3041a4e2bc5ccefbfd2222a9e23614fb79d6db63 CRYPTBASE.dll

c65e515b9c9655c651c939b94574cf39b40a8be2 CRYPTBASE.dll

4f3d8c47239bd1585488ce431d931457f101104c CRYPTBASE.dll

ba19e03ca03785e89010672d7e273ac343e4699a CRYPTBASE.dll

e2464454017cd02a8bc6744596c384cf91cdd67e CRYPTBASE.dll CRYPTBASE.dll

URLs
hxxps://welcome.supp0v3[.]com

hxxps://cahayailmukreatif.web[.]id/sw-content/template/hwmonitor/hwinfo_monitor_setup.exe

hxxps://pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev/perfmonitor/perfmonitor-2_2.04.zip

hxxps://pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev/perfmonitor/PerfMonitor2_Setup.exe

hxxps://pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev/hwmonitor-pro/hwmonitor-pro_1.57.zip

hxxps://pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev/hwmonitor_1.63.zip

hxxps://pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev/hwmonitor/hwinfo_monitor_setup.exe

hxxps://pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev/cpu-z_2.19-en.zip

hxxps://pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev/hwmonitor-pro/hwmonitorpro_1.57_setup.exe

hxxps://transitopalermo[.]com/config/hwmonitor/hwmonitor_1.63.zip

hxxps://transitopalermo[.]com/config/hwmonitor-pro/hwmonitorpro_1.57_setup.exe

hxxps://transitopalermo[.]com/config/hwmonitor/HWiNFO_Monitor_Setup.exe

hxxps://vatrobran[.]hr/en-GB/info/hwmonitor/hwmonitor_1.63.zip

hxxps://vatrobran[.]hr/en-GB/info/cpu-z/cpu-z_2.19-en.zip

hxxps://vatrobran[.]hr/en-gb/info/hwmonitor/hwinfo_monitor_setup.exe

hxxps://vatrobran[.]hr/en-GB/info/hwmonitor-pro/HWMonitorPro_1.57_Setup.exe


  1. Artem

    “Compared to other recently occurred watering hole…”

    To be honest, watering hole attacks were common about ten or fifteen years ago in the “good old days” of cybercriminals who specialized in developing and selling exploit kits such as Black Hole. Nowadays, these attacks are quite rare due to x64 web browsers, disabled Adobe Flash and Java, and numerous other mitigations (DEP, ASLR, sandboxing, strict content isolation, etc). Those exploit packs offered a solid amount of 0day and 1day RCE exploits for IE, Chrome, Adobe Reader, Java, etc. Today, we usually see RCE exploits only in “targeted attacks,” which literally have nothing to do with civilian cybercrime. Watering hole attacks were extremely profitable for attackers in conjunction with those exploit packs, which provided a high exploitation ratio but required breaching a site hosting service. In some cases, all visitors of a website hosted on a compromised ISP could have been infected with malware just by visiting the website, without clicking any links on the webpage.

    Any ideas or thoughts on how they’ve been breached?
