CPUID Website Compromised: Malware Delivered via CPU-Z and HWMonitor Download Links in April 2026

Executive Summary
Between April 9 and April 10, 2026, the official website of CPUID, the vendor behind the widely used CPU-Z and HWMonitor utilities, was compromised for approximately six hours. Attackers gained access to a secondary backend API, altering download links on the site to serve a trojanized installer instead of legitimate binaries. The malicious file, masquerading as a legitimate hardware monitoring tool, was designed to steal browser credentials and potentially other sensitive information. The original, signed binaries of CPU-Z and HWMonitor were not compromised; only the download links were affected. The breach was discovered and remediated by CPUID on April 10, 2026, and clean versions are now being served. This incident highlights the risks associated with supply chain attacks on trusted software distribution channels and the potential for widespread impact across both consumer and enterprise environments. All information in this summary is based on the verified content from BleepingComputer, The Register, and PC Gamer, as cited in the References section.
Technical Information
The attack on CPUID was a supply chain compromise of the distribution mechanism rather than of the software build process. The attackers exploited a weakness in a secondary API or backend feature that allowed them to modify the download links on the official CPUID website. As a result, users who clicked the CPU-Z or HWMonitor download links during the affected window received a malicious executable named HWiNFO_Monitor_Setup.exe, hosted on Cloudflare R2 object storage, instead of the legitimate installer. The filename itself was a warning sign: HWiNFO is a hardware monitoring tool from a different vendor (REALiX), not a CPUID product, so a CPUID download page should never serve it. The file was not an update of any kind but a trojanized installer that started a multi-stage infection chain.
On execution, the file presented a Russian-language Inno Setup installer, which is atypical for CPUID products and immediately raised suspicion among users. The installer dropped a fake CRYPTBASE.dll. The genuine cryptbase.dll is a Windows system DLL, so a lookalike placed in a directory that is searched before System32 gets loaded in its place; this is the standard DLL search-order hijacking pattern, and it is what the coverage means by a DLL that mimics a legitimate Windows component. The fake DLL contacted a remote command-and-control (C2) server and downloaded further payloads. The malware ran primarily in memory, using PowerShell and .NET assemblies to evade endpoint detection and response (EDR) and antivirus (AV) products, and relied on proxying NTDLL functionality through a .NET assembly, process injection, and file masquerading to stay stealthy.
The next stage compiled a .NET infostealer on the victim machine at runtime, a common way to keep a recognisable stealer binary off disk, and injected it into other processes. Analysis showed that it targeted browser credentials and interacted with Google Chrome's elevation service, the COM broker behind Chrome's App-Bound Encryption (the interface is called IElevation in the coverage; Chrome's own source names it IElevator), to decrypt stored credentials from the user's context. Each stage was designed to minimise the disk footprint and maximise evasion of security controls.
VirusTotal scans flagged the malicious ZIP file by at least 20 antivirus engines, with some identifying it as Tedy Trojan or Artemis Trojan. Independent researchers, including vx-underground, confirmed that the malware was not a typical commodity threat but a deeply trojanized, multi-stage infostealer with advanced evasion capabilities.
The attack did not compromise the integrity of the original CPU-Z and HWMonitor binaries, which remained properly signed and available via direct URLs. The compromise was limited to the distribution mechanism, specifically the download links presented to users on the official website. This distinction is critical, as it indicates that the attackers did not gain access to the software development or signing infrastructure.
The threat group responsible for this attack is believed to be the same actor that targeted FileZilla users in March 2026, employing similar tactics, techniques, and procedures (TTPs). The focus on popular utilities suggests a strategy aimed at maximizing the number of potential victims and the value of stolen data.
The observed behaviour maps to the following MITRE ATT&CK techniques: T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain), T1204.002 (User Execution: Malicious File), T1036.005 (Masquerading: Match Legitimate Name or Location, covering both the fake CRYPTBASE.dll and the HWiNFO-themed filename), T1027 (Obfuscated Files or Information), T1059.001 (Command and Scripting Interpreter: PowerShell), T1055 (Process Injection), T1071 (Application Layer Protocol), T1105 (Ingress Tool Transfer), and T1555.003 (Credentials from Password Stores: Credentials from Web Browsers). Note that the published analysis describes browser credential theft only, so there is no evidence of OS credential dumping (T1003), and that proxying NTDLL calls from a .NET assembly is an API-level evasion rather than signed-binary proxy execution (T1218). The combination of in-memory execution, process injection, and credential theft shows a clear understanding of modern defensive tooling.
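As an added example (not code from CPUID or from the cited reporting), the following Python script runs the hunting logic implied by this mapping over a handful of constructed Sysmon-style events: execution of the trojanized installer, a cryptbase.dll loaded from outside the Windows system directories, PowerShell spawned by the installer, CreateRemoteThread from that PowerShell, and DNS lookups for Cloudflare R2 hostnames. The event records, the Inno Setup temp path, and the R2 hostname suffixes are assumptions for illustration; the reporting names only "Cloudflare R2" and does not publish the exact host.

```python
"""Hunt for the CPUID/HWMonitor infection chain in Sysmon-style events.

Added example; the events below are constructed, not real telemetry.
"""
import json
from dataclasses import dataclass
from pathlib import PureWindowsPath

INSTALLER_NAME = "hwinfo_monitor_setup.exe"  # filename reported for the trojanized installer
SYSTEM_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Assumed suffixes for Cloudflare R2 hosting (public buckets on r2.dev, the
# S3-style endpoint on r2.cloudflarestorage.com); the exact host is not published.
R2_SUFFIXES = (".r2.dev", ".r2.cloudflarestorage.com")
INJECTION_SOURCES = {INSTALLER_NAME, "powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str  # MITRE ATT&CK technique the rule evidences
    detail: str


def _base(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_system_dir(path: str) -> bool:
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in SYSTEM_DLL_DIRS)


def load_events(jsonl: str) -> list:
    """Parse one JSON object per line (the shape of a Sysmon JSON export)."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def triage(events) -> list:
    """Return one Finding per event that matches a rule."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        image = _base(ev.get("Image", ""))
        if eid == 1:  # process creation
            if image == INSTALLER_NAME:
                findings.append(Finding("installer_executed", "T1204.002", ev["Image"]))
            if _base(ev.get("ParentImage", "")) == INSTALLER_NAME and image in ("powershell.exe", "pwsh.exe"):
                findings.append(Finding("installer_spawned_powershell", "T1059.001", ev.get("CommandLine", "")))
        elif eid == 7:  # image load: the fake cryptbase.dll lives outside the system directories
            loaded = ev.get("ImageLoaded", "")
            if _base(loaded) == "cryptbase.dll" and not _in_system_dir(loaded):
                findings.append(Finding("cryptbase_sideload", "T1036.005", loaded))
        elif eid == 8:  # CreateRemoteThread from a stage of the chain into another process
            src, dst = ev.get("SourceImage", ""), ev.get("TargetImage", "")
            if _base(src) in INJECTION_SOURCES:
                findings.append(Finding("remote_thread_injection", "T1055", f"{src} -> {dst}"))
        elif eid == 22:  # DNS query for the hosting that served the payload
            name = ev.get("QueryName", "").lower().rstrip(".")
            if name.endswith(R2_SUFFIXES):
                findings.append(Finding("r2_hosting_lookup", "T1105", name))
    return findings


# Constructed sample: one benign cryptbase.dll load and one benign DNS query
# are included to show that the rules do not fire on them.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Users\\alice\\Downloads\\HWiNFO_Monitor_Setup.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "HWiNFO_Monitor_Setup.exe"}
{"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\HWiNFO_Monitor_Setup.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\is-ABC12.tmp\\CRYPTBASE.dll"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\cryptbase.dll"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Users\\alice\\Downloads\\HWiNFO_Monitor_Setup.exe", "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEA"}
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetImage": "C:\\Windows\\explorer.exe"}
{"EventID": 22, "Image": "C:\\Users\\alice\\Downloads\\HWiNFO_Monitor_Setup.exe", "QueryName": "pub-0123456789abcdef.r2.dev"}
{"EventID": 22, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "QueryName": "www.cpuid.com"}
"""

if __name__ == "__main__":
    for f in triage(load_events(SAMPLE_EVENTS)):
        print(f"[{f.technique}] {f.rule}: {f.detail}")
```

Against the sample the script reports five findings and stays silent on the System32 cryptbase.dll load and the cpuid.com lookup. Feeding it a real Sysmon JSON export works unchanged; the rules are deliberately narrow (installer name, DLL name outside system directories, injection only from the chain's known stages) so they can be run fleet-wide without drowning in noise.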
No evidence was found of law enforcement or regulatory filings related to this incident as of the reporting dates. The attack underscores the importance of securing not only software development processes but also all components of the software distribution chain, including APIs and backend infrastructure.
Affected Versions & Timeline
The compromise affected users who attempted to download CPU-Z or HWMonitor from the official CPUID website during a six-hour window between April 9 and April 10, 2026. The malicious download links were active only during this period. The original, signed binaries for both tools were not altered or compromised; only the download links were manipulated to serve the trojanized installer.
CPUID has confirmed that the breach was discovered and remediated on April 10, 2026. Clean versions of both CPU-Z and HWMonitor are now being served from the official website. Users who downloaded these tools outside the affected window or via direct URLs to the original binaries were not impacted.
Threat Activity
The threat actor behind this attack demonstrated a high level of technical capability, focusing on supply chain compromise as the initial access vector. By targeting a secondary API or backend feature, the attackers were able to alter download links without needing to compromise the software build or signing process. This approach allowed them to distribute a trojanized installer to a large user base, including both consumers and enterprises.
The malware delivered via the compromised download links was multi-staged and operated primarily in-memory, making it difficult to detect and analyze. The use of a fake CRYPTBASE.dll enabled the malware to communicate with a remote C2 server, from which it downloaded additional payloads. The final payload was a .NET-based infostealer, designed to extract browser credentials and potentially other sensitive information from infected systems.
The compromise took place while CPUID's main developer was on holiday, which may have delayed detection and response. The same threat group is believed to have conducted a similar campaign against FileZilla users in March 2026, indicating a pattern of targeting widely used utilities to maximize impact.
The malware's evasion techniques included file masquerading, in-memory execution, process injection, and the use of legitimate-looking DLLs. These methods defeated many traditional controls at the point of delivery; most affected users noticed only when an antivirus alert fired on the download or when the installer behaved unexpectedly, showing a Russian-language Inno Setup wizard instead of the familiar CPUID installer.
The campaign's linkage to previous attacks on FileZilla is supported by similarities in TTPs, infrastructure, and malware behavior. However, no specific threat actor has been publicly identified in the available sources.
Mitigation & Workarounds
The following mitigation steps are prioritized by severity:
Critical: Organizations and individuals who downloaded CPU-Z or HWMonitor from the official CPUID website between April 9 and April 10, 2026, should assume compromise until proven otherwise. Two quick triage cues: the downloaded file is named HWiNFO_Monitor_Setup.exe rather than a CPU-Z or HWMonitor installer, and running it shows a Russian-language Inno Setup wizard. Systems on which the trojanized installer was executed should be isolated from the network and subjected to a full forensic investigation, including a memory capture since the later stages ran in memory, to identify and remediate any persistence or credential theft.
High: All credentials used on potentially compromised systems, especially browser-stored passwords and system credentials, should be treated as exposed and changed, and active sessions for those accounts should be revoked, since a stealer that reaches the browser password store commonly takes session cookies as well, and a stolen session bypasses multi-factor authentication (MFA). MFA should be enforced wherever possible to limit the value of any credentials that were taken.
High: Endpoint detection and response (EDR) solutions should be updated with the latest threat intelligence and signatures for this campaign. Security teams should review telemetry for PowerShell spawned by an installer, cryptbase.dll loaded from a user-writable directory, remote thread creation into other processes, and connections to the Cloudflare R2 storage that served the file.
Medium: Users should verify the Authenticode signature of a downloaded installer (Get-AuthenticodeSignature in PowerShell, or the Digital Signatures tab in the file's properties) and confirm that the signer is the expected publisher, here CPUID; a missing signature, or a valid signature from an unrelated publisher, is a red flag. The legitimate CPU-Z and HWMonitor binaries are signed, so an unsigned installer obtained from the site is not genuine. Organizations should implement software allowlisting and restrict the execution of unsigned or untrusted binaries.
Medium: Review and secure all components of the software distribution chain, including APIs, backend features, and storage services. Regularly audit access controls and monitor for unauthorized changes to download links or distribution mechanisms.
Low: Provide user awareness training on the risks of supply chain attacks and the importance of verifying software authenticity before installation.
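As an added example (not CPUID's own tooling) of the distribution-side monitoring recommended above, the Python script below audits the download links on a page against an allowed host set and per-product filename prefixes, so that a link swap like the one in this incident is caught on the next scheduled check. The page snippet is constructed, and the allowed hosts and filename prefixes are assumed configuration, not CPUID's real layout.

```python
"""Audit a download page's links for distribution tampering.

Added example with constructed input; the allowlist and filename prefixes
are assumptions, not CPUID's real configuration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: hosts that may serve CPUID downloads, and the filename prefix
# an installer for each product is expected to carry.
ALLOWED_HOSTS = {"www.cpuid.com", "download.cpuid.com"}
EXPECTED_PREFIX = {"cpu-z": "cpu-z_", "hwmonitor": "hwmonitor_"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def audit_links(html, allowed_hosts=ALLOWED_HOSTS, expected=EXPECTED_PREFIX):
    """Return (rule, href) pairs for links that fail either check.

    off_site_host:       absolute link whose host is not in the allowlist
                         (relative links are treated as same-site).
    unexpected_filename: anchor text names a product but the linked file
                         does not carry that product's filename prefix.
    """
    parser = _LinkCollector()
    parser.feed(html)
    problems = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        filename = parts.path.rsplit("/", 1)[-1].lower()
        if host and host not in allowed_hosts:
            problems.append(("off_site_host", href))
        for product, prefix in expected.items():
            if product in text.lower() and not filename.startswith(prefix):
                problems.append(("unexpected_filename", href))
    return problems


# Constructed snapshot of a download page: the CPU-Z link and the relative
# HWMonitor zip link are as expected; the HWMonitor setup link has been
# swapped for an off-site object-storage URL serving a differently named file.
SAMPLE_PAGE = """
<ul>
  <li><a href="https://download.cpuid.com/cpu-z/cpu-z_setup-en.exe">CPU-Z (setup, English)</a></li>
  <li><a href="/hwmonitor/hwmonitor_portable.zip">HWMonitor (zip, portable)</a></li>
  <li><a href="https://pub-0123456789abcdef.r2.dev/HWiNFO_Monitor_Setup.exe">HWMonitor (setup)</a></li>
</ul>
"""

if __name__ == "__main__":
    for rule, href in audit_links(SAMPLE_PAGE):
        print(f"{rule}: {href}")
```

Run against the sample, the swapped link is reported twice (off-site host and unexpected filename) and the two legitimate links pass. In production the HTML would come from a periodic fetch of the live download page (urllib.request.urlopen is enough) from a host outside the web tier, so that a compromise of the site's own backend cannot also silence the check; alerting on any change to the link set, not only on allowlist failures, catches cases the prefix rules were not written for.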
References
BleepingComputer: https://www.bleepingcomputer.com/news/security/supply-chain-attack-at-cpuid-pushes-malware-with-cpu-z-hwmonitor/ (April 10, 2026)
The Register: https://www.theregister.com/2026/04/10/cpuid_site_hijacked/ (April 10, 2026)
PC Gamer: https://www.pcgamer.com/software/security/cpuids-download-page-has-been-hacked-with-its-popular-processor-and-pc-info-tools-replaced-with-links-to-files-containing-malware/ (April 10, 2026)
About Rescana
Rescana provides a third-party risk management (TPRM) platform that enables organizations to continuously monitor and assess the security posture of their software supply chain and vendor ecosystem. Our platform delivers actionable insights into vendor risks, supports rapid incident response, and helps organizations identify and mitigate vulnerabilities in software distribution channels. For questions regarding this incident or to discuss how to strengthen your supply chain security, contact us at ops@rescana.com.