[RESEARCH] CPU-Z was the lure. The real story is who buys the foothold.
The scariest part of the CPU-Z mess wasn’t STX RAT. It was the customer profile. Trusted utility, power-user endpoint, resale-ready access. Same old crime economy, better packaging.
Some weeks in this field feel like a reminder that defenders are expected to trust less, verify more, and somehow still get actual work done. This is one of those weeks. The CPU-Z story matters not because it is glamorous, but because it is familiar: a trusted utility, the right users, and a compromise that probably matters more after the initial infection than during it.
The most important thing here is not the malware name. It is the likely actor model. Based on the current public evidence, this looks most like a single low-to-mid tier e-crime cluster operating as an initial-access broker, reusing STX RAT, overlapping infrastructure, and the same general playbook seen in the earlier fake FileZilla campaign. Public reporting does not credibly tie this to a named APT or a branded ransomware crew, and that restraint matters. Bad attribution is how this industry talks itself into dumb confidence.
TL;DR
- The strongest public read is still a single IAB-style e-crime cluster operating STX RAT.
- A small STX RAT service / narrow-customer model is plausible but less supported.
- Direct operation by a ransomware or data-extortion crew is possible, but weaker today.
- “CityOfSin” looks more like a campaign label derived from C2 parameters than a broadly accepted actor identity.
- The next 60–90 days may reveal whether access is handed to downstream ransomware or extortion ecosystems.
The AlphaHunt Read
Our working read is simple: this was probably not the final monetization layer. It was the access layer. The likely trajectory over the next 3–6 months is more trusted-software abuse, more focus on technically privileged users, and more downstream monetization through stolen access, sessions, and service credentials rather than some immediate smash-and-grab headline. The part defenders should care about most is not whether STX RAT ran. It is whether the infected user sat close enough to identity, admin rights, or sensitive systems to make the foothold worth reselling or reusing later. That is the value of viewing this as access brokering first.
The story in 60 seconds
Around April 9 to 10, CPUID’s site API was reportedly hijacked so official CPU-Z, HWMonitor, and PerfMonitor download links pointed to attacker-controlled Cloudflare R2 buckets, while the signed binaries themselves remained legitimate. The trojanized packages carried a malicious CRYPTBASE.dll alongside the real executable, which sideloaded a reflective loader and then STX RAT, with persistence and DoH-based C2. That placement is the detail defenders should sit with: a signature check on the main executable alone would have passed, because the malicious component was the unsigned DLL next to it, not the binary the user thought they were running. Researchers then tied the activity back to the March fake FileZilla campaign through the same payload family, config overlap, and shared infrastructure. That connective tissue matters more than the brand names on the compromised sites. It suggests a crew reusing proven tradecraft against better trust surfaces, not a random one-off supply-chain accident.
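Two cheap pre-install checks follow directly from that chain: does the download link actually resolve to the vendor's host, and does the unpacked archive ship a DLL with a Windows system DLL's name sitting next to an executable? The script below is an added example written for this post, not code from CPUID, the researchers, or the original article. Only the name CRYPTBASE.dll comes from the public reporting; the hostnames, archive paths, and the vendor allow-list are constructed placeholders, and the verdict logic is an assumption about how you might wire such a check into an intake pipeline.

```python
"""Pre-install checks for a vendor download, modelled on the CPUID incident.

Added example: hostnames, paths and the allow-list below are constructed
for illustration and are not indicators from the actual campaign.
"""
import io
import posixpath
import zipfile
from urllib.parse import urlparse

# The trojanized CPUID packages carried a malicious CRYPTBASE.dll next to the
# legitimate signed executable (public reporting). Any further names you add
# here are your own additions, not from the incident.
SIDELOAD_DLL_NAMES = {"cryptbase.dll"}


def host_off_allowlist(download_url, allowed_hosts):
    """True when the link's host is neither a vendor host nor a subdomain of one.

    The compromised API handed out links to attacker-controlled Cloudflare R2
    buckets, so the host is the first thing to check before trusting a link.
    allowed_hosts is operator-supplied; the values used below are assumptions.
    """
    host = (urlparse(download_url).hostname or "").lower()
    for allowed in allowed_hosts:
        allowed = allowed.lower()
        if host == allowed or host.endswith("." + allowed):
            return False
    return True


def sideload_candidates(zip_bytes, dll_names=SIDELOAD_DLL_NAMES):
    """Return archive members positioned for DLL search-order sideloading.

    A DLL that shares its name with a Windows system DLL and sits in the same
    directory as an .exe is loaded from the application directory before
    System32 is consulted, unless the name is on the KnownDLLs list. That is
    the placement the CPUID packages used for CRYPTBASE.dll.
    """
    wanted = {d.lower() for d in dll_names}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [n.replace("\\", "/") for n in zf.namelist() if not n.endswith("/")]
    exe_dirs = {posixpath.dirname(m) for m in members if m.lower().endswith(".exe")}
    return sorted(
        m for m in members
        if posixpath.basename(m).lower() in wanted
        and posixpath.dirname(m) in exe_dirs
    )


def assess_download(download_url, zip_bytes, allowed_hosts):
    """Combine both checks into one verdict; either finding blocks the install."""
    findings = {
        "host_off_allowlist": host_off_allowlist(download_url, allowed_hosts),
        "sideload_candidates": sideload_candidates(zip_bytes),
    }
    findings["block"] = findings["host_off_allowlist"] or bool(findings["sideload_candidates"])
    return findings


def build_zip(member_names):
    """Build an in-memory archive with placeholder contents (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


# Constructed samples: none of these hostnames or paths are real indicators.
ALLOWED_HOSTS = ["vendor.example"]
CLEAN_URL = "https://download.vendor.example/tool.zip"
HIJACKED_URL = "https://bucket.r2.example.invalid/tool.zip"
CLEAN_ZIP = build_zip(["tool/tool.exe", "tool/readme.txt"])
TROJANIZED_ZIP = build_zip(["tool/tool.exe", "tool/CRYPTBASE.dll", "tool/readme.txt"])

if __name__ == "__main__":
    print(assess_download(CLEAN_URL, CLEAN_ZIP, ALLOWED_HOSTS))
    print(assess_download(HIJACKED_URL, TROJANIZED_ZIP, ALLOWED_HOSTS))
```

The archive check is deliberately about placement rather than hashes: a known-bad hash catches one build, while a system-DLL name next to an executable catches the technique, including the next wrapper the same crew ships. It is a triage signal, not proof; a vendor that legitimately redistributes a runtime DLL will trip it, which is exactly the case a human should look at before installing.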
Why it matters
The shallow version of this story is “official downloads were tampered with.” True. The better version is that the lure sat in front of exactly the kind of people attackers like to compromise: admins, power users, and technically capable users who tend to have broader reach than average endpoints. That makes this a business-risk story, not just a malware story.
It also matters because the evidence points to reuse, not novelty. The CPUID incident and the earlier fake FileZilla campaign reportedly shared the same STX RAT payload, overlapping config, and the same C2 domain. That tells you this is probably not a one-off creative burst. It looks more like a crew iterating on a working formula: find a better trust surface, keep the tooling mostly the same, and improve victim quality.
Where this goes next
If the IAB model is right, the next chapter is unlikely to look like the first. It will probably look quieter. The real question is what happens to confirmed STX RAT victims over the next 60–90 days, and whether those footholds later map to ransomware, extortion, or other downstream criminal playbooks. That is the trajectory to watch. Not whether defenders can write one more IOC blog, but whether the same infrastructure later shows up in somebody else’s intrusion story.
A second trajectory worth watching is whether this remains one operator cluster or turns out to be a broader STX RAT market. Today the stronger signal is still one operational cluster rather than a broad multi-customer ecosystem. If that changes, defenders should expect more campaigns with the same family and slightly different delivery wrappers. If it does not, then the near-term risk is more likely repeat use of the same core tradecraft against other trusted software and admin-adjacent targets.