CPUID Got Hacked for 6 Hours — 150 People Downloaded a Fake CPU-Z With a Full RAT Inside
Honestly, the one tool every PC builder trusts just got turned into a weapon. For six hours, downloading HWMonitor from the official site gave you a remote access trojan instead.
Between April 9–10, 2026, hackers broke into CPUID’s website and swapped the real downloads for CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor with trojanized copies — infecting 150+ users in Brazil, Russia, China, and more.
The malware? A thing called STX RAT — a remote access trojan (basically a backdoor that gives hackers full control of your PC). It stole browser passwords, crypto wallets, VPN logins, and session cookies. All from a site you’ve been downloading from since you built your first rig. [Source: Tom’s Hardware]

🧩 Dumb Mode Dictionary
| Term | What It Actually Means |
|---|---|
| Supply chain attack | Instead of attacking YOU directly, hackers attack a trusted tool you download — so the poison comes wrapped in something you trust |
| DLL sideloading | Tricking a legit program into loading a fake helper file (a .dll) instead of the real one — like swapping someone’s vitamins with cyanide pills |
| RAT (Remote Access Trojan) | Malware that gives a hacker full remote control of your computer — they can see your screen, steal your files, the works |
| Trojanized installer | A normal-looking setup file that secretly installs malware alongside (or instead of) the program you wanted |
| Session cookies | Little files your browser uses to keep you logged in — steal those and a hacker IS you on that site, no password needed |
| Cloudflare R2 | A cloud storage service — the attackers stored their fake downloads there to make them load fast and look legit |
| Anti-sandbox checks | The malware checks if it’s being analyzed in a security lab — if yes, it plays dead so researchers can’t study it |
🔍 How the Attack Actually Worked
This wasn’t some random phishing email. The attackers found a weak spot — a secondary API (basically a side door that connects to the website’s backend) — and used it to silently swap download links on CPUID’s official site.
- What got hit: CPU-Z v2.19, HWMonitor v1.63, HWMonitor Pro v1.57, PerfMonitor v2.04
- How it worked: Download links were redirected to attacker-controlled Cloudflare R2 storage buckets
- Only 64-bit versions were affected — the malicious cryptbase.dll was placed next to the legit .exe
- When you ran the installer, it loaded the fake DLL first (Windows checks the program’s own folder before the system folder — classic DLL search order hijacking)
- The malware ran entirely in memory across 5 stages — XOR decryption, reflective loading, bitwise transformations. No files on disk to catch.
CPUID founder Samuel Demeulemeester confirmed the breach was found and patched. Current downloads are safe. (Cybernews report)
🎯 What STX RAT Actually Stole
Once it was in, STX RAT went shopping through your entire digital life:
- Browser credentials — saved passwords from Chrome, Firefox, Edge
- Session cookies — instant login to your accounts without passwords
- Crypto wallet keys — MetaMask, Exodus, anything in your browser extensions
- Password manager data — if your vault was unlocked, it was fair game
- VPN and FTP credentials — your “secure” connections, handed over
- It specifically used Chrome’s IElevation COM interface to decrypt stored credentials (that’s the same API Chrome uses internally to protect your passwords — the RAT just… asked nicely)
The same command-and-control server was previously linked to a fake FileZilla campaign in March 2026. Same attackers, different bait.
📊 The Receipts
| Stat | Number |
|---|---|
| Time the site was compromised | ~6 hours |
| Confirmed malicious downloads | 150+ |
| Products affected | 4 (CPU-Z, HWMonitor, HWMonitor Pro, PerfMonitor) |
| Malware stages in memory | 5 |
| Countries with confirmed infections | Brazil, Russia, China + more |
| Sectors hit | Retail, manufacturing, telecom, consulting, agriculture |
| Windows Defender catch rate | Most caught it before execution |
| Attackers identified | Unknown (linked to March FileZilla campaign) |
🗣️ What People Are Saying
- CPUID’s founder: “A secondary feature (basically a side API) was compromised for approximately six hours… our signed original files were not compromised.”
- vx-underground (malware research group): Pointed out the C2 server matches the March fake FileZilla site — meaning this crew has been running supply-chain poisoning campaigns for months
- Security researchers at Cyderes: Published a full breakdown of the 5-stage in-memory execution chain
- The PC building community: Collectively had a “wait, I literally just downloaded that last week” moment
- The Russian install prompt was apparently a giveaway — but honestly, how many of us actually read installer windows? Exactly.
⚙️ Why This Matters More Than You Think
Okay but seriously — this is the exact nightmare scenario for supply-chain security. CPU-Z and HWMonitor aren’t some sketchy utilities from a random forum. These are the tools that hardware reviewers, overclockers, system admins, and basically every PC builder on the planet has used at some point.
The attack wasn’t sophisticated in concept (swap links → serve malware). What was sophisticated was the malware itself — five stages, entirely in memory, anti-analysis tricks, going after the Chrome credential API directly. This is professional-grade stuff.
And 150 users sounds small, but several of those were organizations — meaning the RAT potentially had access to corporate networks, not just some kid’s gaming rig. One infected telecom employee’s machine could be the entry point for something much bigger.
The lesson? Even official sites from trusted developers can become watering holes. Your “safe” download habit of “always get it from the official site” isn’t enough anymore.
Cool. So Trusted Downloads Are Cooked Now… What the Hell Do We Do? ( ͡ಠ ʖ̯ ͡ಠ)

🕳️ The Hash Checker Hustle
Every legit software publisher posts file hashes (like SHA-256 checksums) — a unique fingerprint for the real file. But almost nobody checks them. Build a dead-simple browser extension or desktop widget that auto-verifies downloaded files against known-good hashes from the publisher’s site. Make it one click. Target the PC builder / sysadmin crowd who downloads tools like CPU-Z, Rufus, 7-Zip constantly.
Monetize through a freemium model — free for personal use, paid tier for teams that need audit logs. Nobody’s done this in a way that’s actually frictionless.
Example: A 24-year-old dev in Poland builds “HashGuard,” a free tray app that auto-checks every .exe download against a curated hash database. Posts it on r/sysadmin and GitHub. 8,000 stars in a week. Enterprise tier at $5/seat/month. 200 small MSPs sign up in month two — $12K MRR.
Timeline: First version shipped in 3 days (it’s honestly a simple app). First paying users within 2 weeks of Reddit launch. Plateau at ~$30K MRR unless you land a big compliance customer. Window closes when browsers add this natively — maybe 18 months.
📡 The Supply Chain Canary
Set up automated monitoring that downloads popular free tools (CPU-Z, HWMonitor, Rufus, PuTTY, WinSCP, FileZilla — the whole Greatest Hits of Windows utilities) every 30 minutes, hashes them, and compares against known-good versions. When a hash changes unexpectedly? Instant alert to a subscriber list.
This is a VirusTotal meets early-warning system for supply-chain attacks. Charge security teams for the API. The data is gold — you’d have caught this CPUID breach within 30 minutes instead of 6 hours.
Example: A 28-year-old security analyst in Romania sets up 40 cron jobs on a $5/month VPS that download and hash popular tools every 30 min. Wraps it in a Telegram bot and Discord webhook. Posts the free version on Hacker News. Gets picked up by 3 threat intel firms who want API access at $200/month each. Bootstrapped to $2K/month with zero ad spend.
Timeline: Working prototype in 2 days (it’s literally wget + sha256sum + diff in a loop). First subscribers within a week of a well-timed HN post. Real money comes when you catch an actual breach live — your credibility skyrockets. Shelf life: indefinite, supply-chain attacks aren’t going away.
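The HashGuard-style one-click check (🕳️ section) and the canary loop described here both come down to the same SHA-256 comparison, so here is that core as one added Python example (mine, not code from the page or from any tool it mentions). The installer filename, its bytes, the "published" hash and the baseline file are all constructed; real use would point it at actual downloads and the hash printed on the publisher's site.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a multi-hundred-MB installer never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, publisher_hash):
    """HashGuard-style check: does the file on disk match the SHA-256 the publisher posted?"""
    return hmac.compare_digest(sha256_file(path), publisher_hash.strip().lower())

def canary_check(artifacts, baseline_file):
    """Canary-style check: hash every artifact and compare it with the stored baseline.
    Returns the names whose hash changed. New artifacts are recorded; changed ones are NOT
    overwritten, because a human has to decide whether it was a release or a swap."""
    baseline = json.loads(baseline_file.read_text()) if baseline_file.exists() else {}
    changed = []
    for name, path in artifacts.items():
        digest = sha256_file(path)
        if name not in baseline:
            baseline[name] = digest
        elif baseline[name] != digest:
            changed.append(name)
    baseline_file.write_text(json.dumps(baseline, indent=2))
    return changed

def demo():
    """Constructed scenario: a 'good' installer, then its bytes silently swapped (no real CPUID files)."""
    work = Path(tempfile.mkdtemp())
    installer = work / "cpu-z_2.19-en.exe"  # constructed filename, not a real download
    installer.write_bytes(b"legit installer bytes")
    published = sha256_file(installer)      # stands in for the hash printed on the publisher's page
    good = verify_download(installer, published)
    first_run = canary_check({"cpu-z": installer}, work / "baseline.json")   # [] : baseline learned
    installer.write_bytes(b"legit installer bytes\x00trojanized")         # the link now serves other bytes
    after_swap = verify_download(installer, published)
    second_run = canary_check({"cpu-z": installer}, work / "baseline.json")  # ["cpu-z"] : alert
    (work / "abc.bin").write_bytes(b"abc")  # known-answer check for the hasher itself
    return good, after_swap, first_run, second_run, sha256_file(work / "abc.bin")
```

Run on a schedule, canary_check is the whole "wget + sha256sum + diff in a loop" idea: the first pass learns the baseline, and any later pass that returns a non-empty list is your alert.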
🎣 The DLL Sideload Audit Kit
DLL sideloading (tricking programs into loading a fake helper file) is the #1 technique used in these attacks. Build a free scanning tool that checks a user’s installed software for DLL sideload vulnerabilities — does this .exe load DLLs from its own folder before the system folder? Is the folder writable by non-admins?
Package it as a penetration testing tool for red teams AND as a defensive scanner for blue teams. Post on GitHub. The hustle: consulting gigs and custom enterprise scanning for companies who realize their entire software stack is vulnerable to this.
Example: A 31-year-old pentester in Turkey builds “SideloadScan” — a Python script that scans Program Files for sideload-vulnerable executables. Open-sources it, writes a blog post with results from scanning 500 popular Windows apps. Gets invited to speak at BSides. Lands 3 consulting contracts at $5K each within a month from companies who saw their own apps in the vulnerable list.
Timeline: Script takes a weekend. Blog post + GitHub launch in week 2. First consulting inquiry within days of the blog going viral on InfoSec Twitter. Scales into a product if you add continuous monitoring. This play has multi-year legs.
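An added Python sketch (my own, not the "SideloadScan" tool the section imagines) of the defensive audit it describes: for every folder that holds an .exe, flag a DLL whose name shadows a Windows system DLL and record whether the folder is writable by a non-admin user. The directory layout and file names in demo() are constructed; cryptbase.dll is the name from this incident, and the seed list is a placeholder you extend from a real System32 listing.

```python
import os
import tempfile
from pathlib import Path

# Names Windows normally resolves from System32. One of these sitting next to an application .exe
# is exactly the CPUID pattern (cryptbase.dll beside the installer). Seed list only; on a Windows
# box system_dll_names() extends it from the real System32 listing.
KNOWN_SYSTEM_DLLS = {"cryptbase.dll"}

def system_dll_names(system32=None):
    """Shadow-check list: live System32 contents when available, plus the seed list."""
    if system32 is None and os.environ.get("SystemRoot"):
        system32 = Path(os.environ["SystemRoot"]) / "System32"
    names = set(KNOWN_SYSTEM_DLLS)
    if system32 and Path(system32).is_dir():
        names |= {p.name.lower() for p in Path(system32).glob("*.dll")}
    return names

def audit_sideload(root, system_dlls=None):
    """Walk root; in every folder holding an .exe, report DLLs whose name shadows a system DLL and
    whether the folder is writable by the current (assumed non-admin) user."""
    system_dlls = system_dlls or system_dll_names()
    findings = []
    for folder, _, files in os.walk(root):
        names = sorted(f.lower() for f in files)
        exes = [f for f in names if f.endswith(".exe")]
        if not exes:
            continue  # no loader here, so a stray DLL is not a sideload candidate
        for dll in (f for f in names if f.endswith(".dll") and f in system_dlls):
            findings.append({
                "folder": folder,
                "exes": exes,
                "dll": dll,
                "folder_writable": os.access(folder, os.W_OK),  # non-admin writable = planting risk
            })
    return findings

def demo():
    """Constructed layout mimicking the trojanized download (no real files or malware involved)."""
    root = Path(tempfile.mkdtemp())
    bad = root / "Downloads" / "cpu-z"
    bad.mkdir(parents=True)
    (bad / "cpu-z_2.19-en.exe").write_bytes(b"MZ constructed")   # constructed installer name
    (bad / "cryptbase.dll").write_bytes(b"MZ constructed")       # the shadowing DLL from the article
    clean = root / "Program Files" / "7-Zip"
    clean.mkdir(parents=True)
    (clean / "7z.exe").write_bytes(b"MZ constructed")
    (clean / "7z.dll").write_bytes(b"MZ constructed")  # the app's own DLL, not a system name: no finding
    return audit_sideload(root, system_dlls=KNOWN_SYSTEM_DLLS)
```

A finding with folder_writable set is the one to chase first: it means an unprivileged process could have dropped that DLL there, which is the "is the folder writable by non-admins?" question from the section.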
🪟 The Patch Window Flipper
Right now, between when a supply-chain attack is discovered and when it makes mainstream news, there’s a 24-72 hour gap where most users don’t know. During this window, security-aware resellers on eBay/Amazon who sell pre-configured PCs and USB toolkits can pivot HARD — market “verified clean” utility USB sticks with hash-checked versions of popular tools.
The PC building community is paranoid right now. Sell them peace of mind: a $15 USB stick with CPU-Z, HWMonitor, CrystalDiskMark, Rufus, and 20 other essentials, all verified, all signed. Update it monthly. Subscription model for the USB image file.
Example: A 19-year-old in Indonesia who already sells custom PC build kits on Tokopedia adds a “Verified Tool Pack” USB for $12. Posts a TikTok showing the CPUID hack and saying “this is why I check every hash.” Sells 400 units in the first week. Pivots to a $3/month digital download of the verified pack.
Timeline: First USB listed within a day. Sales spike immediately after the news cycle. Revenue drops to a trickle after 3 weeks unless you keep updating with new tools and new scares. Best as a side income stacked on top of existing hardware sales.
🔐 The Cookie Monster Defense
STX RAT’s main prize was session cookies — those little tokens that keep you logged in. Most people don’t know you can delete all your cookies and re-authenticate, or use browser profiles to isolate sensitive logins. Build a step-by-step “post-breach cleanup” guide specifically for the CPUID victims (and anyone else who’s been popped). Offer it free. Upsell a “digital hygiene audit” service where you remote into their machine, verify they’re clean, rotate all credentials, and set up proper isolation.
The timing is perfect — 150+ people just got compromised and most don’t know what to do next.
Example: A 26-year-old IT support freelancer in the Philippines writes a free Notion guide called “You Got RAT’d: Now What” — 12 steps from running Malwarebytes to rotating every password to setting up browser profiles. Posts it everywhere the CPUID news is being discussed. Offers a $50 “done for you” remote cleanup session. Gets 30 bookings in the first 5 days just from Reddit threads.
Timeline: Guide written in one evening. First booking within 24 hours of posting in the right threads. This is a short burst play — maybe 2-3 weeks of high demand, then it becomes a template you reuse every time a new supply-chain breach drops (and they drop every few months now).
🛠️ Follow-Up Actions
| Want To… | Do This |
|---|---|
| Check if you downloaded the bad version | Verify your CPU-Z/HWMonitor installer hash against CPUID’s official hashes — if you downloaded between April 9-10, assume compromised |
| Scan for STX RAT | Run Malwarebytes + Windows Defender full scan. Check for cryptbase.dll in your CPU-Z / HWMonitor folders |
| Protect your browser creds | Clear all cookies, reset all passwords, enable 2FA everywhere. Consider Bitwarden if you’re still saving passwords in Chrome |
| Prevent DLL sideloading | Run software from Program Files (which requires admin to write to), not random folders. Use Windows Defender ASR rules |
| Verify future downloads | Always check SHA-256 hashes. Use HashCheck shell extension for right-click verification |
Quick Hits
- Downloaded CPU-Z/HWMonitor on April 9-10? Run a full Malwarebytes scan immediately
- Stop saving passwords in Chrome. Switch to Bitwarden (free) and enable 2FA on everything
- Log out of all devices on Google, Discord, GitHub, etc. — session cookies mean the hacker doesn’t need your password
- Install HashCheck — right-click any file to see its SHA-256 hash, compare with official site
- Follow @vabornh and vx-underground for real-time malware intel
The official site WAS the malware site. Sleep tight, fam.