CPUID Supply Chain Breach: Trojanized CPU-Z Installers Deploy STX RAT via DLL Sideloading – 150+ Victims in 19 Hours + Video

By /

Listen to this Post

Featured Image

Introduction:

A high‑impact software supply chain attack recently compromised CPUID’s official distribution channels for approximately 19 hours, replacing legitimate CPU‑Z and HWMonitor installers with trojanized versions. Attackers employed DLL sideloading to pair the authentic applications with a malicious payload, ultimately deploying the STX Remote Access Trojan (RAT). With over 150 confirmed victims before detection, this incident underscores how trusted utilities can become vectors for persistent, stealthy remote access.

Learning Objectives:

  • Understand the mechanics of DLL sideloading and how it enables software supply chain compromise.
  • Detect trojanized installers and active STX RAT infections using Windows built‑in tools and Sysinternals utilities.
  • Implement application control, digital signature verification, and behavioral monitoring to mitigate similar attacks.

You Should Know:

  1. Anatomy of the Attack: How CPUID’s Legitimate Apps Were Weaponized
    The attackers replaced the original CPU‑Z/HWMonitor installers on CPUID’s site with trojanized versions. When a victim ran the installer, the legitimate executable (e.g., CPUZ.exe) was extracted alongside a malicious DLL (e.g., version.dll or winhttp.dll) and the STX RAT payload. Because Windows searches for DLLs in the application’s directory before system paths, the legitimate app unknowingly loaded the attacker’s DLL—a technique known as DLL sideloading. The malicious DLL then decrypted and injected the STX RAT into memory, establishing persistence and C2 communication. No code changes were required in the original application; only the installer package was altered.

  2. Detecting Sideloaded Malware: Windows Commands and PowerShell Scripts
    To identify potential DLL sideloading on your systems, run these commands as Administrator:

  • Verify digital signatures of all executables and DLLs in suspicious directories: 
    Get-ChildItem -Path "C:\Program Files\CPUID" -Recurse | Get-AuthenticodeSignature | Where-Object {$_.Status -ne "Valid"}
  • Use Sigcheck from Sysinternals to recursively check signatures and show hash mismatches: 
    sigcheck64.exe -e -c -h C:\Program Files\CPUID > signed_check.csv
  • Monitor for unexpected DLL loads using PowerShell and Event Logs (Event ID 7 for image load): 
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=7} | Where-Object {$_.Message -like "version.dll"} | Format-List
  • List all running processes and their loaded DLLs to spot unsigned or anomalous libraries: 
    tasklist /m /fi "IMAGENAME eq cpu-z.exe"

    For proactive hunting, deploy Sysmon with configuration logging DLL loads and process creation.

  1. Hardening Against DLL Sideloading: AppLocker and WDAC Configurations
    Prevent sideloading by restricting where applications can load DLLs from.

Step‑by‑step guide for AppLocker (Windows 10/11 Pro/Enterprise):

  1. Open `secpol.msc` → Application Control Policies → AppLocker.
  2. Right‑click “Executable Rules” → Create New Rule → Permit for “Everyone” → Path `%PROGRAMFILES%\CPUID\` (or the exact vendor directory).
  3. Create a DLL rule similarly: “DLL Rules” → New Rule → Permit → Path %PROGRAMFILES%\CPUID\.
  4. Set “Enforce rules” to “On” for DLL and Executable collections.
  5. In “Advanced” → enable “Enforce DLL rule collection” (critical for sideloading prevention).

For Windows Defender Application Control (WDAC) – more robust:
– Generate a base policy in audit mode:

New-CIPolicy -FilePath C:\WDAC\BasePolicy.xml -Level Publisher -UserPEs

– Convert to enforced policy and deploy via Group Policy or Merge-CIPolicy.
– Use `Citool.exe -refresh` to apply. WDAC blocks any unsigned or untrusted DLLs from loading, even if the main executable is trusted.

  1. Analyzing STX RAT: Indicators of Compromise and Network Forensics
    STX RAT, written in .NET, uses techniques like process hollowing and anti‑sandbox checks. Common IoCs include:
  • File names: winhelper64.dll, sysupdate.exe, `version.dll` (side‑loaded alongside CPU‑Z).
  • Registry persistence: `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` key named `SysHelper` or UpdateSVC.
  • Network signatures: C2 communication over TCP ports 443, 8080, or 8443 using custom XOR encryption.

Detection commands:

  • Check outbound connections to suspicious IPs: 
    netstat -ano | findstr :443 | findstr ESTABLISHED
  • Use TCPView (Sysinternals) to visually inspect processes with unexpected remote addresses.
  • Extract network connections from a memory dump using Volatility: 
    volatility -f memory.dmp --profile=Win10x64 netscan
  • For live hunting, run a PowerShell one‑liner to list all active connections with process names: 
    Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, @{Name="Process";Expression={(Get-Process -Id $_.OwningProcess).ProcessName}}
  1. Post‑Compromise Response: Eradicating STX RAT and Recovery Steps
    If a trojanized installer has been executed, follow this incident response plan:

1. Isolate the machine from the network immediately.

2. Kill malicious processes:

taskkill /IM cpu-z.exe /F
taskkill /IM stx_loader.exe /F (if visible)

3. Remove persistence using Sysinternals Autoruns:

  • Run `autoruns.exe` as admin → check “Logon” and “Scheduled Tasks” tabs.
  • Uncheck/delete entries pointing to unknown paths (e.g., %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\sysupdate.lnk).
  1. Delete the malicious DLL from the application folder (e.g., C:\Program Files\CPUID\version.dll). Reinstall the official CPU‑Z from a clean source.
  2. Run a full offline scan with Windows Defender Offline or a trusted third‑party AV.
  3. Reset all credentials used on the compromised host, as RATs often steal browser cookies and saved passwords.
  4. Review firewall logs for outbound connections to known malicious IPs (block them at perimeter).

  5. Supply Chain Defense: Verifying Software Signatures and Integrity Checks

Prevent future compromises by always verifying software authenticity.

Windows:

  • Before running any installer, check its digital signature: 
    Get-AuthenticodeSignature -FilePath .\cpu-z_installer.exe
  • Compare the SHA‑256 hash against the vendor’s official hash (if published): 
    certutil -hashfile cpu-z_installer.exe SHA256
  • Use `winget` to install trusted packages from Microsoft’s curated repository: 
    winget install CPUID.CPU-Z

Linux (for cross‑platform awareness):

While this specific attack targeted Windows, Linux users can learn by verifying GPG signatures of downloaded packages:

gpg --verify package.deb.asc package.deb
sha256sum package.deb

Always prefer official repositories over direct `.deb` or `.rpm` downloads.

  1. Linux and macOS Parallels: Lessons for Multi‑Platform Environments
    DLL sideloading on Windows is analogous to library hijacking on Unix systems. On Linux, an attacker could place a malicious `libc.so.6` or custom `.so` in the same directory as a setuid binary, exploiting `LD_LIBRARY_PATH` or RUNPATH. Defensive commands:
  • Check for insecure RPATH/RUNPATH in ELF binaries: 
    readelf -d /usr/bin/cpuz_linux | grep -E 'RPATH|RUNPATH'
  • Monitor library loads using `strace` or auditd: 
    strace -e openat /path/to/binary 2>&1 | grep "No such file"
  • On macOS, use `otool -L` to inspect dynamic dependencies and `codesign -dv` to verify signatures. Disable `DYLD_INSERT_LIBRARIES` in production environments.

What Undercode Say:

  • Trust but verify is dead – Even a long‑trusted vendor like CPUID can have its distribution pipeline compromised. Digital signature validation and hash checks before every installation are no longer optional.
  • DLL sideloading remains an underrated entry vector – Many EDRs focus on malicious executables but miss legitimate apps loading rogue libraries. Application whitelisting (AppLocker/WDAC) is the most effective mitigation.
  • RATs evolve quickly – STX RAT’s use of memory‑only execution and encrypted C2 traffic highlights the need for behavioral monitoring, not just signature‑based detection.
  • Incident response must include credential reset – RATs often linger to harvest session tokens; cleaning the host is insufficient without rotating all exposed secrets.

Prediction:

Supply chain attacks against system utilities and hardware monitoring tools will intensify over the next 12 months. Attackers increasingly realize that compromising a single, widely trusted software vendor can yield thousands of initial access points. We predict a rise in “silent updates” abused to push trojanized DLLs, along with more sophisticated sideloading that uses stolen code‑signing certificates. In response, Microsoft will likely tighten default application control in Windows 12 and mandate hardware‑enforced stack protection for dynamic library loading. Meanwhile, security teams must shift from reactive scanning to proactive integrity monitoring and zero‑trust software deployment models.

▶️ Related Video (70% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Hackermohitkumar Alert – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Related Posts: