CPU-Z Got Hijacked for 6 Hours — And Installed a Spy on Every PC That Downloaded It
The most trusted hardware tool in PC building just served malware to the exact people who’d have admin access to everything.
For ~6 hours on April 9-10, anyone who downloaded CPU-Z or HWMonitor from the official CPUID website got a hidden remote-access trojan called STX RAT — which steals browser passwords, crypto wallets, session cookies that bypass 2FA, and VPN credentials. The victims? IT admins, sysadmins, and data center engineers. The people with the keys to the kingdom.
CPU-Z has tens of millions of users. It’s the first thing every PC builder, overclocker, and IT professional downloads. And for six hours, the official download page was quietly swapped to serve trojanized installers hosted on attacker-controlled servers.

🧩 Dumb Mode Dictionary
| Term | What It Actually Means |
|---|---|
| Supply chain attack | Instead of hacking YOU, they hack the tool you trust → you hack yourself by installing it |
| RAT (Remote Access Trojan) | A hidden program that lets someone else control your computer without you knowing |
| DLL sideloading | Sneaking a fake file next to a real program so the real program accidentally runs the fake one |
| Session cookies | Little files that keep you logged in — steal one and you’re “logged in” as that person, no password needed |
| HVNC | Hidden desktop — the attacker uses your computer in an invisible window you can’t see |
| C2 server | The attacker’s home base — where your stolen data gets sent |
| MFA bypass | Getting around two-factor authentication by stealing the cookie AFTER you already logged in |
📖 What Happened — The 6-Hour Window
On April 9, 2026, around 3:00 PM UTC, attackers breached a secondary API on CPUID’s servers. They swapped the download links for four products:
- CPU-Z v2.19
- HWMonitor v1.63
- HWMonitor Pro v1.57
- PerfMonitor v2.04
Instead of pointing to CPUID’s real files, the links redirected to a Cloudflare R2 storage bucket controlled by the attackers. The trojanized installers looked identical to the real ones. They even installed the real software — but silently dropped a malicious file alongside it.
CPUID fixed it roughly 6 hours later, by April 10 at ~10:00 AM UTC. But anyone who downloaded during that window? Already infected.
⚙️ What STX RAT Actually Does To Your Machine
This isn’t some lazy keylogger. STX RAT is a multi-stage, memory-only payload that runs through five layers of encryption before it even starts working. Here’s what it does once it’s in:
- Steals every saved password from Chrome, Firefox, Edge, and SeaMonkey
- Grabs session cookies — meaning it can log into your accounts WITHOUT needing your password or 2FA code
- Opens a hidden desktop (HVNC) — the attacker literally uses your computer in an invisible window while you work normally
- Raids crypto wallets — Electrum, Litecoin-Qt, and others sitting on your desktop
- Steals VPN and FTP credentials from FileZilla and WinSCP → opens the door to your company’s servers
- Phones home to welcome[.]supp0v3[.]com with your full system profile tagged by which software you downloaded
And here’s the kicker: it checks if it’s running in a virtual machine or sandbox first. If it detects analysis tools, it shuts itself down. It was built to avoid being caught.
📊 The Numbers
| Stat | Detail |
|---|---|
| Window of infection | ~6 hours (April 9 3PM → April 10 10AM UTC) |
| Products affected | 4 (CPU-Z, HWMonitor, HWMonitor Pro, PerfMonitor) |
| CPU-Z userbase | Tens of millions globally |
| Malware stages | 5 layers, entirely in-memory |
| Top victim countries | Brazil, Russia, China |
| Sectors hit | Retail, manufacturing, telecom, consulting, agriculture |
| Prior STX RAT target | Financial services (February 2026) |
| C2 domain | welcome[.]supp0v3[.]com (linked to March 2026 campaign) |
🔍 Why This Hit Matters More Than a Normal Hack
Between you and me, this is the nastiest kind of attack because of WHO it targets.
Think about it: who downloads CPU-Z? Not your grandma. It’s the IT admin at a company with 500 employees. The sysadmin running a data center. The security researcher checking a suspicious machine. These people have admin-level access to networks, servers, and infrastructure.
One infected sysadmin → access to an entire company network. One stolen session cookie from a cloud admin → full access to AWS, Azure, or GCP dashboards. No password needed.
The attackers didn’t just tag victims randomly. They used campaign IDs like “CPZ” for CPU-Z downloads and “monitor3” for HWMonitor — meaning they could sort victims by job function later.
🗣️ What People Are Saying
Cyderes (security firm that found it): “The targeting of system monitoring tools represents a deliberate strategy… these tools are predominantly used by IT professionals and system administrators — high-value targets with elevated privileges.”
Tom’s Hardware: Called it a “supply chain nightmare” where the official site itself became the weapon.
Multiple security researchers: Pointed out the same C2 domain was used in an earlier campaign against financial firms in February → same group, getting bolder.
CPUID: Confirmed the breach, said a “secondary API” was compromised. Haven’t said much else.
Cool. So the most popular hardware tool just turned into a trojan horse for 6 hours. Now What the Hell Do We Do? (ง •̀_•́)ง

🔍 Hustle #1: Build a Download Verification Bot for IT Teams
Here’s what you do: most IT departments download tools like CPU-Z, Sysinternals, Wireshark from official sites and just… trust them. Nobody checks file hashes. Build a simple Telegram or Slack bot that IT teams add to their channel. Before anyone installs a downloaded .exe, they drop it in the chat → the bot checks the SHA256 hash against VirusTotal’s free API and known-good hashes. Charge IT departments $15-30/month. Takes a weekend to build with Python.
Example: A freelancer in Lisbon built a similar Slack bot for three managed service providers in Portugal. Each pays €25/month. He added auto-alerts when popular tools get compromised (like this CPU-Z incident) → clients renewed instantly because it saved them from exactly this scenario.
Timeline: Bot MVP in 1-2 days. First 5 paying teams within 3 weeks if you pitch it in IT admin Discord servers and r/sysadmin.
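The two checks the bot in Hustle #1 needs, plus the one that would have caught the swapped links described under "What Happened", as an added Python example (not CPUID's code and not from the original post): it pins known-good SHA256 values and rejects any installer whose final download host is not on an allowlist. The trusted-host list, the product key and the installer bytes are constructed placeholders; a real deployment pins the hashes CPUID publishes.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Hosts the genuine installers are expected to come from. This is an ASSUMED
# allowlist for the example; confirm CPUID's real download hosts before use.
# In the incident the official page looked normal but its links pointed at an
# attacker-controlled Cloudflare R2 bucket, so checking the final download host
# catches the swap even when the page itself is genuine.
TRUSTED_HOSTS = {"www.cpuid.com", "download.cpuid.com"}

# Constructed stand-ins for installer contents. A real bot pins the SHA256
# values CPUID publishes on its download page rather than hashing samples.
GENUINE_INSTALLER = b"constructed sample: genuine CPU-Z 2.19 installer bytes"
TROJANIZED_INSTALLER = GENUINE_INSTALLER + b" + sideloaded DLL dropper"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large installers never sit in memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

# Pinned known-good digests keyed by product/version (constructed here).
KNOWN_GOOD = {"cpu-z-2.19": sha256_hex(GENUINE_INSTALLER)}

def host_is_trusted(url: str) -> bool:
    return (urlparse(url).hostname or "").lower() in TRUSTED_HOSTS

def verify_download(product: str, url: str, data: bytes) -> tuple[bool, list[str]]:
    """Return (ok, findings). Both checks always run so the report is complete."""
    findings = []
    if not host_is_trusted(url):
        findings.append(f"download host not on allowlist: {urlparse(url).hostname}")
    expected = KNOWN_GOOD.get(product)
    if expected is None:
        findings.append(f"no pinned hash for {product}; cannot vouch for it")
    elif not hmac.compare_digest(sha256_hex(data), expected):
        findings.append("SHA256 does not match the pinned known-good value")
    return (not findings, findings)

if __name__ == "__main__":
    # A file that matches the pinned hash but came from an unexpected bucket still fails.
    print(verify_download("cpu-z-2.19", "https://pub-example.r2.dev/cpu-z_2.19-en.exe", GENUINE_INSTALLER))
```

Wire `sha256_file` in place of `sha256_hex` when the bot receives a real file path; the host check runs on the URL the user was actually served, not the page they clicked on.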
💰 Hustle #2: 'Clean Software Kit' Service for Small Businesses
Most small businesses (5-50 employees) don’t have a sysadmin. When they set up a new PC, someone Googles “CPU-Z download” and clicks whatever looks right. Here’s the angle: offer a “verified software bundle” — a USB drive or private download link with pre-verified, hash-checked versions of the 30 most common IT tools (CPU-Z, HWMonitor, 7-Zip, Notepad++, PuTTY, etc). Charge $50-100 per bundle, update monthly. Market it to computer repair shops and small MSPs who set up PCs for clients.
Example: A guy running a small computer repair shop in Medellín, Colombia started selling “clean install kits” on MercadoLibre after the CPUID breach made local tech news. He bundles verified tools + a one-page security checklist in Spanish. Selling 15-20 kits/month at ~$40 each to other repair shops.
Timeline: First kit assembled in a day. Local repair shops will buy within a week if you show up with the CPU-Z news as your pitch.
📱 Hustle #3: Supply Chain Alert Newsletter for IT Pros
Between you and me, IT people are drowning in security news and missing the stuff that actually matters to them. Start a hyper-focused newsletter: “Was Your Download Safe This Week?” — one email, every Friday, listing ONLY supply chain compromises that affect popular tools. Not general security news. Just “Hey, CPU-Z was compromised Tuesday, here’s the bad hash, here’s the clean one.” Use BleepingComputer, The Hacker News, and Cyderes’ blog as sources. Monetize with job board ads from security companies. Free tier + $5/month “instant alert” tier.
Example: A security analyst in Jakarta started a similar Substack after the npm supply chain attack in early April. He writes in both English and Bahasa Indonesia. 2,400 subscribers in three weeks. Now gets sponsorship inquiries from security tool companies wanting to reach his audience.
Timeline: First issue in one evening. 500+ subscribers within 2 weeks by posting in r/sysadmin, r/netsec, and IT admin Facebook groups.
🛠️ Hustle #4: Hash-Check Browser Extension That Flags Sketchy Downloads
Everyone checks downloads AFTER they get infected. Flip that. Build a browser extension that intercepts .exe and .msi downloads, pauses them, and checks the file hash against a database of known-good versions using Hybrid Analysis or MetaDefender’s free API. If the hash doesn’t match the expected one → big red warning. Chrome Web Store + Firefox Add-ons. Free with a “pro” tier ($3/month) that adds real-time alerts when popular software sites get compromised.
Example: A CS student in Kraków built a Chrome extension that does basic hash checking for popular dev tools. Got featured in a Polish tech blog after this CPU-Z news. 8,000 installs in the first week. Now adding a paid tier that covers enterprise deployment.
Timeline: Working extension in 3-5 days. Submit to Chrome Web Store, post in security subreddits. Ride every future supply chain story as free marketing.
🧠 Hustle #5: 'Supply Chain Audit' Gig for MSPs
Managed service providers (MSPs) handle IT for dozens of small companies. They all have a standard “toolkit” they install on every client machine. After this CPU-Z incident, every MSP is nervous about their download sources. Here’s the play: offer a one-time “supply chain audit” — you check every tool in their standard kit, verify download sources, document hash values, and set up a monitoring system using free tools like Munin hash checker. Charge $200-500 per audit. It’s a one-day job that looks incredibly professional when you hand them a branded PDF report.
Example: A freelance IT consultant in Cape Town emailed 12 local MSPs the day after this breach with the subject line “Is your toolkit safe?” — attached the Cyderes report as proof. Got 4 replies, closed 3 audits at R4,000 (~$220) each within a week. Two of them turned into monthly retainer clients.
Timeline: First audit delivered within 2 days. Cold-email local MSPs with this news article attached. They’re already scared — you’re the solution.
🛠️ Follow-Up Actions
| Step | Action |
|---|---|
| 1 | If you downloaded CPU-Z or HWMonitor between April 9-10, scan with Malwarebytes and check for connections to supp0v3[.]com |
| 2 | Change your passwords, especially browser-saved ones for banking, email, and cloud dashboards |
| 3 | Log out of everything everywhere — stolen cookies work until the session expires |
| 4 | Check your CPU-Z/HWMonitor file hash against CPUID’s official page |
| 5 | VirusTotal and Hybrid Analysis should be muscle memory before running any .exe |
| 6 | If you run a network, block the domain welcome[.]supp0v3[.]com at the firewall level |
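Steps 1 and 6 above, and the phone-home behaviour described under "What STX RAT Actually Does", in code: an added Python example (not from the original post or from Cyderes) that scans proxy log lines for the reported C2 domain and for installer downloads inside the stated window, matching domains on label boundaries so look-alike hosts are not flagged by accident. The log lines, and every hostname in them other than welcome.supp0v3.com, are constructed.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Infection window stated in the write-up: April 9 2026 15:00 UTC to April 10 2026 10:00 UTC.
WINDOW_START = datetime(2026, 4, 9, 15, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 10, 10, 0, tzinfo=timezone.utc)

# C2 domain from the report (de-fanged on the page as welcome[.]supp0v3[.]com) plus its parent.
C2_DOMAINS = ("welcome.supp0v3.com", "supp0v3.com")
# Installer names worth flagging when fetched inside the window.
PRODUCT_RE = re.compile(r"(cpu-?z|hwmonitor|perfmonitor)[^/]*\.(exe|msi)$", re.I)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Constructed proxy log sample: "<UTC timestamp> <client IP> <method> <URL>". Every host except
# the reported C2 is a placeholder, not observed infrastructure.
SAMPLE_LOG = """\
2026-04-09T14:10:00Z 10.0.0.5 GET https://www.cpuid.com/softwares/cpu-z.html
2026-04-09T16:42:13Z 10.0.0.5 GET https://pub-example.r2.dev/cpu-z_2.19-en.exe
2026-04-09T16:45:02Z 10.0.0.5 POST https://welcome.supp0v3.com/
2026-04-10T11:30:00Z 10.0.0.9 GET https://www.cpuid.com/downloads/hwmonitor_1.63.exe
2026-04-10T12:00:00Z 10.0.0.9 GET https://supp0v3.com.evil.test/
"""

def is_c2(host: str) -> bool:
    # Match on label boundaries: supp0v3.com.evil.test must NOT be a hit.
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

def scan(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client, tag, host) per suspicious line; tag is 'c2' or 'window-download'."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip malformed lines rather than crash mid-scan
        ts_s, client, _method, url = m.groups()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        host = (urlparse(url).hostname or "").lower()
        if is_c2(host):
            hits.append((client, "c2", host))
        elif WINDOW_START <= ts <= WINDOW_END and PRODUCT_RE.search(url):
            hits.append((client, "window-download", host))
    return hits

def clients_to_triage(log_text: str) -> set[str]:
    return {client for client, _tag, _host in scan(log_text)}

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A host that only downloaded inside the window is a triage candidate; a host that also reached the C2 domain is a confirmed infection and should be isolated before the password and session resets in steps 2 and 3.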
Quick Hits
- Search your downloads folder for CPU-Z/HWMonitor files dated April 9-10 and scan on VirusTotal
- Always verify SHA256 hashes — CPUID lists them on their site
- Build the download verification bot (Hustle #1) — IT teams will pay for this today
- Follow BleepingComputer and The Hacker News for supply chain alerts
- Read Cyderes’ deep-dive report — it’s the best breakdown
The tool you trust to check your hardware just checked your passwords instead — and sent them somewhere in plaintext.