Severity: HIGH
CVSS: 7.5
Priority: 0.725
Executive Summary
Between April 9-10, 2026, attackers breached cpuid.com for approximately 19 hours and replaced legitimate download links for CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor with malware-laced installers. Any user or IT professional who downloaded these tools during that window likely received STX RAT, a remote access trojan giving attackers persistent control over the infected system. Organizations in retail, manufacturing, consulting, telecommunications, and agriculture are confirmed affected, with over 150 victims identified by Kaspersky; the primary business risk is unauthorized remote access to internal systems, credential theft, and potential lateral movement.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: HIGH (prioritize for investigation)
Actor Attribution: HIGH; unknown, attribution not established as of reporting
TTP Sophistication: HIGH (12 MITRE ATT&CK techniques identified)
Detection Difficulty: HIGH (multiple evasion techniques observed)
Target Scope: INFO; CPUID CPU-Z, HWMonitor, HWMonitor Pro, PerfMonitor (cpuid.com downloads), all versions served during the approximately 19-hour compromise window (April 9-10, 2026 UTC)
Are You Exposed?
⚠ Your industry is targeted by the responsible actor (attribution not established as of reporting) → Heightened risk
⚠ You use products/services from CPUID CPU-Z → Assess exposure
⚠ 12 attack techniques identified; review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators
Business Context
A successful STX RAT infection gives attackers persistent remote access to the compromised machine, enabling credential harvesting, lateral movement into corporate networks, and data exfiltration. CPU-Z, HWMonitor, and similar utilities are commonly downloaded by IT staff, system administrators, and hardware engineers, meaning the affected population likely has elevated network privileges. Organizations with confirmed infections face direct costs from incident response and system rebuilding, and potential regulatory exposure if harvested credentials were used to access systems containing regulated data.
You Are Affected If
You or your staff downloaded CPU-Z, HWMonitor, HWMonitor Pro, or PerfMonitor directly from cpuid.com between approximately April 9–10, 2026 UTC
Downloaded installers were not hash-verified against a known-good source before execution
Affected endpoints run Windows and have no application allowlisting or DLL load-order controls enforced
Endpoints used for the download have access to internal network resources, shared credentials, or privileged systems
Your organization does not centrally manage or audit utility software downloads by IT and engineering staff
Board Talking Points
A trusted hardware diagnostics website used by IT teams worldwide was secretly replaced with malware for roughly 19 hours, and any employee who downloaded software during that window may have given attackers remote control of their computer.
Immediately identify any downloads from cpuid.com on April 9–10, isolate affected machines, and reset credentials for any accounts accessible from those systems — this should be completed within 24–48 hours.
Without action, attackers with active STX RAT footholds can move laterally through internal networks, harvest credentials, and exfiltrate data without further user interaction.
Technical Analysis
Threat actors compromised cpuid.com and substituted trojanized installers for four utilities: CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor.
The malicious installers deploy STX RAT via DLL side-loading (T1574.002 / CWE-426), placing a malicious DLL in a search-order-vulnerable load path used by a legitimate, signed executable.
This technique abuses application trust to execute malicious code without triggering standard process-level detections.
The infection chain also incorporates process injection (T1055), PowerShell execution (T1059.001), drive-by compromise via the weaponized site (T1189), supply chain compromise at the software distribution layer (T1195.002), keylogging or input capture (T1056), sandbox/VM evasion (T1497), and C2 over HTTP/S (T1071.001). Infrastructure and infection chain were reused verbatim from a prior FileZilla watering hole campaign, indicating operational reuse. Relevant CWEs: CWE-829 (inclusion of functionality from untrusted control sphere), CWE-494 (download of code without integrity check), CWE-426 (untrusted search path). No CVE is assigned. The site has been remediated; no patch exists for the affected tools because the vulnerability was in the distribution channel, not the software itself. Confidence: HIGH, sourced from Kaspersky Securelist primary research.
Action Checklist (IR enriched)
Triage Priority: IMMEDIATE
Escalate to CISO and legal counsel immediately if any confirmed-infected host had access to PII, PHI, PCI-scoped systems, or privileged credentials (domain admin, service accounts), as STX RAT's persistent remote access capability creates a presumptive data exposure requiring breach notification assessment under applicable regulations (GDPR, HIPAA, state breach laws); also escalate if the blast radius cannot be bounded within 4 hours due to missing proxy/DNS log coverage.
1. Containment: Immediately isolate any endpoint that downloaded CPU-Z, HWMonitor, HWMonitor Pro, or PerfMonitor from cpuid.com between April 9-10, 2026 UTC. Block outbound C2 connections at the perimeter by querying your DNS and proxy logs for domains and IPs associated with STX RAT (see Kaspersky Securelist report for IOC list). Revoke credentials stored or entered on suspected compromised hosts.
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy
NIST IR-4 (Incident Handling)
NIST AC-17 (Remote Access)
NIST SC-7 (Boundary Protection)
CIS 12.8 (Establish and Maintain Dedicated Computing Resources for All Administrative Work)
CIS 13.4 (Perform Traffic Filtering Between Network Segments)
Compensating Control
For teams without NAC or enterprise EDR: use Windows Firewall to hard-block the host at the OS level via 'netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound' on suspect endpoints while investigation proceeds. For perimeter C2 blocking without a SIEM, extract STX RAT IOC domains and IPs from the Kaspersky Securelist report and push them as deny rules to your perimeter firewall or DNS resolver (e.g., add NXDOMAIN overrides in BIND or Windows DNS for known C2 hostnames). Use 'netstat -ano' on isolated hosts to capture active connections before blocking to preserve evidence of live C2 channels.
Preserve Evidence
Capture before isolating: full memory dump of any process spawned by CPU-Z.exe, HWMonitor.exe, HWMonitor_x64.exe, or PerfMonitor.exe (use ProcDump: 'procdump -ma <pid>'); browser download history confirming cpuid.com download URL and timestamp within the April 9–10 UTC window; Windows proxy/DNS logs showing outbound resolution of STX RAT C2 domains at time of infection; 'netstat -ano' output preserving active C2 connections tied to the malicious process PID; and Windows Security Event Log Event ID 4688 (Process Creation) filtered on the four affected executables as parent processes.
2. Detection: Search endpoint logs, EDR telemetry, and proxy/DNS logs for downloads from cpuid.com during the compromise window. Look for DLL side-loading indicators: unexpected DLLs loaded by CPU-Z.exe, HWMonitor.exe, HWMonitor_x64.exe, or PerfMonitor.exe processes. Hunt for PowerShell child processes spawned by these executables (T1059.001). Cross-reference file hashes of installed binaries against known-good hashes published in the Kaspersky Securelist report.
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis
NIST SI-4 (System Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-12 (Audit Record Generation)
CIS 8.2 (Collect Audit Logs)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Without EDR: deploy Sysmon with a SwiftOnSecurity or Olaf Hartong config to capture Event ID 7 (Image Loaded) — filter on DLLs loaded by CPU-Z.exe, HWMonitor.exe, HWMonitor_x64.exe, or PerfMonitor.exe where the DLL path does not match the expected application install directory. Use Sysmon Event ID 1 (Process Create) to detect PowerShell spawned as a child of any of the four affected executables (MITRE T1059.001). For hash verification without EDR, run 'Get-FileHash -Algorithm SHA256 <path>' in PowerShell against the installed binaries and compare against Kaspersky Securelist published known-bad hashes. For proxy log hunting without SIEM, use 'findstr /i cpuid.com' against exported proxy or Squid access logs scoped to April 9–10, 2026 UTC timestamps.
Preserve Evidence
Sysmon Event ID 7 (Image Loaded) entries showing DLLs loaded from unexpected paths by the four affected CPUID executables — specifically any DLL in the application directory that does not match vendor-signed baselines; Sysmon Event ID 1 or Windows Security Event ID 4688 showing PowerShell.exe or cmd.exe with a parent process of CPU-Z.exe, HWMonitor.exe, HWMonitor_x64.exe, or PerfMonitor.exe; browser download history (Chrome: 'AppData\Local\Google\Chrome\User Data\Default\History', Edge: 'AppData\Local\Microsoft\Edge\User Data\Default\History') confirming download URL and timestamp; SHA-256 hashes of all binaries in the CPUID install directories for comparison against Kaspersky Securelist known-bad hashes; Windows DNS client cache ('ipconfig /displaydns') or Sysmon Event ID 22 (DNS Query) for STX RAT C2 domain resolutions.
3. Eradication: On confirmed-infected hosts: terminate and remove STX RAT and associated DLL. Uninstall all cpuid.com utilities downloaded during the compromise window. Re-download tools only from the current cpuid.com site after verifying file integrity against hashes published post-remediation. Rebuild hosts where full infection scope cannot be confirmed.
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication
NIST SI-2 (Flaw Remediation)
NIST SI-3 (Malicious Code Protection)
NIST CM-7 (Least Functionality)
CIS 2.2 (Ensure Authorized Software is Currently Supported)
CIS 2.3 (Address Unauthorized Software)
Compensating Control
For teams without enterprise endpoint management: use Autoruns (Sysinternals) to enumerate and remove STX RAT persistence entries — specifically check the 'Logon', 'Scheduled Tasks', and 'AppInit DLLs' tabs for entries referencing the malicious DLL or STX RAT executable paths identified in the Kaspersky Securelist report. Run 'taskkill /F /IM <stxrat_process_name>' to terminate the RAT before removal. Verify DLL removal by checking the CPUID application install directory for any DLL not present in the post-remediation clean installer. Scan with ClamAV using an updated signature database as a secondary confirmation before re-allowing the host on the network. If Autoruns reveals persistence that cannot be cleanly removed (e.g., injected into a system process), treat as full-rebuild required.
Preserve Evidence
Before eradication, image the infected disk using FTK Imager or 'dd' to preserve forensic evidence for post-incident review; capture Autoruns output as a CSV ('autorunsc -a * -c > autoruns_output.csv') documenting all persistence mechanisms left by STX RAT; collect the malicious DLL file and STX RAT binary with SHA-256 hashes for IOC sharing; export Windows Security Event Log and Sysmon logs covering the full infection timeline before any remediation actions alter the evidentiary record; document all registry run keys and scheduled tasks associated with STX RAT persistence (registry paths: 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run', 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run').
4. Recovery: After reimaging or cleaning affected hosts, reset all credentials that were entered on or accessible from those systems. Monitor for re-infection indicators for at least 30 days post-remediation. Validate that no persistence mechanisms (scheduled tasks, registry run keys, injected processes) remain. Confirm C2 blocking rules are active and generating no new hits.
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery
NIST IR-4 (Incident Handling)
NIST IA-5 (Authenticator Management)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
CIS 5.2 (Use Unique Passwords)
CIS 6.3 (Require MFA for Externally-Exposed Applications)
Compensating Control
Without SIEM for 30-day re-infection monitoring: configure a Sysmon + Windows Event Forwarding (WEF) pipeline to a central Windows Event Collector server (no-cost, built into Windows Server) and write a Sigma rule detecting the specific DLL side-loading pattern (CPUID executables loading unsigned or unexpected DLLs) for ongoing alerting. For credential reset validation without PAM tooling, use 'net user' and Active Directory Users and Computers to confirm password resets on all accounts identified as accessible from affected hosts. Create a weekly scheduled task ('schtasks') that runs a PowerShell script to re-run Get-FileHash against all reinstalled CPUID utilities and compare the results against post-remediation known-good hashes to detect re-compromise.
Preserve Evidence
Post-recovery validation artifacts to retain: Autoruns clean-state CSV captured immediately after rebuild or cleaning confirming no STX RAT persistence entries remain; firewall/DNS blocking logs showing STX RAT C2 IOC rules are active with zero new hit events over the 30-day monitoring window; credential reset confirmation records for all accounts that were logged into or stored on affected hosts (document account names, reset timestamps, and authorizing administrator); Sysmon Event ID 7 baseline log from the clean reinstalled CPUID tools documenting expected legitimate DLL load paths for future anomaly comparison.
5. Post-Incident: This attack exploited the absence of download integrity verification (CWE-494) and software distribution trust assumptions. Implement a software allowlist policy requiring hash verification before execution of downloaded utilities. Evaluate whether IT and engineering teams use hardware diagnostic utilities from unmanaged personal devices, which would fall outside EDR coverage. Consider requiring all utility software to be distributed through an internal, hash-verified repository rather than direct vendor download.
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST CM-11 (User-Installed Software)
NIST SA-12 (Supply Chain Protection)
NIST IR-8 (Incident Response Plan)
CIS 2.1 (Establish and Maintain a Software Inventory)
CIS 2.2 (Ensure Authorized Software is Currently Supported)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 7.4 (Perform Automated Application Patch Management)
Compensating Control
For teams without enterprise software distribution infrastructure: establish a SharePoint or internal file share as an interim verified repository. Host only CPUID utilities (and other hardware diagnostic tools) whose SHA-256 hashes have been manually verified against vendor-published post-incident hashes, and document the verification date and verifying analyst in a simple spreadsheet. Implement an AppLocker or Windows Defender Application Control (WDAC) policy (both free, built into Windows) to block execution of any unsigned or hash-unrecognized executable from user download directories (Downloads, Temp, Desktop). Create a one-page IT policy requiring hardware diagnostic tools to be pulled from the internal repository only, and include a BYOD/personal device exception acknowledgment form to capture the unmanaged device risk identified in this incident.
Preserve Evidence
Lessons-learned documentation artifacts: a timeline reconstruction of which endpoints downloaded from cpuid.com during the April 9–10 window (sourced from proxy/DNS logs), used to validate blast radius assessment accuracy; a gap analysis record documenting which affected endpoints lacked EDR or Sysmon coverage — specifically identifying any personal/unmanaged devices that were used — to quantify the BYOD visibility gap exposed by this campaign; final IOC list derived from Kaspersky Securelist report (STX RAT hashes, C2 domains, DLL names) formatted for import into your DNS blocklist, firewall, and any future YARA/Sigma detection rules as institutional memory of this specific supply chain compromise.
Recovery Guidance
After reimaging or cleaning, reinstall CPUID utilities exclusively from installers whose hashes match those published by cpuid.com post-incident, verifying with Get-FileHash before first execution; do not trust any installer cached locally or on file shares during the April 9–10 window. Monitor all previously infected hosts for 30 days using Sysmon Event ID 7 (Image Loaded) and Event ID 1 (Process Create) for recurrence of the DLL side-loading pattern, as STX RAT may have established secondary persistence mechanisms not removed during initial eradication. Validate that all STX RAT C2 IOC blocking rules at the DNS and perimeter firewall layers are generating zero new resolution or connection hits before closing the incident.
Key Forensic Artifacts
Malicious installer files: SHA-256 hashes of CPU-Z, HWMonitor, HWMonitor Pro, or PerfMonitor installers downloaded from cpuid.com between April 9–10, 2026 UTC — compare against Kaspersky Securelist known-bad hashes to confirm trojanized versions were received.
DLL side-loading evidence: files in the CPUID application install directories (e.g., '%ProgramFiles%\CPUID\CPU-Z\', '%ProgramFiles%\CPUID\HWMonitor\') that are not signed by CPUID SA or that have SHA-256 hashes matching STX RAT-associated DLLs listed in the Kaspersky Securelist report.
Process ancestry logs: Sysmon Event ID 1 or Windows Security Event ID 4688 entries showing PowerShell.exe, cmd.exe, or unknown executables spawned as child processes of CPU-Z.exe, HWMonitor.exe, HWMonitor_x64.exe, or PerfMonitor.exe — this parent-child relationship is the behavioral signature of the DLL side-loading execution chain.
Network C2 artifacts: DNS query logs (Sysmon Event ID 22 or DNS server query logs) and proxy access logs showing outbound connections to STX RAT C2 infrastructure domains and IPs sourced from the Kaspersky Securelist IOC list, with timestamps correlating to or following the CPUID utility download event.
Persistence registry keys and scheduled tasks: contents of 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' and 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run', plus output of 'schtasks /query /fo LIST /v' filtered for tasks created on or after April 9, 2026, referencing paths associated with the STX RAT executable or its dropped DLL.
Detection Guidance
Note: Full IOC values (domains, IPs, file hashes) must be retrieved directly from the Kaspersky Securelist report; key indicators are summarized below, but operational detection requires complete data.
Primary detection surface is endpoint and network telemetry.
In EDR: search for DLL loads from non-standard paths by CPU-Z.exe, HWMonitor.exe, HWMonitor_x64.exe, or PerfMonitor.exe.
Alert on PowerShell processes with these executables as parent. In proxy and DNS logs: query for connections to cpuid.com between 2026-04-09T00:00Z and 2026-04-10T19:00Z (approximate window) with HTTP response bodies indicating a binary download. For file-based detection: compare SHA-256 hashes of installed cpuid.com binaries against clean hashes from the Kaspersky Securelist report (https://securelist.com/tr/cpu-z/119365/). Behavioral indicators include: unexpected network beaconing from hardware utility processes, input capture activity (keylogger artifacts in temp directories), and injection into legitimate processes following hardware tool execution. YARA and Sigma rules, if published by Kaspersky for STX RAT, should be loaded into your SIEM and endpoint tooling.
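To make the Sysmon hunt above concrete, here is an added Python example (not from the advisory or from Kaspersky) that applies its rules to constructed events: Event ID 7 loads by the four CPUID executables from outside the install directory and Windows directories, DLLs inside the install directory that are unsigned, not signed by CPUID SA, or absent from a clean-reinstall baseline, and Event ID 1 script hosts spawned by those tools. The executable names, the signer name and the script-host list come from this page; the sample paths, user name, DLL names and baseline are constructed placeholders.

```python
"""Hunt Sysmon events for the CPUID / STX RAT DLL side-loading pattern.

Added example (not from the advisory or Kaspersky): applies the advisory's
Event ID 7 and Event ID 1 checks to constructed sample telemetry.
"""
import json
import ntpath

# The four executables named in the advisory (compared case-insensitively).
CPUID_EXES = {"cpu-z.exe", "hwmonitor.exe", "hwmonitor_x64.exe", "perfmonitor.exe"}
# Script hosts from the advisory's Sentinel "Suspicious PowerShell" hunting rule.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# DLL loads from these Windows directories are expected and not reported.
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Signer name the advisory expects on vendor DLLs in the install directory.
VENDOR_SIGNER = "cpuid sa"


def check_event(ev, baseline=None):
    """Return finding strings for one Sysmon event dict (empty list if benign).

    ev uses Sysmon field names (EventID, Image, ImageLoaded, Signed, Signature,
    ParentImage, CommandLine). baseline optionally maps a lowercase install
    directory to the DLL basenames a clean reinstall loads (the advisory's
    post-recovery Event ID 7 baseline); when given, anything else is reported.
    """
    findings = []
    image = ev.get("Image", "")
    exe = ntpath.basename(image).lower()
    if ev.get("EventID") == 7 and exe in CPUID_EXES:
        dll = ev.get("ImageLoaded", "")
        dll_dir = ntpath.dirname(dll).lower() + "\\"
        app_dir = ntpath.dirname(image).lower() + "\\"
        if dll_dir == app_dir:
            # DLL sits beside the signed tool, which is where side-loading lives.
            # Accept it only when it carries the vendor signature and is baselined.
            vendor_signed = (str(ev.get("Signed", "")).lower() == "true"
                             and ev.get("Signature", "").lower() == VENDOR_SIGNER)
            known = baseline is None or ntpath.basename(dll).lower() in baseline.get(app_dir, set())
            if not vendor_signed or not known:
                findings.append(f"unsigned_or_unbaselined_dll_in_app_dir: {exe} loaded {dll}")
        elif not dll_dir.startswith(WINDOWS_DIRS):
            # Loaded from neither the install directory nor a Windows directory.
            findings.append(f"dll_outside_expected_path: {exe} loaded {dll}")
    elif ev.get("EventID") == 1:
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        if parent in CPUID_EXES and exe in SCRIPT_HOSTS:
            findings.append(f"script_host_child_of_cpuid_tool: {parent} -> {exe} "
                            f"[{ev.get('CommandLine', '')}]")
    return findings


def hunt(jsonl_text, baseline=None):
    """Parse JSON-lines Sysmon events and return all findings in input order."""
    findings = []
    for line in jsonl_text.splitlines():
        if line.strip():
            findings.extend(check_event(json.loads(line), baseline))
    return findings


# Constructed sample telemetry, not real logs: the user name, DLL names and the
# Temp path are placeholders (real STX RAT DLL names are in the Securelist report).
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Program Files\\CPUID\\CPU-Z\\CPU-Z.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "Signature": "Microsoft Windows"}
{"EventID": 7, "Image": "C:\\Program Files\\CPUID\\CPU-Z\\CPU-Z.exe", "ImageLoaded": "C:\\Program Files\\CPUID\\CPU-Z\\example_vendor.dll", "Signed": "true", "Signature": "CPUID SA"}
{"EventID": 7, "Image": "C:\\Program Files\\CPUID\\CPU-Z\\CPU-Z.exe", "ImageLoaded": "C:\\Program Files\\CPUID\\CPU-Z\\example_unsigned.dll", "Signed": "false", "Signature": ""}
{"EventID": 7, "Image": "C:\\Program Files\\CPUID\\HWMonitor\\HWMonitor_x64.exe", "ImageLoaded": "C:\\Users\\analyst\\AppData\\Local\\Temp\\example_helper.dll", "Signed": "false", "Signature": ""}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\CPUID\\HWMonitor\\HWMonitor_x64.exe", "CommandLine": "powershell.exe -nop -w hidden"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
"""

# Constructed clean-reinstall baseline: install directory -> DLLs a clean CPU-Z loads.
CLEAN_BASELINE = {"c:\\program files\\cpuid\\cpu-z\\": {"example_vendor.dll"}}

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS, CLEAN_BASELINE):
        print(finding)
```

Feed it real Sysmon events exported as JSON lines (for example from Windows Event Forwarding) and replace CLEAN_BASELINE with the Event ID 7 baseline captured from a clean reinstall.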
Indicators of Compromise (4)
URL (confidence HIGH): https://cpuid.com (download endpoints, April 9–10 2026 UTC window). Legitimate site was weaponized during the compromise window; downloads from this site during the window should be treated as malicious.
HASH (confidence HIGH): [Retrieve from Kaspersky Securelist: https://securelist.com/tr/cpu-z/119365/]. File hashes for trojanized CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor installers and associated STX RAT DLLs are published in the Securelist primary report; not reproduced here to avoid transcription error.
DOMAIN (confidence HIGH): [Retrieve from Kaspersky Securelist: https://securelist.com/tr/cpu-z/119365/]. STX RAT C2 domains are documented in the Securelist IOC table; not reproduced here to avoid transcription error.
IP (confidence HIGH): [Retrieve from Kaspersky Securelist: https://securelist.com/tr/cpu-z/119365/]. STX RAT C2 IP addresses are documented in the Securelist IOC table; not reproduced here to avoid transcription error.
Platform Playbooks (Microsoft Sentinel / Defender, CrowdStrike Falcon, AWS Security)
IOC Detection Queries (4)
1 high-confidence IP indicator(s). Detects endpoint connections to confirmed malicious infrastructure.
KQL Query Preview
Read-only — detection query only
// Threat: Trusted Hardware Utility Site Weaponized: STX RAT Delivered via DLL Side-Loading
let malicious_ips = dynamic([""]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, LocalIP, RemoteIP, RemotePort,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessParentFileName
| sort by Timestamp desc
Firewall, proxy, and network appliance logs (CEF format) for traffic to malicious IPs.
KQL Query Preview
// Threat: Trusted Hardware Utility Site Weaponized: STX RAT Delivered via DLL Side-Loading
let malicious_ips = dynamic([""]);
CommonSecurityLog
| where TimeGenerated > ago(30d)
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction,
SourceIP, DestinationIP, DestinationPort, RequestURL,
Activity, LogSeverity
| sort by TimeGenerated desc
1 domain indicator(s). Detects DNS lookups and connections.
KQL Query Preview
// Threat: Trusted Hardware Utility Site Weaponized: STX RAT Delivered via DLL Side-Loading
let malicious_domains = dynamic([""]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (malicious_domains)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
1 URL indicator(s).
KQL Query Preview
// Threat: Trusted Hardware Utility Site Weaponized: STX RAT Delivered via DLL Side-Loading
// The indicator is the legitimate cpuid.com download site, so only connections inside the
// approximate compromise window (2026-04-09T00:00Z to 2026-04-10T19:00Z) are of interest.
let malicious_urls = dynamic(["cpuid.com"]);
DeviceNetworkEvents
| where Timestamp between (datetime(2026-04-09T00:00:00Z) .. datetime(2026-04-10T19:00:00Z))
| where RemoteUrl has_any (malicious_urls)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (3)
Sentinel rule: Suspicious PowerShell command line
KQL Query Preview
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Process injection / hollowing
KQL Query Preview
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("CreateRemoteThreadApiCall", "QueueUserApcRemoteApiCall", "WriteToLsassProcessMemory", "NtAllocateVirtualMemoryApiCall", "NtMapViewOfSectionRemoteApiCall")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, ActionType
| sort by Timestamp desc
Sentinel rule: Unusual C2 communication patterns
KQL Query Preview
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe")
| summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
Falcon API IOC Import Payload (2 indicators)
POST to /indicators/entities/iocs/v1 — Weak/benign indicators pre-filtered. Expiration set to 90 days.
[
{
"type": "domain",
"value": "[Retrieve from Kaspersky Securelist: https://securelist.com/tr/cpu-z/119365/]",
"source": "SCC Threat Intel",
"description": "STX RAT C2 domains are documented in the Securelist IOC table; not reproduced here to avoid transcription error",
"severity": "high",
"action": "detect",
"platforms": [
"windows",
"mac",
"linux"
],
"applied_globally": true,
"expiration": "2026-07-11T00:00:00Z"
},
{
"type": "ipv4",
"value": "[Retrieve from Kaspersky Securelist: https://securelist.com/tr/cpu-z/119365/]",
"source": "SCC Threat Intel",
"description": "STX RAT C2 IP addresses are documented in the Securelist IOC table; not reproduced here to avoid transcription error",
"severity": "high",
"action": "detect",
"platforms": [
"windows",
"mac",
"linux"
],
"applied_globally": true,
"expiration": "2026-07-11T00:00:00Z"
}
]
VPC Flow Logs — Malicious IP Traffic
Query Preview
fields @timestamp, srcAddr, dstAddr, dstPort, action, protocol, bytes
| filter dstAddr = "[Retrieve from Kaspersky Securelist: https://securelist.com/tr/cpu-z/119365/]" or srcAddr = "[Retrieve from Kaspersky Securelist: https://securelist.com/tr/cpu-z/119365/]"
| sort @timestamp desc
| limit 200
GuardDuty — Custom Threat IP List
Query Preview
[Retrieve from Kaspersky Securelist: https://securelist.com/tr/cpu-z/119365/]
Route 53 DNS — Malicious Domain Resolution
Query Preview
fields @timestamp, qname, srcaddr, rcode
| filter qname in ["[Retrieve from Kaspersky Securelist: https://securelist.com/tr/cpu-z/119365/]"]
| sort @timestamp desc
| limit 200
Compliance Framework Mappings
MITRE ATT&CK: T1090, T1056, T1497, T1574.002, T1059.001, T1608.004 (+6 more; see the mapping below)
NIST SP 800-53: CM-7, SI-3, SI-4, SI-7, AC-6, SC-7 (+4 more)
MITRE ATT&CK Mapping
T1090 Proxy (command-and-control)
T1056 Input Capture (collection)
T1497 Virtualization/Sandbox Evasion (defense-evasion)
T1608.004 Drive-by Target (resource-development)
T1059 Command and Scripting Interpreter (execution)
T1055 Process Injection (defense-evasion)
T1189 Drive-by Compromise (initial-access)
T1071 Application Layer Protocol (command-and-control)
T1195.002 Compromise Software Supply Chain (initial-access)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence
item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53,
CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided
as supplemental intelligence guidance only and does not constitute professional incident response
services. Organizations should adapt all recommendations to their specific environment, risk
tolerance, and regulatory requirements. This material is not a substitute for your organization's
official incident response plan, legal counsel, or qualified security practitioners.