
If you downloaded CPU-Z or HWMonitor from cpuid.com between April 9 and 10, 2026, you may have gotten far more than a hardware monitoring tool.
The website of CPUID — the French developer behind the widely used hardware diagnostics tools CPU-Z and HWMonitor — was breached by unknown attackers, and visitors who tried to download these tools were instead served a malware-laced installer.
CPUID has since confirmed the breach, blaming a compromised backend API component rather than its core software builds. "It appears that a secondary feature — basically a side API — was compromised for approximately six hours between April 9 and April 10, causing the main website to randomly display malicious links," founder Samuel Demeulemeester said on X.
The red flags surfaced fast. The issue first appeared through user reports on Reddit, where someone attempting to update HWMonitor to version 1.63 was redirected from the official CPUID site to a suspicious file named HWiNFO_Monitor_Setup.exe — a completely different product from a different developer. The installers also launched in Russian and triggered immediate Windows Defender alerts — sloppy tells that helped limit the blast radius.
Under the hood, the malware was anything but sloppy. According to vx-underground, the threat is "deeply trojanized, multi-staged, operates almost entirely in-memory, and uses interesting methods to evade EDRs and antivirus systems."
The payload drops a rogue CRYPTBASE.dll — a DLL sideloading technique that hijacks a legitimate Windows component name — to establish persistence and connect back to a command-and-control server. The primary goal appears to have been credential theft, with the malware actively probing Google Chrome's IElevation COM interface to dump and decrypt saved passwords.
This attack doesn't exist in isolation. The C2 infrastructure at supp0v3[.]com was also used in a March 2026 campaign distributing trojanized FileZilla installers, reported by Malwarebytes — the same threat actor, recycling the same playbook.
According to Kaspersky's KEDR team, the final-stage RAT used is the known "STX RAT," flagged by eSentire, and fully detectable by existing YARA rules. More than 150 victims were identified, including individuals and organizations across retail, manufacturing, telecoms, and agriculture, with most infections concentrated in Brazil, Russia, and China.
CPUID has since fixed the problem and appears to be serving clean versions of both CPU-Z and HWMonitor. But if you downloaded either tool on April 9 or 10, treat your system as potentially compromised.
What to do now:
- Scan your system immediately if you downloaded CPU-Z, HWMonitor, HWMonitor Pro, or PerfMonitor 2 from cpuid.com during the window.
- Check DNS logs for connections to supp0v3[.]com, cahayailmukreatif.web[.]id, transitopalermo[.]com, or vatrobran[.]hr.
- Rotate any browser-saved passwords — Chrome credentials were the specific target.
- Re-download only from cpuid.com after verifying file hashes against CPUID's official checksums.
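As an added example (not code from the article, CPUID, or any of the researchers cited), here is a small Python checker that applies the DNS-log step above: it refangs the four domains listed in this article and flags any query for them or their subdomains while ignoring look-alike names. The BIND-style query-log format and the sample log lines are assumptions constructed for the demonstration.

```python
import re
from typing import List, Optional, Tuple
# The four defanged domains named in the article's DNS-check advice.
IOC_DOMAINS_DEFANGED = [
    "supp0v3[.]com",
    "cahayailmukreatif.web[.]id",
    "transitopalermo[.]com",
    "vatrobran[.]hr",
]

def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'supp0v3[.]com' into 'supp0v3.com'."""
    return domain.replace("[.]", ".").lower().rstrip(".")
IOC_DOMAINS = [refang(d) for d in IOC_DOMAINS_DEFANGED]

def matches_ioc(queried_name: str) -> Optional[str]:
    """Return the indicator that queried_name equals or is a subdomain of, else None.
    Matching on a label boundary avoids flagging look-alikes such as 'notsupp0v3.com'."""
    name = queried_name.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None

# Assumed log shape (hypothetical): a BIND-style query log, one query per line.
QUERY_RE = re.compile(
    r"client\s+(?P<client>[\d.]+)#\d+.*?query:\s+(?P<qname>\S+)\s+IN\s+(?P<qtype>\S+)"
)
def scan_dns_log(lines) -> List[Tuple[str, str, str]]:
    """Return (client_ip, queried_name, matched_ioc) for each query hitting an IOC."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            ioc = matches_ioc(m.group("qname"))
            if ioc:
                hits.append((m.group("client"), m.group("qname"), ioc))
    return hits

# Constructed sample lines (not real telemetry): a direct hit, a clean query,
# a subdomain hit and a look-alike that must not match.
SAMPLE_LOG = """\
09-Apr-2026 14:02:11.123 client 10.0.0.5#53211: query: supp0v3.com IN A + (10.0.0.2)
09-Apr-2026 14:02:12.004 client 10.0.0.6#40122: query: www.cpuid.com IN A + (10.0.0.2)
09-Apr-2026 14:02:13.550 client 10.0.0.7#51000: query: files.vatrobran.hr IN A + (10.0.0.2)
09-Apr-2026 14:02:14.001 client 10.0.0.8#49999: query: notsupp0v3.com IN A + (10.0.0.2)
"""

for client, qname, ioc in scan_dns_log(SAMPLE_LOG.splitlines()):
    print(f"{client} queried {qname} (matches {ioc})")
```

Point `scan_dns_log` at your resolver's real query log (adjusting `QUERY_RE` to its format) and every hit is a host to isolate and scan.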