Threat Advisory

HWMonitor Trojanized to Deliver Multi-Stage STX RAT via DLL Sideloading

Threat: Malware Campaign
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

This campaign involved trojanized versions of the legitimate HWMonitor application, weaponized to distribute the STX Remote Access Trojan (RAT) through DLL sideloading and multi-stage payload execution. The attackers leveraged the trust associated with widely used system-monitoring software to trick victims into downloading malicious installers that appeared legitimate but secretly executed embedded malicious components. Once launched, the altered executable abused DLL sideloading to load a malicious library in place of the legitimate dependency, allowing the attackers to evade traditional antivirus detection and execute malicious code in the context of a trusted process. The campaign demonstrated strong operational security and layered infection mechanisms designed to complicate forensic analysis and delay detection. By combining software trojanization, staged payload delivery, encrypted communications, and stealth-focused execution methods, the threat actors created a resilient infection chain capable of establishing persistent remote access on compromised systems.

The infection chain begins when users execute a trojanized HWMonitor installer containing both legitimate application components and malicious payloads engineered to initiate DLL sideloading. During execution, the trusted executable searches for required dynamic-link libraries within the local application directory, where attackers strategically placed a malicious DLL masquerading as a legitimate dependency. This malicious library initiates the first stage of the attack by decrypting and loading additional payloads directly into memory, significantly reducing disk-based forensic artifacts and improving evasion capabilities. The malware then deploys the STX RAT, a remote access trojan capable of command execution, system reconnaissance, persistence establishment, process manipulation, and data collection. Researchers observed the malware using obfuscated code, encrypted strings, and staged execution routines to hinder reverse engineering efforts. In several instances, the malware leveraged process injection and reflective loading techniques to operate within legitimate system processes and maintain stealth. Network communications between infected systems and command-and-control infrastructure were also encrypted, making detection through conventional traffic inspection more difficult.

This campaign demonstrates how threat actors continue to evolve beyond traditional phishing-based malware delivery by weaponizing trusted software and exploiting legitimate application behavior to bypass security mechanisms. The abuse of DLL sideloading within a trojanized HWMonitor package allowed attackers to disguise malicious execution as normal application activity, significantly increasing the likelihood of successful compromise. The deployment of STX RAT through a multi-stage infection architecture further enhanced the campaign’s ability to evade detection, maintain persistence, and provide attackers with extensive remote control capabilities over compromised environments. The operation also reflects broader trends in modern cyber threats, where adversaries increasingly rely on stealth-oriented execution methods, memory-resident payloads, and trusted application abuse to compromise systems while minimizing forensic evidence. Organizations should strengthen software verification procedures, monitor abnormal DLL loading behavior, implement application allowlisting, and enhance endpoint detection capabilities focused on behavioral analysis rather than signature-based detection alone.

THREAT PROFILE:

Tactic               | Technique ID | Technique                                 | Sub-Technique
Initial Access       | T1195.002    | Supply Chain Compromise                   | Compromise Software Supply Chain
Execution            | T1059.001    | Command and Scripting Interpreter         | PowerShell
Execution            | T1106        | Native API                                | -
Persistence          | T1547.001    | Boot or Logon Autostart Execution         | Registry Run Keys / Startup Folder
Defense Evasion      | T1027.013    | Obfuscated Files or Information           | Encrypted/Encoded File
Defense Evasion      | T1218.011    | System Binary Proxy Execution             | Rundll32
Defense Evasion      | T1620        | Reflective Code Loading                   | -
Defense Evasion      | T1055.001    | Process Injection                         | Dynamic-link Library Injection
Discovery            | T1082        | System Information Discovery              | -
Discovery            | T1016        | System Network Configuration Discovery    | -
Discovery            | T1518.001    | Software Discovery                        | Security Software Discovery
Collection           | T1005        | Data from Local System                    | -
Command and Control  | T1071.001    | Application Layer Protocol                | Web Protocols
Command and Control  | T1573.001    | Encrypted Channel                         | Symmetric Cryptography
Command and Control  | T1105        | Ingress Tool Transfer                     | -

MBC MAPPING:

Objective                  | Behaviour ID | Behaviour
Defense Evasion            | F0015        | Hijack Execution Flow
Defense Evasion            | E1055        | Process Injection
Anti-Static Analysis       | B0012        | Disassembler Evasion
Collection                 | E1113        | Screen Capture
Command and Control        | B0030        | C2 Communication
Anti-Behavioral Analysis   | B0001        | Debugger Detection

REFERENCES:

The following reports contain further technical details:

https://cybersecuritynews.com/hackers-abuse-legitimate-hwmonitor-binary/

https://gurucul.com/blog/hwmonitor-trojanized-to-deliver-multi-stage-stx-rat-via-dll-sideloading/
