
The Download That Looked Safe

  • Javier Conejo del Cerro
  • Apr 14
  • 2 min read

The compromise of CPUID’s distribution infrastructure reveals a recurring and dangerous pattern in modern cyberattacks: the weaponization of trust in legitimate software sources. For less than 24 hours, attackers hijacked download links for widely used tools like CPU-Z and HWMonitor, turning them into delivery mechanisms for STX RAT. What makes this attack particularly effective is not its sophistication, but its precision—targeting users at the exact moment they believe they are making a safe download.


Phase 1: Initial Compromise — Controlling the Source


The attack began with the compromise of a secondary API within the CPUID infrastructure. While the core system and signed binaries remained intact, this auxiliary component allowed attackers to inject malicious links into the download process.

This subtle manipulation ensured that users were redirected to attacker-controlled domains without raising immediate suspicion.


Phase 2: Delivery — The Trojanized Installer


Victims downloading CPU-Z or HWMonitor received trojanized packages hosted on malicious websites.

These packages contained:

  • Legitimate signed executables

  • A malicious DLL (“CRYPTBASE.dll”)

By combining authentic binaries with a rogue DLL, attackers leveraged DLL side-loading to execute malicious code while maintaining the appearance of legitimacy.


Phase 3: Execution — Silent Infection


Once executed, the malicious DLL initiated communication with external servers and performed anti-sandbox checks to avoid detection.

It then downloaded additional payloads, ultimately deploying STX RAT—a remote access trojan with extensive capabilities, including:

  • Remote desktop control (HVNC)

  • Credential harvesting

  • In-memory execution of payloads

  • Reverse tunneling and proxying

This allowed attackers to fully control compromised systems without triggering traditional detection mechanisms.


Phase 4: Persistence & Exploitation


With STX RAT active, attackers gained persistent access to infected machines.

They could:

  • Execute commands remotely

  • Move laterally within networks

  • Exfiltrate sensitive data

  • Deploy additional malware

The reuse of infrastructure and techniques from previous campaigns (e.g., trojanized FileZilla installers) suggests a Russian-speaking actor with moderate operational security, likely motivated by financial gain or acting as an initial access broker.


Measures to Fend Off


  • Download software only from verified and official sources

  • Validate file hashes and digital signatures before execution

  • Monitor for DLL side-loading behavior

  • Detect unusual outbound connections to unknown domains

  • Use behavioral EDR to identify stealthy execution patterns

  • Audit systems for unauthorized persistence mechanisms
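A triage check that ties the side-loading pattern from Phase 2 to the hash-validation and side-loading-monitoring measures above. This is an added example, not code from the article or from CPUID: it walks an extracted package, flags any DLL carrying a well-known Windows system-DLL name that sits beside an executable, and compares its SHA-256 with a trusted System32 hash the analyst supplies from a clean host. The file names, byte contents and the two DLL names other than CRYPTBASE.dll are constructed assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# DLL names commonly abused for side-loading. CRYPTBASE.dll is the one named
# in the article; the other two are illustrative additions (assumption).
SIDELOAD_NAMES = {"cryptbase.dll", "version.dll", "dbghelp.dll"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_candidates(package_dir, trusted_hashes):
    """Return [(relative_path, sha256, verdict)] for suspicious DLLs.

    trusted_hashes maps lowercase DLL name -> SHA-256 of the copy in
    %SystemRoot%\\System32 on a known-clean host. A DLL that is not on the
    KnownDLLs list is resolved from the application directory before
    System32, so a same-named file beside an .exe is the side-loading setup.
    """
    package_dir = Path(package_dir)
    findings = []
    for dirpath, _, files in os.walk(package_dir):
        has_exe = any(f.lower().endswith(".exe") for f in files)
        for f in files:
            name = f.lower()
            if name not in SIDELOAD_NAMES or not has_exe:
                continue
            dll = Path(dirpath) / f
            digest = sha256_of(dll)
            verdict = "MATCHES_SYSTEM32" if digest == trusted_hashes.get(name) else "ROGUE"
            findings.append((dll.relative_to(package_dir).as_posix(), digest, verdict))
    return findings


def demo(rogue=True):
    """Scan a constructed package layout (placeholder bytes, no real binaries)."""
    genuine, planted = b"MZ-genuine-cryptbase", b"MZ-planted-cryptbase"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cpuz_x64.exe").write_bytes(b"MZ-signed-cpuz-placeholder")
        (root / "CRYPTBASE.dll").write_bytes(planted if rogue else genuine)
        trusted = {"cryptbase.dll": hashlib.sha256(genuine).hexdigest()}
        return find_sideload_candidates(root, trusted)
```

A `MATCHES_SYSTEM32` verdict still deserves a look, since a legitimate installer has no reason to ship its own copy of a system DLL; `ROGUE` is the pattern this campaign used.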


This campaign underscores a critical reality: attackers no longer need to break trust—they can hijack it.


By targeting legitimate distribution channels, they position themselves at the intersection of user confidence and execution. The result is an attack that requires no exploit, no phishing, and no advanced evasion—only timing and access to the delivery chain.

The most dangerous file is not the one that looks suspicious.

It is the one you were expecting to download.



The Hacker News