Attackers Hijack CPUID Backend, Redirect Popular System Tools to Malware
Zero Signal Staff
Published April 13, 2026 at 12:29 AM ET

The Register
Attackers compromised a backend component of the CPUID website on April 9-10, 2026, causing download links for tools like HWMonitor and CPU-Z to randomly serve malicious installers instead of legitimate software. The breach lasted approximately six hours before CPUID identified and fixed the issue, though the company has not disclosed how many users downloaded infected files.
The attack targeted a secondary API used to serve downloads rather than the actual software builds themselves. Users began reporting the problem when antivirus software flagged suspicious installers or when downloaded files had unexpected names—one example showed an HWMonitor 1.63 installer labeled "HWiNFOMonitorSetup.exe." CPUID confirmed in a post on X that the breach was limited to how downloads were being delivered, not the signed software files themselves, which remained uncompromised.
The malicious installer analyzed by vx-underground targeted 64-bit HWMonitor users and included a fake CRYPTBASE.dll file designed to mimic legitimate Windows components. Once executed, the malware contacted a command-and-control server to download additional payloads, then used PowerShell and in-memory execution to avoid leaving traces on disk. Researchers identified attempts to access browser data, including interactions with Google Chrome's IElevation COM interface—a method used to decrypt stored credentials from the browser.
The malware's infrastructure showed connections to earlier campaigns targeting FileZilla users, suggesting this was part of a broader attack pattern rather than an isolated incident. CPUID stated that investigations were ongoing but provided no details on how the API was initially compromised or the total number of affected downloads.
Context
Supply chain attacks targeting software distribution have become increasingly common. In 2023, the 3CX software breach compromised legitimate installers and affected thousands of organizations. The CPUID incident mirrors this approach—rather than infiltrating the development process, attackers intercepted the delivery mechanism, a tactic that requires fewer technical barriers than compromising build systems but still reaches users who trust the source.
CPUID's tools, particularly CPU-Z and HWMonitor, are widely used by IT professionals, system administrators, and enthusiasts for hardware monitoring and diagnostics. CPU-Z alone has been downloaded millions of times since its release in 2000, making the CPUID website a high-value target for attackers seeking to distribute malware to a technically sophisticated audience.
What's Next
CPUID has not announced any additional security measures or a timeline for a public postmortem on how the API was compromised. Users who downloaded HWMonitor or CPU-Z between April 9 and 10 should verify file names against official documentation and run antivirus scans on affected systems. The lack of disclosure about the breach's scope, specifically how many users were exposed and how many actually downloaded malicious files, leaves the true impact of the incident unclear and may prompt security researchers to investigate independently.
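The triage the article recommends can be scripted. The following is an added example written for this story, not code from CPUID or from the researchers cited; it checks a downloaded installer for the three indicators the report describes (an unexpected file name, a missing or wrong Authenticode signature, and a CRYPTBASE.dll dropped beside the installer). The file-name patterns and the publisher string are placeholders, assumed here and to be confirmed against a known-good copy.

```powershell
# Added example (not from the article or CPUID). Assumptions: the expected
# file-name patterns and the publisher pattern are placeholders to adjust.
function Test-CpuidDownload {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed naming of official installers; adjust to CPUID's real names
        [string[]] $ExpectedNamePatterns = @('hwmonitor*.exe', 'cpu-z*.exe'),
        # Assumed placeholder; read the subject from a known-good signed copy
        [string] $ExpectedPublisherPattern = '*CPUID*'
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $file = Get-Item -LiteralPath $Path

    # 1. File name: the malicious sample was delivered as HWiNFOMonitorSetup.exe
    $nameOk = $false
    foreach ($p in $ExpectedNamePatterns) { if ($file.Name -like $p) { $nameOk = $true } }
    if (-not $nameOk) { $findings.Add("unexpected file name: $($file.Name)") }

    # 2. Authenticode: CPUID said its signed builds were untouched, so a valid
    #    signature from the expected publisher is the strongest single check
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $findings.Add("signature status: $($sig.Status)")
    } elseif ($sig.SignerCertificate.Subject -notlike $ExpectedPublisherPattern) {
        $findings.Add("unexpected signer: $($sig.SignerCertificate.Subject)")
    }

    # 3. Sidecar DLL: the sample carried a fake CRYPTBASE.dll; a copy outside
    #    System32, next to the installer, is assumed here to be the drop location
    $sidecar = Join-Path $file.DirectoryName 'CRYPTBASE.dll'
    if (Test-Path -LiteralPath $sidecar) {
        $findings.Add("CRYPTBASE.dll present next to installer: $sidecar")
    }

    # Hash is returned so the result can be compared with vendor-published values
    [pscustomobject]@{
        File     = $file.FullName
        Sha256   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Suspect  = ($findings.Count -gt 0)
        Findings = $findings
    }
}

# Usage:
# Test-CpuidDownload -Path "$env:USERPROFILE\Downloads\HWiNFOMonitorSetup.exe"
```

A result with Suspect set to true is a reason to quarantine the file and run the antivirus scan the article recommends; a valid signature from the expected publisher is what distinguishes an untouched signed build from a substituted installer.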
