CPUID hacked to deliver malware via CPU-Z, HWMonitor downloads

Published: (April 10, 2026 at 09:12 AM EDT)

Source: Bleeping Computer


Incident Overview

Hackers gained access to an API for the CPUID project and altered the download links on the official website. The compromised links now serve malicious executables for the popular CPU‑Z and HWMonitor utilities, which have millions of users relying on them for hardware health monitoring and system specifications.

Reddit users reported that the official download portal now points to the Cloudflare R2 storage service and fetches a trojanized version of HWiNFO, another diagnostic and monitoring tool from a different developer.


Malicious Payload

  • The malicious file is named HWiNFO_Monitor_Setup.
  • Running it launches a Russian installer wrapped with Inno Setup, which is atypical and highly suspicious.
  • Users noted that the clean hwmonitor_1.63.exe could still be downloaded directly, indicating that the original binaries remain intact while the distribution links were poisoned.
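As an added illustration (not code from the article, from CPUID, or from the researchers quoted), a defender-side check a vendor can run against a snapshot of its own download page: flag any installer link whose host has left the vendor's domain or whose filename is not in the last known-good set. The cpuid.com domain and hwmonitor_1.63.exe come from the article; the r2.dev bucket name, the .zip extension on the trojanized file, and the page HTML are constructed.

```python
import re
from urllib.parse import urlparse

# Domain the vendor's own download links are expected to stay under (the article
# names cpuid.com). Any other host is a red flag for download-link poisoning.
ALLOWED_DOMAIN = "cpuid.com"

# Filenames the download page legitimately offers. hwmonitor_1.63.exe is named in
# the article; a real monitor would load this set from the last known-good crawl.
EXPECTED_FILES = {"hwmonitor_1.63.exe"}

# Only links to installer-like artifacts are audited; other hrefs are page navigation.
DOWNLOAD_EXT = (".exe", ".zip", ".msi")

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def host_allowed(host: str, domain: str = ALLOWED_DOMAIN) -> bool:
    """True only for the domain itself or a proper subdomain (not e.g. evilcpuid.com)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def audit_download_links(html: str) -> list[tuple[str, str]]:
    """Return (url, reason) for every installer link that drifted from known-good."""
    findings = []
    for url in HREF_RE.findall(html):
        parsed = urlparse(url)
        filename = parsed.path.rsplit("/", 1)[-1]
        if not filename.lower().endswith(DOWNLOAD_EXT):
            continue
        if parsed.scheme != "https":
            findings.append((url, "non-https download link"))
        if not host_allowed(parsed.netloc):
            findings.append((url, f"off-domain host {parsed.netloc}"))
        if filename not in EXPECTED_FILES:
            findings.append((url, f"unexpected filename {filename}"))
    return findings


# Constructed snapshot of a download page: one legitimate link and one poisoned link
# pointing at object storage under a different domain (the r2.dev bucket name is made up).
SAMPLE_HTML = """
<a href="https://www.cpuid.com/softwares/hwmonitor.html">HWMonitor page</a>
<a href="https://www.cpuid.com/downloads/hwmonitor/hwmonitor_1.63.exe">HWMonitor</a>
<a href="https://pub-0123456789abcdef.r2.dev/HWiNFO_Monitor_Setup.zip">HWMonitor</a>
"""

if __name__ == "__main__":
    for url, reason in audit_download_links(SAMPLE_HTML):
        print(f"ALERT {reason}: {url}")
```

Run as a scheduled job against the live page, every finding is an alert; in the incident described above, the first alert would have fired the moment the compromised API started emitting R2 links.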

The redirected download chain was confirmed by Igor’s Labs and @vxunderground, who identified a fairly advanced loader employing known tactics, techniques, and procedures (TTPs).

“As I began poking this with a stick, I discovered this is not your typical run‑of‑the‑mill malware.” – vxunderground

“This malware is deeply trojanized, distributes from a compromised domain (cpuid‑dot‑com), performs file masquerading, is multi‑staged, operates (almost) entirely in‑memory, and uses some interesting methods to evade EDRs and/or AVs such as proxying NTDLL functionality from a .NET assembly.”


The researcher also noted that the same threat group targeted users of the FileZilla FTP solution last month, suggesting a focus on widely used utilities. The downloaded ZIP is flagged by 20 antivirus engines on VirusTotal, though it lacks a clear identification. Some classify it as Tedy Trojan, others as Artemis Trojan, and several researchers label the fake HWiNFO variant as an infostealer.

Response from CPUID

BleepingComputer contacted CPUID for details. A spokesperson provided the following statement:

“Investigations are still ongoing, but it appears that a secondary feature (basically a side API) was compromised for approximately six hours between April 9 and April 10, causing the main website to randomly display malicious links (our signed original files were not compromised). The breach was found and has since been fixed.” – CPUID

The source indicated that the hackers struck while the main developer was away on holiday. CPUID has now fixed the problem and is serving clean versions for both CPU‑Z and HWMonitor.
