Critical Vulnerability in HWMonitor Allows DLL Hijacking Attacks


Marcus Rodriguez
May 14, 2026

Key Takeaways

  • A new campaign leverages the legitimate HWMonitor utility to deliver the sophisticated STX RAT through DLL sideloading.
  • Attackers distribute a trojanized HWMonitor ZIP archive that includes a malicious CRYPTBASE.dll.
  • The attack chain utilizes multi-stage reflective loading, delivering the STX RAT payload entirely in memory to evade detection.
  • The STX RAT enables extensive surveillance, system information gathering, security product evasion, and persistent remote control.

Attackers Weaponize HWMonitor to Deploy Stealthy STX RAT

Cybersecurity researchers have identified a campaign in which threat actors abuse HWMonitor, CPUID's widely used hardware monitoring tool, as the delivery vehicle for the STX remote access trojan (RAT). The attack does not exploit a bug in HWMonitor itself: it relies on DLL sideloading, so the legitimate diagnostic binary becomes the process that runs the attacker's code.

The campaign starts with a ZIP archive posing as a standard HWMonitor download. Extracting it places the genuine HWMonitor_x64.exe and a malicious DLL named CRYPTBASE.dll in the same directory; running the trusted executable is what loads the attacker's code. Because every visible artifact is a familiar program, the attacker gains an initial foothold that is hard for a user to tell apart from a normal install.

Multi-Stage Delivery Evades Detection

Analysts at Gurucul, who published the analysis, found that the archive was distributed from a URL on a Cloudflare R2 storage bucket. Their investigation traced a multi-stage execution chain designed to bypass defenses and unpack the STX RAT payload directly in memory, so that beyond the dropped DLL little is written to disk and file-based detection has little to work with.

The impact of this campaign is substantial. Once the STX RAT is operational, attackers gain the ability to capture screen activity, extract comprehensive system information, identify installed security software, and maintain persistent remote control over the victim’s machine. The presence of unique campaign tracking identifiers within the malware suggests that the operators are orchestrating large-scale infection efforts targeting multiple entities simultaneously.

Hackers Abuse Legitimate HWMonitor Binary with DLL Sideloading

The mechanism is DLL sideloading, a long-established technique that abuses the Windows DLL search order. When HWMonitor_x64.exe asks for CRYPTBASE.dll by name rather than by full path, the loader looks in the application's own directory before it looks in System32 (the default SafeDllSearchMode order). Only the small set of protected Known DLLs, which are always taken from System32, is exempt, and CRYPTBASE.dll is not among them. Dropping a malicious CRYPTBASE.dll beside the executable is therefore enough: the trusted HWMonitor binary loads the attacker's library instead of the genuine Windows one.

Once loaded, the malicious DLL creates two threads from DllMain. One starts the malicious execution chain; the other loads the genuine system CRYPTBASE.dll so that HWMonitor's own calls keep working. The split is deliberate: HWMonitor behaves normally, so the user sees nothing wrong while the attack proceeds in the background. For defenders the behaviour described here is a useful tell, since it produces two loads of the same DLL name in one process, one from the application directory and one from System32.

STX RAT Multi-Stage Payload Delivery

After the sideload succeeds, the malware runs a multi-stage reflective loading sequence that brings the final STX RAT payload into memory without writing further files to disk. The malicious DLL pulls obfuscated data out of its own .rdata section, allocates executable memory with VirtualAlloc, and passes through several decryption stages before the final payload is activated. Only the sideloaded DLL touches disk, which is why file-based scanning struggles here and why memory-based detection (executable regions that do not map back to a file) matters.
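Because the payload is carried as obfuscated data inside the DLL's .rdata section, an analyst triaging the file can get a first signal without running it: encrypted or packed blobs have near-maximal byte entropy, while a normal .rdata (strings, vtables, import thunks) does not. The following added example (not the article's or Gurucul's code) parses the PE section table by hand and scores each section's Shannon entropy. It assembles a synthetic, non-loadable PE image with a pseudorandom blob standing in for the payload so it runs offline; the 7.2-bit threshold is an assumption to tune against your own sample set.

```python
"""Per-section entropy triage for a PE file (added example, not from the article).

Parses just enough of the PE header to reach the section table, then scores
each section's raw data with Shannon entropy. Encrypted or compressed payloads
sit near 8 bits/byte; ordinary .rdata/.data sit well below that. The synthetic
PE built at the bottom is constructed for offline testing and is not loadable.
"""
import hashlib
import math
import struct
from collections import Counter
from typing import List, NamedTuple, Sequence, Tuple

HIGH_ENTROPY = 7.2  # assumption: bits/byte above which a data section looks encrypted/packed


class Section(NamedTuple):
    name: str
    raw_offset: int
    raw_size: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty data, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> List[Section]:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (size_of_optional,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + size_of_optional  # section headers follow the optional header
    out = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        data = pe[raw_ptr:raw_ptr + raw_size]
        out.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size, shannon_entropy(data)))
    return out


def high_entropy_sections(sections: Sequence[Section], threshold: float = HIGH_ENTROPY) -> List[Section]:
    """Sections whose raw bytes look encrypted or compressed. Caveat: .rsrc can score
    high legitimately (embedded PNG/ICO); .rdata and .data normally cannot."""
    return [s for s in sections if s.entropy >= threshold]


def build_synthetic_pe(sections: Sequence[Tuple[bytes, bytes]]) -> bytes:
    """Assemble a minimal PE image (constructed for testing; only the header fields
    parse_sections reads are meaningful, and the image is not loadable)."""
    size_of_optional = 240  # PE32+ optional header size, left zero-filled
    pe_sig_off = 0x40
    table_off = pe_sig_off + 4 + 20 + size_of_optional
    raw_off = (table_off + 40 * len(sections) + 0x1FF) & ~0x1FF  # 512-byte file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_sig_off)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, size_of_optional, 0x2022)
    table, blobs, ptr = bytearray(), bytearray(), raw_off
    for name, blob in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(blob), 0x1000,
                             len(blob), ptr, 0, 0, 0, 0, 0x40000040)
        blobs += blob
        ptr += len(blob)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(size_of_optional) + bytes(table)
    return image + bytes(raw_off - len(image)) + bytes(blobs)


# Deterministic pseudorandom bytes stand in for the encrypted payload (constructed, not real malware).
_ENCRYPTED_BLOB = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))

SAMPLE_PE = build_synthetic_pe([
    (b".text", bytes([0x90] * 200 + [0xC3] * 56)),                    # repetitive code-like bytes, low entropy
    (b".rdata", b"HWMonitor string table \0" * 8 + _ENCRYPTED_BLOB),  # a few strings, then the hidden payload
    (b".data", bytes(512)),                                            # zero-filled, entropy 0
])

if __name__ == "__main__":
    for s in parse_sections(SAMPLE_PE):
        flag = " <-- looks encrypted/packed" if s.entropy >= HIGH_ENTROPY else ""
        print(f"{s.name:<8} off=0x{s.raw_offset:06x} size={s.raw_size:5d} entropy={s.entropy:.2f}{flag}")
```

Run it against a real DLL by replacing SAMPLE_PE with the file's bytes; a .rdata section scoring close to 8 bits is the kind of anomaly worth carving out and looking at for the decryption routine that consumes it.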

The STX RAT is built for long-term espionage and data exfiltration. It uses API hashing to resolve Windows functions at runtime, which keeps its import table free of anything revealing and complicates static analysis. It also carries anti-analysis checks, such as inspecting the Process Environment Block (PEB) for debugger flags, and enumerates installed security products, including antivirus and EDR software such as Avast, Bitdefender, SentinelOne, and Carbon Black. It silently captures screenshots, collects system information (hostname, username, OS details), and talks to its command-and-control server using JSON messages over HTTPS.
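API hashing works because the binary never stores the string "VirtualAlloc"; it stores a 32-bit constant and, at runtime, walks a module's export table hashing each name until one matches. The defender's counter is the reverse: hash every export name you care about with the sample's routine and look the recovered constants up. The added example below (not code from the article or the STX RAT) does that with a ROR-13 hash, which is an assumption standing in for whatever routine STX actually uses; the constants in OBSERVED_HASHES are computed here for the demonstration, not extracted from a sample.

```python
"""Map API-hash constants back to export names (added example, not from the article).

The hash routine below is a ROR-13 variant common in shellcode; it is an
assumption standing in for the sample's own routine, which you recover from
the disassembly and drop in here. Names are a constructed shortlist of real
Windows exports; a real run would feed the full export table of each DLL.
"""
from typing import Dict, Iterable, List, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(name: str) -> int:
    """Hash an export name: h = ror(h, 13) + byte, over the ASCII bytes."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


def build_hash_table(names: Iterable[str]) -> Dict[int, List[str]]:
    """Precompute hash -> candidate names; a list, so collisions stay visible."""
    table: Dict[int, List[str]] = {}
    for n in names:
        table.setdefault(ror13_hash(n), []).append(n)
    return table


def resolve_hashes(hashes: Iterable[int], table: Dict[int, List[str]]) -> Dict[int, Optional[List[str]]]:
    """Look each constant up; None marks a hash not covered by the candidate list."""
    return {h: table.get(h) for h in hashes}


# Constructed candidate list: real export names, chosen because a loader like the
# one described (allocate, protect, thread, anti-debug, HTTPS) tends to need them.
CANDIDATE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "WriteProcessMemory", "IsDebuggerPresent",
    "CheckRemoteDebuggerPresent", "NtQueryInformationProcess", "WinHttpOpen",
    "WinHttpConnect", "WinHttpSendRequest", "CreateToolhelp32Snapshot",
    "Process32FirstW", "Process32NextW", "GetComputerNameExW", "GetUserNameW",
]

# Constants an analyst might pull from a sample's resolver loop. Constructed here by
# hashing three known names plus one value deliberately outside the candidate list.
OBSERVED_HASHES = [ror13_hash("VirtualAlloc"), ror13_hash("CreateThread"),
                   ror13_hash("IsDebuggerPresent"), 0xDEADBEEF]

if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_EXPORTS)
    for h, names in resolve_hashes(OBSERVED_HASHES, table).items():
        print(f"0x{h:08x} -> {names if names else 'unresolved (extend the export list)'}")
```

An unresolved constant usually means the candidate list is too short, not that the hash is wrong; feeding the complete export lists of kernel32, ntdll and winhttp closes most gaps, and any remaining misses point at a second hash routine or a salt worth looking for in the disassembly.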

What You Should Do

  • Monitor DLL loading: Use image-load telemetry (Sysmon Event ID 7 or your EDR's equivalent) to alert when a DLL whose only legitimate home is C:\Windows\System32 or SysWOW64, CRYPTBASE.dll included, is loaded from a user-writable directory, especially from the same folder as the executable loading it.
  • Restrict which DLLs may load: Application control (Windows Defender Application Control, or AppLocker DLL rules) can block DLLs that are unsigned or not on an allow-list. Test in audit mode first, since some legitimate software ships unsigned DLLs.
  • Detect in-memory execution: Deploy and maintain EDR capable of spotting reflective loading and other fileless techniques, for example executable memory regions that are not backed by a file on disk.
  • Monitor network traffic: JSON over HTTPS blends in with ordinary web traffic, so look at outbound connections by destination rather than content. First-seen domains, endpoints that are rare for the host, and periodic beaconing patterns can point to command-and-control activity.
  • Educate users: Train users on safe download practices and the risk of opening files from untrusted sources, even when they appear to be well-known software.
  • Validate software sources: Download only from the vendor's official site or a trusted repository and check published hashes where available. A valid signature on the executable says nothing about the DLLs sitting next to it, which is exactly what this campaign relies on.
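
The search-order abuse described above and the first recommendation in this list are two sides of the same check, so here is a minimal version of it as an added example (not code from the article or from Gurucul). It walks constructed, simplified renderings of Sysmon Event ID 7 (ImageLoaded) events and flags a known system DLL loaded from anywhere outside the Windows system directories, which is what the CRYPTBASE.dll sideload looks like in image-load telemetry. The pipe-separated field format, the DLL shortlist and the sample paths are constructed for the example; real events arrive as EVTX/XML and the DLL list should come from your own baseline.

```python
"""Flag Windows system DLLs loaded from outside the system directories.

Added example, not code from the article or from Gurucul. The event lines are a
constructed, simplified rendering of Sysmon Event ID 7 (ImageLoaded) fields;
real telemetry is EVTX/XML and would be parsed into the same ImageLoad shape.
"""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional

# DLL names that, on a clean system, exist only under the Windows directory.
# Assumption: a starting list; extend it from your own image-load baseline.
SYSTEM_DLLS = {
    "cryptbase.dll", "cryptsp.dll", "version.dll", "dwmapi.dll",
    "uxtheme.dll", "profapi.dll", "winmm.dll", "wtsapi32.dll",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")


@dataclass
class ImageLoad:
    image: str             # executable that performed the load
    image_loaded: str      # full path of the DLL that was mapped
    signed: str            # Sysmon Signed field ("true"/"false")
    signature_status: str  # Sysmon SignatureStatus ("Valid", "Unavailable", ...)


def parse_event(line: str) -> ImageLoad:
    """Parse one 'Key=Value|Key=Value' line (constructed format) into an ImageLoad."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(fields["Image"], fields["ImageLoaded"], fields["Signed"], fields["SignatureStatus"])


def classify(ev: ImageLoad) -> Optional[str]:
    """Return a reason when the load matches the sideloading pattern, else None."""
    dll_path = ev.image_loaded.lower()
    dll_name = ntpath.basename(dll_path)
    if dll_name not in SYSTEM_DLLS:
        return None  # not a DLL we expect to live only under C:\Windows
    if any(dll_path.startswith(d) for d in SYSTEM_DIRS):
        # Genuine location; still worth a look if the file is unsigned or tampered.
        if ev.signed.lower() == "true" and ev.signature_status.lower() == "valid":
            return None
        return f"{dll_name} in a system directory but signature is {ev.signature_status}"
    # Search-order hijack pattern: the DLL sits beside the loader instead of in System32.
    same_dir = ntpath.dirname(dll_path) == ntpath.dirname(ev.image.lower())
    where = "next to the loading executable" if same_dir else "from a non-system directory"
    return f"{dll_name} loaded {where}: {ev.image_loaded} (by {ev.image})"


def find_sideloads(lines: Iterable[str]) -> List[str]:
    """Run classify over raw event lines and return the findings, in order."""
    return [hit for hit in (classify(parse_event(l)) for l in lines if l.strip()) if hit]


# Constructed sample telemetry: one trojanized HWMonitor directory plus benign loads.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\svchost.exe|ImageLoaded=C:\\Windows\\System32\\cryptbase.dll|Signed=true|SignatureStatus=Valid",
    "Image=C:\\Users\\bob\\Downloads\\HWMonitor\\HWMonitor_x64.exe|ImageLoaded=C:\\Users\\bob\\Downloads\\HWMonitor\\CRYPTBASE.dll|Signed=false|SignatureStatus=Unavailable",
    # The sideloaded DLL's second thread loads the genuine copy; that load is normal and must not alert.
    "Image=C:\\Users\\bob\\Downloads\\HWMonitor\\HWMonitor_x64.exe|ImageLoaded=C:\\Windows\\System32\\cryptbase.dll|Signed=true|SignatureStatus=Valid",
    "Image=C:\\Program Files\\App\\app.exe|ImageLoaded=C:\\Program Files\\App\\helper.dll|Signed=false|SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for finding in find_sideloads(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Of the four constructed events only the second fires: the same process loading the genuine cryptbase.dll from System32 a moment later is exactly the second-thread behaviour the article describes, and the rule leaves it alone. In a real deployment the interesting correlation is both events for one process ID, which is the signature of a proxying sideload rather than a stray copy of a system DLL.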

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
