Analysis has determined that the official website of CPUID, maker of the popular hardware monitoring tools CPU-Z and HWMonitor, was the target of a cyberattack.
According to available information, during a limited period spanning 9–10 April 2026, the attackers compromised part of the website’s backend infrastructure, particularly a component functioning as a “side API”. As a result, the official download links presented to users were randomly redirected to malicious files.
In its official statement, CPUID noted that the incident lasted for approximately six hours. However, the original signed versions of the software were not compromised. The impact of the attack was primarily limited to the manipulation of the download delivery mechanism.
Initial suspicions emerged on the basis of anomalies observed by users. Specifically, some users attempting to update or download HWMonitor and CPU-Z encountered installers that either tripped antivirus alerts or showed up under odd names. One example that did the rounds had the HWMonitor 1.63 update pointing to a file called “HWiNFO_Monitor_Setup.exe”. This, in turn, led users to conclude that the download process had been subjected to third-party interference.
The investigation indicates that the malicious files delivered to users were trojanized installers. Each contained a legitimate signed executable together with a malicious dynamic-link library named “CRYPTBASE.dll”. The malicious code was executed through DLL side-loading: the signed executable loads the DLL from its own directory rather than the system copy, so the attacker’s library runs under the trust of the legitimate, signed binary.
Among the rogue and malicious domains reportedly used during the attack were the following:
• cahayailmukreatif.web[.]id
• pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev
• transitopalermo[.]com
• vatrobran[.]hr
Through these domains, the trojanized software was distributed both as ZIP archives and as standalone installers.
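The archive layout described above (a signed executable shipped alongside CRYPTBASE.dll, distributed as a ZIP) is a pattern a defender can triage before anything is run. The following script is an added example, not code from CPUID or from the incident analysis; the watchlist of DLL names and the sample archives are constructed here for illustration.

```python
import io
import posixpath
import zipfile

# Constructed watchlist (an assumption, not from the advisory): Windows system DLLs
# that a legitimate installer loads from System32 and has no reason to bundle.
# CRYPTBASE.dll is the name reported in the CPUID incident.
SIDELOAD_WATCHLIST = {"cryptbase.dll", "version.dll", "dbghelp.dll"}


def find_sideload_candidates(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (dll_member, exe_member) pairs where a watchlisted DLL sits in the
    same archive directory as an executable, i.e. where the loader's
    application-directory search would pick it up before System32."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [m for m in zf.namelist() if not m.endswith("/")]
        exes_by_dir: dict[str, list[str]] = {}
        for m in members:
            d, name = posixpath.split(m)
            if name.lower().endswith(".exe"):
                exes_by_dir.setdefault(d, []).append(m)
        for m in members:
            d, name = posixpath.split(m)
            if name.lower() in SIDELOAD_WATCHLIST:
                for exe in exes_by_dir.get(d, []):
                    findings.append((m, exe))
    return findings


def build_sample_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {member_name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a trojanized layout (EXE beside CRYPTBASE.dll) and a clean
# one. "MZ..." stands in for real PE content; no real installer is embedded.
TROJANIZED = build_sample_zip({
    "HWMonitor/Setup.exe": b"MZ...",
    "HWMonitor/CRYPTBASE.dll": b"MZ...",
})
CLEAN = build_sample_zip({"HWMonitor/Setup.exe": b"MZ..."})

if __name__ == "__main__":
    for label, blob in (("trojanized", TROJANIZED), ("clean", CLEAN)):
        print(label, find_sideload_candidates(blob))
```

A hit only means the layout matches the side-loading pattern; confirm by checking whether the bundled DLL is signed by the same publisher as the executable and whether the vendor's official package ever ships it.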
Malicious components then reached out to a command-and-control (C2) server to pull down additional payloads. Furthermore, the malware was observed to operate almost entirely in memory, which enabled it to evade detection by antivirus and EDR systems. The use of PowerShell scripts during the attack was also widely documented.
The primary goal of the attack was data theft, specifically browser credentials. In this context, it was reported that the malware attempted to interact with Google Chrome’s IElevation COM interface to access and decrypt stored credentials.
According to expert analysis, this campaign is linked to similar attack infrastructure previously used in March 2026 against users of the FileZilla software. This suggests that the incident was not isolated, but rather formed part of a planned campaign relying on reused technical infrastructure.
In some cases, the malicious payload reportedly resulted in the installation of STX RAT (Remote Access Trojan). This malware enables threat actors to obtain extensive control over compromised systems, execute additional malicious components and carry out post-exploitation activities.
More than 150 victims have been identified, mostly individuals, although organizations have also been affected.
At present, CPUID has fixed the issue and restored its services. Nevertheless, the incident once again demonstrates the growing threat posed by supply chain attacks. In such attacks, it is not the software itself, but rather the distribution infrastructure through which it is delivered, that is targeted.