CPUID Supply Chain Attack Distributes STX RAT, Three Gangs Drive 40% of March Ransomware

April 11, 2026
Key Intel / TL;DR
  • CPUID breached to distribute STX RAT through trojanized CPU-Z and HWMonitor downloads. Verify file hashes if you downloaded recently.
  • Qilin, Akira, and Dragonforce drove 40% of 672 ransomware incidents in March. Fewer groups, more capability.
  • Critical Marimo Python notebook RCE is under active exploitation. Patch or take instances offline now.
  • Nearly 4,000 US industrial control systems are directly exposed to Iranian threat actors on the public internet.
  • Russian APT28 modified router DNS settings across 18,000 networks to intercept Microsoft auth tokens without deploying malware.

CPUID’s website was compromised to push STX RAT through trojanized CPU-Z and HWMonitor downloads, landing the same day researchers confirmed active exploitation of a critical Marimo RCE vulnerability. On the ransomware front, three groups (Qilin, Akira, and Dragonforce) accounted for 40% of 672 March incidents, signaling consolidation into fewer, more capable operations. Russian APT28 rounded out a heavy threat intelligence day with a DNS manipulation campaign targeting Microsoft authentication tokens across 18,000 networks.

Top 5 Critical Security Alerts

1. CPUID Compromised to Distribute STX RAT via Trojanized CPU-Z and HWMonitor

Threat actors breached CPUID’s website and replaced the legitimate CPU-Z and HWMonitor downloads with builds carrying STX RAT, a remote access trojan. The compromise lasted under 24 hours, but an unknown number of downloads occurred in that window. Anyone who fetched either tool recently should compare the file’s hash against a value CPUID publishes through a channel other than the compromised site (a hash pulled from the same site at the same time proves nothing), and hunt for STX RAT indicators of compromise on any host where the download was run. The Hacker News

Operator Note: A supply chain attack on a trusted software distributor bypasses perimeter defenses entirely: the user fetches the malware from the exact site policy told them to trust. Your vulnerability management program needs to account for compromised legitimate tools, not just unpatched software, which in practice means knowing who downloaded what, and when, so a window like this one can be scoped in hours rather than weeks.
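
As an added example (not code from CPUID, The Hacker News, or this report), a small Go tool that does the hash check the alert recommends: it parses a sha256sum-style manifest, streams each downloaded installer through SHA-256, and reports MATCH, MISMATCH, NOT_IN_MANIFEST or READ_ERROR per file. The manifest embedded in it is constructed for illustration; the digests are not CPUID’s real values and must be replaced with hashes obtained from the vendor out of band.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ExampleManifest is constructed for this example: these are NOT CPUID's real
// digests. Obtain real ones from the vendor through a channel other than the site.
const ExampleManifest = `2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  cpu-z.exe
0000000000000000000000000000000000000000000000000000000000000000 *hwmonitor.exe
`

// Verdict is the outcome of checking one downloaded file against the manifest.
type Verdict string

const (
	Match     Verdict = "MATCH"           // digest equals the manifest entry
	Mismatch  Verdict = "MISMATCH"        // same name, different digest: treat as trojanized
	NotListed Verdict = "NOT_IN_MANIFEST" // name absent from the manifest: cannot be verified
	ReadError Verdict = "READ_ERROR"      // file missing or unreadable
)

// ParseManifest reads "<hex sha256>  <filename>" lines (sha256sum output; binary-mode
// names carry a leading '*') into a map keyed by base filename. '#' lines are skipped.
func ParseManifest(text string) (map[string][]byte, error) {
	m := make(map[string][]byte)
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, fmt.Errorf("malformed manifest line: %q", line)
		}
		name := filepath.Base(strings.TrimPrefix(fields[1], "*"))
		sum, err := hex.DecodeString(fields[0])
		if err != nil || len(sum) != sha256.Size {
			return nil, fmt.Errorf("bad SHA-256 for %s: %q", name, fields[0])
		}
		m[name] = sum
	}
	return m, nil
}

// Check compares one downloaded file with the manifest entry of the same base name.
func Check(manifest map[string][]byte, path string) Verdict {
	want, ok := manifest[filepath.Base(path)]
	if !ok {
		return NotListed
	}
	f, err := os.Open(path)
	if err != nil {
		return ReadError
	}
	defer f.Close()
	h := sha256.New() // streamed, so a large installer is never held in memory
	if _, err := io.Copy(h, f); err != nil {
		return ReadError
	}
	if subtle.ConstantTimeCompare(h.Sum(nil), want) == 1 {
		return Match
	}
	return Mismatch
}

// Usage: verify <manifest-file> <downloaded-file>...
// Exits 1 on any non-match so the check can gate an install script.
func main() {
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: verify <manifest> <file>...")
		os.Exit(2)
	}
	var manifest map[string][]byte
	data, err := os.ReadFile(os.Args[1])
	if err == nil {
		manifest, err = ParseManifest(string(data))
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	exit := 0
	for _, p := range os.Args[2:] {
		v := Check(manifest, p)
		fmt.Printf("%-16s %s\n", v, p)
		if v != Match {
			exit = 1
		}
	}
	os.Exit(exit)
}
```

Run it as `verify manifest.txt CPU-Z.exe HWMonitor.exe`; a non-zero exit status means at least one file failed, so the same command can gate an unattended install. The check only proves the file is what the manifest says; if the manifest itself was fetched from the compromised site during the window, both could be attacker-controlled.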

2. Critical Marimo Pre-Auth RCE Flaw Now Under Active Exploitation

A critical vulnerability in the Marimo Python notebook framework allows unauthenticated remote code execution. Attackers are exploiting it in the wild to steal credentials from internet-exposed instances. Organizations running Marimo should patch immediately or take exposed instances offline, and treat any secret reachable from a compromised notebook (cloud keys, database passwords, tokens in environment variables) as exposed and rotate it. BleepingComputer

3. Three Ransomware Gangs Drove 40% of All Attacks in March

Qilin, Akira, and Dragonforce accounted for 40% of 672 ransomware incidents reported in March 2026, according to Check Point. The consolidation of ransomware operations into fewer, more capable groups signals a shift in the threat landscape. Infosecurity Magazine

4. Nearly 4,000 US Industrial Devices Exposed to Iranian Cyberattacks

Researchers identified approximately 4,000 US-based industrial control system devices directly accessible from the internet and vulnerable to known attack vectors used by Iranian threat actors. The exposed devices include PLCs, HMIs, and SCADA systems across energy, water, and manufacturing sectors. BleepingComputer

Operator Note: Internet-exposed OT devices are the textbook example of unmanaged attack surface. If your organization runs industrial control systems, an external asset discovery scan should be running continuously.
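
As an added example (not code from the BleepingComputer report or the researchers behind it), here is what an external asset discovery scan actually does against an exposed Modbus/TCP endpoint: the Go program below frames the unauthenticated Read Device Identification request (function 0x2B, MEI type 0x0E) that scanners use to fingerprint a PLC, and parses the reply into vendor, product and revision. The sample reply it runs on offline is constructed, not captured from any real device; the Probe function performs the live query and should be pointed only at equipment you are authorized to scan.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"os"
	"time"
)

// DeviceID holds the "basic" identification objects (VendorName 0x00, ProductCode 0x01,
// MajorMinorRevision 0x02) that a device returns to an unauthenticated Read Device
// Identification request: function 0x2B, MEI type 0x0E.
type DeviceID struct{ Vendor, Product, Revision string }

// BuildReadDeviceID frames a basic (read code 0x01) read starting at object 0. The MBAP
// header is transaction id, protocol id 0, length of (unit id + PDU), unit id.
func BuildReadDeviceID(txID uint16, unit byte) []byte {
	pdu := []byte{0x2B, 0x0E, 0x01, 0x00}
	frame := make([]byte, 7+len(pdu))
	binary.BigEndian.PutUint16(frame[0:2], txID)
	binary.BigEndian.PutUint16(frame[2:4], 0)
	binary.BigEndian.PutUint16(frame[4:6], uint16(1+len(pdu)))
	frame[6] = unit
	copy(frame[7:], pdu)
	return frame
}

// ParseReadDeviceID decodes the reply. Exception replies (function | 0x80) and frames
// whose length field disagrees with the bytes actually received are rejected.
func ParseReadDeviceID(frame []byte) (DeviceID, error) {
	var id DeviceID
	if len(frame) < 9 {
		return id, errors.New("frame too short")
	}
	if binary.BigEndian.Uint16(frame[2:4]) != 0 {
		return id, errors.New("protocol id is not Modbus")
	}
	if l := int(binary.BigEndian.Uint16(frame[4:6])); l+6 != len(frame) {
		return id, fmt.Errorf("length field says %d bytes, got %d", l, len(frame)-6)
	}
	pdu := frame[7:]
	if pdu[0] == 0x2B|0x80 {
		return id, fmt.Errorf("modbus exception 0x%02x", pdu[1])
	}
	if len(pdu) < 7 || pdu[0] != 0x2B || pdu[1] != 0x0E {
		return id, errors.New("not a Read Device Identification reply")
	}
	// pdu[2..5]: read code, conformity level, more-follows, next object id; pdu[6]: object count.
	fields := map[byte]*string{0x00: &id.Vendor, 0x01: &id.Product, 0x02: &id.Revision}
	rest := pdu[7:]
	for n := int(pdu[6]); n > 0; n-- {
		if len(rest) < 2 || len(rest) < 2+int(rest[1]) {
			return id, errors.New("truncated object")
		}
		if p := fields[rest[0]]; p != nil {
			*p = string(rest[2 : 2+int(rest[1])])
		}
		rest = rest[2+int(rest[1]):]
	}
	return id, nil
}

// SampleReply is a constructed reply, not captured from any real device.
func SampleReply() []byte {
	pdu := []byte{0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 0x03} // basic read, conformity 1, no more, 3 objects
	for i, v := range []string{"ExampleVendor", "PLC-1000", "v2.4"} { // object ids 0, 1, 2
		pdu = append(append(pdu, byte(i), byte(len(v))), v...)
	}
	return append([]byte{0x00, 0x01, 0x00, 0x00, 0x00, byte(1 + len(pdu)), 0x01}, pdu...)
}

// Probe sends one request to addr ("host:502") and parses the reply. Point it only at
// equipment you are authorized to scan.
func Probe(addr string) (DeviceID, error) {
	conn, err := net.DialTimeout("tcp", addr, 3*time.Second)
	if err != nil {
		return DeviceID{}, err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(3 * time.Second))
	if _, err := conn.Write(BuildReadDeviceID(1, 1)); err != nil {
		return DeviceID{}, err
	}
	buf := make([]byte, 260) // maximum Modbus/TCP ADU; one reply to one request
	n, err := conn.Read(buf)
	if err != nil {
		return DeviceID{}, err
	}
	return ParseReadDeviceID(buf[:n])
}

func main() {
	if len(os.Args) == 2 { // e.g. modbusid 192.0.2.10:502
		fmt.Println(Probe(os.Args[1]))
		return
	}
	fmt.Println(ParseReadDeviceID(SampleReply())) // offline demo on the constructed reply
}
```

If this request answers from the public internet, the device is enumerable by anyone, and the vendor/product/revision string it returns is exactly what an attacker matches against known-vulnerable firmware. The parser rejects exception replies and frames whose length field disagrees with the bytes received rather than trusting either.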

5. Hims Telehealth Breach Exposes Sensitive Protected Health Information

Threat actors compromised the telehealth platform Hims and accessed highly sensitive patient health information including treatment details and medical conditions. The breach is notable for the specificity of the PHI exposed, going beyond names and insurance numbers into clinical data. Dark Reading

Additional Security Alerts

Threat Intelligence

  • Russia’s Forest Blizzard Harvests Microsoft Office Tokens via SOHO Routers - Forest Blizzard (Microsoft’s name for the GRU unit also tracked as APT28) modified the DNS settings on small-office and home routers across roughly 18,000 networks so that Microsoft authentication traffic resolved to attacker-controlled infrastructure, letting the group intercept tokens without placing any malware on endpoints. Because nothing lands on the host, EDR has nothing to detect; the evidence lives in the router configuration and in the DNS answers clients receive. Krebs on Security

  • STX RAT Targets Finance Sector With Advanced Stealth Tactics - The same RAT found in the CPUID compromise is also being deployed in targeted campaigns against financial institutions using advanced command-and-control infrastructure. Infosecurity Magazine

  • Germany Identifies REvil and GandCrab Ransomware Leader - German authorities named 31-year-old Daniil Shchukin as the operator behind REvil and GandCrab, two of the ransomware-as-a-service operations that helped make double extortion the standard playbook. Krebs on Security
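
The DNS-manipulation technique described in the Forest Blizzard item above can be checked for from inside a network. As an added example (not from Krebs on Security or any vendor), the Go program below queries the Microsoft sign-in hostnames through the resolver the router hands out and through a resolver you trust, at the same moment, and flags addresses that only the router’s resolver returns, plus a router resolver that falls outside your policy. The allowed-resolver prefixes, the constructed answers used in testing, and the choice of hostnames are assumptions of this example.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/netip"
	"os"
	"sort"
	"time"
)

// AuthHosts are the Microsoft sign-in hostnames whose resolution is worth checking.
var AuthHosts = []string{"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}

// Finding is one thing worth investigating on a network.
type Finding struct {
	Host  string       // hostname, or "resolver" for a resolver-policy finding
	Rogue []netip.Addr // addresses the trusted resolver never returned
}

// ResolverOutsidePolicy reports whether the resolver the router hands out via DHCP
// is not one you expect (your own resolvers, your ISP's, or a known public service).
func ResolverOutsidePolicy(resolver netip.Addr, allowed []netip.Prefix) bool {
	for _, p := range allowed {
		if p.Contains(resolver) {
			return false
		}
	}
	return true
}

// UnexpectedAnswers returns addresses in observed that the trusted resolver did not return
// at the same moment. For a sign-in hostname that is where an interception proxy would sit.
// CDN and geo differences cause benign divergence, so this is a lead, not proof.
func UnexpectedAnswers(observed, trusted []netip.Addr) []netip.Addr {
	known := make(map[netip.Addr]bool, len(trusted))
	for _, a := range trusted {
		known[a.Unmap()] = true // Unmap so ::ffff:1.2.3.4 and 1.2.3.4 compare equal
	}
	var out []netip.Addr
	for _, a := range observed {
		if u := a.Unmap(); !known[u] {
			out = append(out, u)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Less(out[j]) })
	return out
}

// Assess combines both checks over already-collected answers (hostname -> addresses
// from the router's resolver and from the trusted one).
func Assess(routerDNS netip.Addr, allowed []netip.Prefix, observed, trusted map[string][]netip.Addr) []Finding {
	var f []Finding
	if ResolverOutsidePolicy(routerDNS, allowed) {
		f = append(f, Finding{Host: "resolver", Rogue: []netip.Addr{routerDNS}})
	}
	for _, h := range AuthHosts {
		if rogue := UnexpectedAnswers(observed[h], trusted[h]); len(rogue) > 0 {
			f = append(f, Finding{Host: h, Rogue: rogue})
		}
	}
	return f
}

// resolverFor pins a Go resolver to one DNS server given as "ip:port".
func resolverFor(server string) *net.Resolver {
	d := &net.Dialer{Timeout: 3 * time.Second}
	return &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			return d.DialContext(ctx, network, server)
		},
	}
}

// Usage: dnscheck <router-dns-ip> <trusted-dns-ip>
// Queries each sign-in hostname through both resolvers and reports divergence.
func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: dnscheck <router-dns-ip> <trusted-dns-ip>")
		os.Exit(2)
	}
	routerDNS, trustedDNS := netip.MustParseAddr(os.Args[1]), netip.MustParseAddr(os.Args[2])
	// Assumed policy: your internal resolvers plus the trusted resolver you pass in.
	allowed := []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8"), netip.PrefixFrom(trustedDNS, trustedDNS.BitLen())}
	ctx := context.Background()
	observed, trusted := map[string][]netip.Addr{}, map[string][]netip.Addr{}
	for _, h := range AuthHosts { // same moment, same vantage point, two resolvers
		observed[h], _ = resolverFor(net.JoinHostPort(os.Args[1], "53")).LookupNetIP(ctx, "ip4", h)
		trusted[h], _ = resolverFor(net.JoinHostPort(os.Args[2], "53")).LookupNetIP(ctx, "ip4", h)
	}
	for _, f := range Assess(routerDNS, allowed, observed, trusted) {
		fmt.Printf("INVESTIGATE %-28s %v\n", f.Host, f.Rogue)
	}
}
```

CDN and geo-routing make sign-in hostnames resolve to different Microsoft addresses from different vantage points, so treat a divergence as a lead to investigate rather than proof; querying both resolvers at the same instant from the same host keeps that noise down. A router resolver that is not your own, your ISP’s or a known public service is the stronger signal, and it is visible in the router’s DHCP settings without any DNS query at all.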

Security Breaches & Incidents

  • Bitcoin Depot Loses $3.6M in Crypto Theft After System Breach - Hackers stole over 50 Bitcoin (approximately $3.66 million) after compromising Bitcoin Depot’s internal systems. Infosecurity Magazine

  • Over 20,000 Crypto Fraud Victims Identified in International Crackdown - Law enforcement across multiple countries identified tens of thousands of victims in a coordinated operation targeting cryptocurrency fraud networks. BleepingComputer

  • Hackers Steal and Leak Sensitive LAPD Documents - The World Leaks gang breached Los Angeles Police Department systems and publicly released sensitive law enforcement records. TechCrunch

Emerging Security Technologies

  • Google Chrome Rolls Out Session Cookie Protection Against Infostealers - Chrome’s new Device Bound Session Credentials feature ties a web session to a private key held on the device (hardware-backed where a TPM is available) and makes the cookie itself short-lived: refreshing it requires a signature from that key, so an infostealer that copies the cookie cannot keep the session alive from another machine. Infosecurity Magazine

  • Anthropic’s New AI Model Can Write Exploits for Zero-Day Vulnerabilities - Anthropic released a model capable of discovering and exploiting unpatched vulnerabilities, raising questions about safeguards for dual-use AI security tools. Dark Reading
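
As an added example of the mechanism behind the Chrome item above, not Chrome’s code or its wire protocol, the Go program below models a device-bound session: the browser enrolls an Ed25519 public key at login, the server hands out a cookie that expires quickly, and each refresh requires a signature over a one-time challenge with the private key that never leaves the device. An infostealer that copies the cookie holds a valid bearer token only until it expires and cannot refresh it. TPM key storage, the exact HTTP headers, and the TTL are left out or assumed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Session is the server-side record: the durable credential is the device public key, the cookie is a short-lived bearer value.
type Session struct {
	DeviceKey ed25519.PublicKey
	Cookie    string
	Expires   time.Time
	Challenge []byte // one-time nonce the device must sign to obtain the next cookie
}

// Server issues device-bound sessions. Now is a field so expiry can be tested without sleeping.
type Server struct {
	sessions map[string]*Session
	TTL      time.Duration
	Now      func() time.Time
}

func NewServer(ttl time.Duration) *Server {
	return &Server{sessions: map[string]*Session{}, TTL: ttl, Now: time.Now}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: nothing sensible to do but stop
	}
	return b
}

// Register is the login step: the device enrolls the public key every later refresh must be signed with.
func (s *Server) Register(pub ed25519.PublicKey) (sid, cookie string, challenge []byte) {
	sid = hex.EncodeToString(randomBytes(16))
	sess := &Session{DeviceKey: pub}
	s.sessions[sid] = sess
	s.rotate(sess)
	return sid, sess.Cookie, sess.Challenge
}

// rotate mints a fresh short-lived cookie and a fresh challenge.
func (s *Server) rotate(sess *Session) {
	sess.Cookie = hex.EncodeToString(randomBytes(32))
	sess.Expires = s.Now().Add(s.TTL)
	sess.Challenge = randomBytes(32)
}

// Authorize accepts a request bearing the cookie only while the cookie is unexpired.
func (s *Server) Authorize(sid, cookie string) bool {
	sess, ok := s.sessions[sid]
	return ok && cookie == sess.Cookie && s.Now().Before(sess.Expires)
}

// challengeMessage binds the signature to this session so it cannot be replayed against another.
func challengeMessage(sid string, challenge []byte) []byte {
	return append([]byte("dbsc-refresh:"+sid+":"), challenge...)
}

// SignChallenge is the client side. The private key never leaves the device (in the
// real feature it lives in the TPM), which is the step an infostealer cannot perform.
func SignChallenge(priv ed25519.PrivateKey, sid string, challenge []byte) []byte {
	return ed25519.Sign(priv, challengeMessage(sid, challenge))
}

// Refresh issues a new cookie only for a valid signature over the current challenge, then consumes the challenge so a captured signature cannot be replayed.
func (s *Server) Refresh(sid string, sig []byte) (cookie string, next []byte, err error) {
	sess, ok := s.sessions[sid]
	if !ok {
		return "", nil, errors.New("unknown session")
	}
	if !ed25519.Verify(sess.DeviceKey, challengeMessage(sid, sess.Challenge), sig) {
		return "", nil, errors.New("refresh rejected: signature is not from the enrolled device key")
	}
	s.rotate(sess)
	return sess.Cookie, sess.Challenge, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	s := NewServer(2 * time.Second) // deliberately tiny TTL for the demo
	sid, cookie, ch := s.Register(pub)
	fmt.Println("fresh cookie accepted:", s.Authorize(sid, cookie))
	stolen := cookie // an infostealer copies the cookie jar
	time.Sleep(2100 * time.Millisecond)
	fmt.Println("stolen cookie after TTL:", s.Authorize(sid, stolen))
	_, attacker, _ := ed25519.GenerateKey(nil)
	_, _, err := s.Refresh(sid, SignChallenge(attacker, sid, ch))
	fmt.Println("attacker refresh:", err)
	cookie, _, err = s.Refresh(sid, SignChallenge(priv, sid, ch))
	fmt.Println("device refresh ok:", err == nil, "new cookie accepted:", s.Authorize(sid, cookie))
}
```

What this buys you is a shrunken window, not immunity: a cookie copied in the first minutes of its life still works until the TTL runs out, and malware executing on the device can ask the TPM to sign on its behalf. The defence is aimed at the dominant infostealer pattern, exfiltrate the cookie jar and replay it elsewhere.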


The Axe Report is a daily briefing from Grab The Axe. Need help assessing your organization’s security posture? Take our free Human Attack Surface Score assessment.

Chris Armour
Director of Software Engineering
The Breaker & Builder.

Operating on the philosophy that 'you can't build a secure system if you don't know how to break it,' Chris leads our engineering division. A top 1% National Cyber League competitor, he hardens our digital infrastructure against the very exploits he has mastered.
