CPUID website briefly served malware in place of HWMonitor and CPU‑Z downloads
What happened
It has been reported that visitors to CPUID's site were briefly fed malicious installers this week, with trusted download links for tools such as HWMonitor and CPU‑Z pointing at dodgy files instead of the expected releases. Users on Reddit and elsewhere raised the alarm after installers tripped antivirus engines or showed up under odd names — one HWMonitor 1.63 link reportedly led to a file called "HWiNFO_Monitor_Setup.exe." CPUID has said the incident was caused by a compromised secondary backend feature and not by tampering with signed builds: "our signed original files were not compromised," the company posted.
How the malware allegedly worked
Analysis shared by vx‑underground says the malicious installer targeted 64‑bit HWMonitor users and dropped a fake CRYPTBASE.dll designed to blend in with legitimate Windows components. From there the code allegedly reached out to command‑and‑control servers, leaned on PowerShell to stay largely in memory, compiled a .NET payload on the host, and injected it into other processes — classic fileless tricks. Researchers also saw behavior consistent with credential theft: the malware was observed interacting with Chrome's IElevation COM interface, a method that can expose stored credentials. The same analysis allegedly links the infrastructure to earlier campaigns, including one that targeted FileZilla users.
Scope, response and the trust problem
CPUID says the compromised side‑API was active for roughly six hours between April 9 and April 10 and that the flaw has been fixed. It has been reported that the original files remained signed and the build pipeline was not accessed — small comfort if you clicked a swapped link and pulled whatever it pointed to. How many people actually downloaded the malicious payload? That remains unclear. But the emotional punch is real: a long‑trusted source suddenly turns into a roulette wheel. Supply‑chain and distribution‑stage attacks have been the industry’s scarlet letter since SolarWinds — and this is another reminder that attackers don't need to touch your code to wreck your day.
What to do now
If you downloaded CPUID tools during the window, re‑download them from the site now that CPUID says the issue is fixed, and verify signatures or checksums where possible. Run a full system scan with an up‑to‑date AV and consider changing passwords for any accounts accessed from the affected machine. Vigilance isn't glamorous, but right now it’s the only thing standing between you and the next clever detour.
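One way to do that verification on Windows, as an added example that is not CPUID's own tooling: check that the installer's Authenticode signature actually validates, that the signer is the publisher you expect, and optionally that its SHA‑256 matches a hash published out‑of‑band. The publisher string and hash below are placeholders you fill in from the vendor's own published values.

```powershell
# Added example (not CPUID's code): vet a downloaded installer before running it.
# $ExpectedPublisher and $ExpectedSha256 are PLACEHOLDERS to be filled from the
# vendor's published signing identity and checksum; none of them come from the article.
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher,  # substring of the signer's CN
        [string] $ExpectedSha256                              # optional vendor-published hash
    )
    $result = [ordered]@{ Path = $Path; SignatureOk = $false; PublisherOk = $false; Verdict = 'REJECT' }

    # 1. Authenticode: require Status -eq Valid. A swapped file with no signature, a
    #    broken chain, or a self-signed cert shows up as NotSigned / UnknownError here.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureStatus = $sig.Status.ToString()
    $result.SignatureOk = ($sig.Status -eq 'Valid')

    # 2. Signer identity: a technically valid signature from a different publisher is
    #    still a red flag (e.g. an installer whose name does not match the vendor's).
    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
        $result.PublisherOk = ($sig.SignerCertificate.Subject -like "*$ExpectedPublisher*")
    }

    # 3. Optional hash pin: compare against a value obtained from a separate channel,
    #    never from the same page that served the download.
    $hashOk = $true
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        $result.Sha256 = $actual
        $hashOk = ($actual -ieq $ExpectedSha256)
        $result.HashOk = $hashOk
    }

    if ($result.SignatureOk -and $result.PublisherOk -and $hashOk) { $result.Verdict = 'ACCEPT' }
    [pscustomobject]$result
}

# Usage: path, publisher and hash are placeholders; anything other than ACCEPT means do not run it.
Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\hwmonitor_setup.exe" `
    -ExpectedPublisher 'PLACEHOLDER_VENDOR_CN' -ExpectedSha256 'PLACEHOLDER_SHA256'
```

The check is deliberately AND‑ed: a file that passes the hash but fails the signature (or vice versa) is rejected, since either mismatch is exactly the symptom a swapped download link produces.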
Sources: The Register