Official CPUID Downloads Weaponized During Six-Hour Breach
Threat actors infiltrated a secondary API belonging to the CPUID project and silently altered the download links hosted on its official website. The tampered links redirected users to malicious executables masquerading as legitimate copies of CPU-Z and HWMonitor — two widely trusted utilities that millions of users rely on for monitoring internal hardware health and retrieving detailed system specifications.
The incident was discovered when users began reporting on Reddit that the official download portal was pointing to Cloudflare R2 storage and delivering a trojanized version of HWiNFO, a separate hardware diagnostics tool developed by a different company. The malicious file was named HWiNFO_Monitor_Setup, and executing it launched a Russian-language installer wrapped in Inno Setup — an atypical packaging approach that immediately raised red flags for security researchers.
Original Binaries Remained Intact
Importantly, users who knew the direct download URL were reportedly still able to fetch the legitimate hwmonitor_1.63.exe, suggesting that the original signed binaries were never tampered with. The attack targeted the distribution links rather than the files themselves — effectively poisoning the download chain while leaving the source files untouched.
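The failure mode described above, a download portal whose links were swapped while the signed files stayed intact, can be caught by a simple link-integrity audit of the download page. The following is an added example, not CPUID's code or anything from the article: it parses a constructed snippet of a download page and flags any link whose host is not the vendor's own or whose file name does not match the product it is labelled as; the `download.cpuid.com` host, the `cpu-z_` file name and the off-domain bucket URL are assumed placeholders, not values from the incident.

```python
# Added example: audit a download page for swapped links (off-domain host or
# mismatched file name), the two signs reported in the CPUID incident.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate HWMonitor link, one swapped link that
# points to an off-domain bucket with a foreign file name, and a CPU-Z link.
# Hosts and paths are placeholders, not the real ones from the incident.
SAMPLE_PAGE = """
<a href="https://download.cpuid.com/hwmonitor/hwmonitor_1.63.exe">HWMonitor</a>
<a href="https://bucket.r2.example/HWiNFO_Monitor_Setup.zip">HWMonitor</a>
<a href="https://download.cpuid.com/cpu-z/cpu-z_2.15-en.exe">CPU-Z</a>
"""

EXPECTED_HOSTS = {"download.cpuid.com"}            # assumed vendor download host
EXPECTED_PREFIX = {"HWMonitor": "hwmonitor_",      # assumed file-name conventions
                   "CPU-Z": "cpu-z_"}


class LinkCollector(HTMLParser):
    """Collect (link text, href) pairs for every <a> element on the page."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def audit_download_links(page_html):
    """Return (link_text, href, reason) for each link that looks swapped."""
    parser = LinkCollector()
    parser.feed(page_html)
    findings = []
    for text, href in parser.links:
        url = urlparse(href)
        filename = url.path.rsplit("/", 1)[-1].lower()
        if url.hostname not in EXPECTED_HOSTS:
            findings.append((text, href, f"unexpected host {url.hostname}"))
        prefix = EXPECTED_PREFIX.get(text)
        if prefix and not filename.startswith(prefix):
            findings.append((text, href, f"file {filename!r} lacks prefix {prefix!r}"))
    return findings


if __name__ == "__main__":
    for text, href, reason in audit_download_links(SAMPLE_PAGE):
        print(f"[{text}] {href}: {reason}")
```

Run periodically against the live page (or by a user before clicking), this reports the swapped HWMonitor link twice, once for its off-domain host and once for its HWiNFO-style file name, and stays silent on the legitimate links.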
In its official statement to BleepingComputer, a CPUID spokesperson confirmed the scope of the incident:
"Investigations are still ongoing, but it appears that a secondary feature (basically a side API) was compromised for approximately six hours between April 9 and April 10, causing the main website to randomly display malicious links (our signed original files were not compromised). The breach was found and has since been fixed." — CPUID
The spokesperson also noted that the attack occurred while the project's main developer was away on holiday, a detail that may have contributed to the delay in detection and response.
A Sophisticated, Multi-Stage Loader
The malware involved is far from a simple dropper. Independent analysis by Igor's Lab and the security research collective @vxunderground confirmed the presence of a technically advanced loader employing established tactics, techniques, and procedures (TTPs). Vxunderground published a detailed breakdown of its findings:
"As I began poking this with a stick, I discovered this is not your typical run-of-the-mill malware. This malware is deeply trojanized, distributes from a compromised domain (cpuid-dot-com), performs file masquerading, is multi-staged, operates (almost) entirely in-memory, and uses some interesting methods to evade EDRs and/or AVs such as proxying NTDLL functionality from a .NET assembly." — vxunderground
The in-memory execution strategy and NTDLL proxying via a .NET assembly are particularly notable. By avoiding writes to disk and rerouting low-level Windows API calls, the malware is engineered to slip past endpoint detection and response (EDR) platforms as well as traditional antivirus solutions.
Antivirus Detection and Malware Classification
The malicious ZIP archive distributed through the poisoned links was flagged by 20 antivirus engines on VirusTotal at the time of reporting, though no unified classification had emerged. Some engines identified the payload as Tedy Trojan, while others labeled it Artemis Trojan. Researchers examining the fake HWiNFO variant on VirusTotal suggested it functions as an infostealer, designed to harvest sensitive data from infected systems.
Same Threat Actor Linked to FileZilla Attack
Researchers believe the group responsible for the CPUID compromise is the same threat actor that targeted users of the FileZilla FTP solution the previous month. This pattern indicates a deliberate focus on popular, widely distributed software utilities — tools that attract large audiences of technical users who are likely to have elevated system access or store valuable credentials.
Scope, Timeline, and Remediation
According to CPUID, the API compromise lasted for roughly six hours spanning April 9 and April 10, 2026. During that window, the main website intermittently served malicious download links to visitors. The company has since closed the breach and confirmed that current downloads for both CPU-Z and HWMonitor are clean and unmodified.
Users who downloaded either tool during the affected period are strongly advised to:
- Scan their systems with multiple up-to-date antivirus or anti-malware tools
- Check for suspicious processes running entirely in memory
- Rotate any credentials or tokens stored on the affected machine
- Re-download the utilities from the official CPUID site now that the issue has been resolved
BleepingComputer reached out to CPUID for additional details regarding the exact timeline, the affected versions, and recommended steps for impacted users. The company's response confirmed the breach window and indicated that investigations are ongoing.
A Growing Trend in Supply Chain Targeting
This incident adds to a growing list of supply chain attacks targeting software download infrastructure. By compromising the distribution layer rather than the source code itself, attackers can reach large numbers of end users without triggering the integrity checks that protect signed binaries. The CPUID breach demonstrates that even a brief window of access to a secondary API can be sufficient to expose millions of potential victims to sophisticated malware.
Source: BleepingComputer