Trust No Download: How Hackers Weaponized HWMonitor to Steal Data

In a classic case of digital “wolf in sheep’s clothing,” threat actors are now exploiting the popularity of HWMonitor—a staple utility for PC enthusiasts—to deliver a devastating Remote Access Trojan (RAT).

By leveraging a legitimate binary to bypass security checks, this campaign quietly installs the STX RAT, giving attackers a front-row seat to your personal files, screen activity, and cloud credentials. If you’ve recently downloaded a hardware monitor from a non-official source, your system could be part of a growing botnet.


The Attack: DLL Sideloading Explained

The brilliance of this attack lies in its simplicity. Attackers aren’t “hacking” HWMonitor; they are tricking Windows into doing the work for them using a technique called DLL Sideloading.

The Chain of Infection:

  1. The Hook: Victims download a ZIP file (hosted on Cloudflare R2) that looks like a standard HWMonitor installer.
  2. The Bait: The folder contains the real HWMonitor_x64.exe and a malicious file named CRYPTBASE.dll.
  3. The Switch: When you run the real HWMonitor, Windows searches the application’s own folder for CRYPTBASE.dll before it looks in the system directory. Instead of the official system file, the trusted HWMonitor process loads the attacker’s DLL.
  4. The Stealth: The malicious DLL starts two threads. One keeps HWMonitor working normally so nothing looks wrong, while the other quietly loads the STX RAT into your system’s memory.

Inside the STX RAT: A Predator in Memory

Once active, the STX RAT is incredibly difficult to detect because it operates entirely in the system memory (RAM), never writing suspicious files to your hard drive.

Key Capabilities:

  • Surveillance: Captures real-time screenshots and monitors your keystrokes.
  • Evasion: It scans your PC for security software (Avast, Bitdefender, SentinelOne) and attempts to hide its presence from them.
  • System Theft: Harvests hostnames, usernames, and OS details to build a profile for further attacks.
  • C2 Communication: Sends your stolen data back to a command-and-control server via encrypted HTTPS messages.

Indicators of Compromise (IoCs)

Security teams and power users should scan their environments for the following red flags:

  • Malicious DLL: CRYPTBASE.dll located in any directory other than C:\Windows\System32.
  • C2 Endpoint: welcome.supp0v3[.]com
  • Distribution URL: pub-fd67c956bf8548b7b2cc23bb3774ff0c[.]r2[.]dev
  • Suspicious Activity: Outbound HTTPS traffic from hardware utility folders to unfamiliar domains.
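A small hunt script for the file and network indicators listed above, added here as an example and not part of the original post. The log line format, the sample paths and the allowlist are constructed for the example, and the SysWOW64 entry is an assumption that goes beyond the post’s System32-only rule.

```python
import ntpath
import re

# Directories where a legitimate CRYPTBASE.dll lives. The post lists System32;
# the SysWOW64 copy found on 64-bit Windows is added here as an assumption so
# the 32-bit system copy is not reported as a false positive.
EXPECTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# C2 domain from the post's IoC list, defanging brackets removed.
KNOWN_C2 = {"welcome.supp0v3.com"}

def is_sideload_candidate(path: str) -> bool:
    """True when a CRYPTBASE.dll sits anywhere outside the expected system dirs."""
    directory, name = ntpath.split(path)
    if name.lower() != "cryptbase.dll":
        return False
    return directory.lower().rstrip("\\") not in EXPECTED_DLL_DIRS

def find_sideload_candidates(paths):
    """Filter a file inventory (EDR export or directory walk) down to hits."""
    return [p for p in paths if is_sideload_candidate(p)]

# Assumed log format (constructed for this example): proc="<path>" dst=<host> port=<n>
LOG_RE = re.compile(r'proc="(?P<proc>[^"]+)" dst=(?P<host>\S+) port=(?P<port>\d+)')

def flag_outbound(lines, allowed_hosts=frozenset()):
    """(process, host) pairs for any HTTPS egress to the known C2, plus HTTPS
    egress from a hardware-utility folder to a host not on the allowlist."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["port"] != "443":
            continue  # only HTTPS egress is in scope for this indicator
        proc_dir = ntpath.dirname(m["proc"]).lower()
        host = m["host"].lower()
        if host in KNOWN_C2 or ("hwmonitor" in proc_dir and host not in allowed_hosts):
            hits.append((m["proc"], host))
    return hits

# Constructed sample data: one legitimate DLL, one copy dropped next to the
# downloaded HWMonitor, and three network events (beacon, update, other process).
SAMPLE_PATHS = [
    r"C:\Windows\System32\cryptbase.dll",
    r"C:\Users\alice\Downloads\HWMonitor\CRYPTBASE.dll",
    r"C:\Users\alice\Downloads\HWMonitor\HWMonitor_x64.exe",
]
SAMPLE_LOG = [
    r'proc="C:\Users\alice\Downloads\HWMonitor\HWMonitor_x64.exe" dst=welcome.supp0v3.com port=443',
    r'proc="C:\Users\alice\Downloads\HWMonitor\HWMonitor_x64.exe" dst=update.example.com port=443',
    r'proc="C:\Program Files\Browser\browser.exe" dst=welcome.supp0v3.com port=443',
]
```

Run `find_sideload_candidates(SAMPLE_PATHS)` and `flag_outbound(SAMPLE_LOG, allowed_hosts={"update.example.com"})` to see the downloaded DLL and both C2 beacons reported while the allowlisted update traffic is not.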

How to Stay Safe

To avoid falling victim to “living-off-the-land” attacks like this:

  1. Only Download from the Source: Get your tools directly from CPUID or official developer sites. Never trust “re-hosted” versions on forums or storage buckets.
  2. Enable EDR/MDR: Use security tools that feature behavioral analysis and memory scanning, as traditional file-based antivirus will miss this in-memory threat.
  3. Verify Digital Signatures: Right-click the executable, open Properties, and check the “Digital Signatures” tab. If the signer is missing or doesn’t match the developer, delete it immediately.
