STX RAT trojanized CPU-Z and HWMonitor distribution
Malware Activity
Summary
A trojanized CPU-Z and HWMonitor distribution pushed STX RAT through DLL side-loading, exposing downloaders to remote access and infostealing risk. The payload chain used a malicious CRYPTBASE.dll after anti-sandbox checks and external-server contact. The activity was tied to more than 150 victims, mostly individuals, with infections reported in Brazil, Russia, and China.
Related Happenings
Daemon Tools Lite trojanized installer campaign
Campaign
First: 07.05.2026 12:30
Last: 07.05.2026 12:30
Sources 1
About this happening:
A **trojanized Daemon Tools Lite installer campaign** is driving **several thousand infection attempts** across **more than 100 countries**, turning a trusted download into a malw...
DAEMON Tools Lite trojanized installer wave
Exploitation Wave
First: 06.05.2026 19:43
Last: 06.05.2026 19:43
Sources 1
About this happening:
Trojanized **DAEMON Tools Lite** installers backdoored **thousands of systems** in **more than 100 countries**, turning a trusted download path into a broad infection wave. The co...
DAEMON Tools trojanized-installer stealer and backdoor activity
Malware Activity
First: 05.05.2026 22:21
Last: 05.05.2026 22:21
Sources 1
About this happening:
A **DAEMON Tools** supply-chain compromise is delivering **trojanized installers** that install a **backdoor** and steal system data from downloaded systems. The activity has run...
QUIC RAT delivered through compromised DAEMON Tools installers
Malware Activity
First: 05.05.2026 19:07
Last: 05.05.2026 19:07
Sources 1
About this happening:
A follow-on **QUIC RAT** payload was delivered through compromised **DAEMON Tools installers**, extending the supply-chain intrusion into **remote access** on a small subset of in...
Latest development: 07.05.2026 12:30
Disc Soft released malware-free Daemon Tools Lite Version 12.6 on May 5 after being notified of the supply chain attack on its build environment, and the affected 12.5.1 build was removed from distribution so users could move to the cleaned release.
AVB Disc Soft hit by network compromise
Incident
First: 05.05.2026 19:07
Last: 05.05.2026 19:07
Sources 1
About this happening:
**DAEMON Tools** suffered a **supply-chain compromise** when **official installers** were **trojanized**, enabling malicious payload delivery and raising the risk of downstream in...
Latest development: 07.05.2026 12:30
Disc Soft released the malware-free Version 12.6 of Daemon Tools Lite on May 5 after being notified of the supply chain attack, removed the affected 12.5.1 package from support, and said the incident was contained after isolating affected systems, removing compromised files from distribution, auditing the build and release pipeline, rebuilding and validating installation packages, and strengthening internal security controls and monitoring.
Timeline
- 12.04.2026 08:54 · 1 article · 1mo ago
cpuid[.]com download links start redirecting to malicious sites
Exploitation Observed: Unknown threat actors compromised cpuid[.]com and replaced CPU-Z and HWMonitor installer download URLs with links to malicious websites, beginning a short watering-hole window that redirected users away from legitimate hardware-monitoring downloads.
Sources:
- CPUID Breach Distributes STX RAT via Trojanized CPU-Z and HWMonitor Downloads — thehackernews.com — 12.04.2026 08:54
- 12.04.2026 08:54 · 2 articles · 1mo ago
Trojanized CPU-Z and HWMonitor installers deliver STX RAT
Technical Analysis Update: Trojanized CPU-Z and HWMonitor packages were delivered as ZIP archives and standalone installers containing a legitimate signed executable plus a malicious CRYPTBASE.dll that used DLL side-loading, contacted an external server, performed anti-sandbox checks, and deployed STX RAT.
Sources:
- CPUID Breach Distributes STX RAT via Trojanized CPU-Z and HWMonitor Downloads — thehackernews.com — 12.04.2026 08:54
- 12.04.2026 08:54 · 1 article · 1mo ago
CPUID confirms the breach and Kaspersky reports victim scope
Initial Disclosure: CPUID publicly confirmed the breach as a compromise of a secondary feature or side API that caused the main site to display malicious links, and Kaspersky reported more than 150 victims, mostly individuals, with infections in Brazil, Russia, and China and additional impact on retail, manufacturing, consulting, telecommunications, and agriculture organizations.
Sources:
- CPUID Breach Distributes STX RAT via Trojanized CPU-Z and HWMonitor Downloads — thehackernews.com — 12.04.2026 08:54