Supply chain attack at CPUID pushes malware with CPU-Z/HWMonitor
CPUID API compromised; malicious CPU-Z/HWMonitor downloads served for ~6 hours.
Summary
Attackers compromised a secondary API of CPUID and poisoned download links on the official website to serve trojanized versions of the CPU-Z and HWMonitor tools. The malware, a multi-staged in-memory loader with EDR evasion techniques, was distributed for approximately six hours on April 9–10, 2026, before CPUID detected and remediated the issue. The same threat group is suspected of targeting FileZilla users the previous month, indicating a pattern of targeting widely used utilities.
Full text
By Bill Toulas, April 10, 2026 09:12 AM

Hackers gained access to an API for the CPUID project and changed the download links on the official website to serve malicious executables for the popular CPU-Z and HWMonitor tools.

The two utilities have millions of users who rely on them for tracking the physical health of internal computer hardware and for comprehensive specifications of a system.

Users who downloaded either tool reported on Reddit recently that the official download portal points to the Cloudflare R2 storage service and fetches a trojanized version of HWiNFO, another diagnostic and monitoring tool from a different developer.

The name of the malicious file is HWiNFO_Monitor_Setup, and running it launches a Russian installer with an Inno Setup wrapper, which is atypical and highly suspicious.

Users reported that downloading the clean hwmonitor_1.63.exe from the direct URL was still possible, indicating that the original binaries were intact, but the distribution links appear to have been poisoned.

The externalized download chain was also confirmed by Igor’s Labs and @vxunderground, who reported that a fairly advanced loader using known techniques, tactics, and procedures (TTPs) is involved.

“As I began poking this with a stick, I discovered this is not your typical run-of-the-mill malware,” stated vxunderground. “This malware is deeply trojanized, distributes from a compromised domain (cpuid-dot-com), performs file masquerading, is multi-staged, operates (almost) entirely in-memory, and uses some interesting methods to evade EDRs and/or AVs such as proxying NTDLL functionality from a .NET assembly.”

The researcher claims that the same threat group targeted users of the FileZilla FTP solution last month, suggesting that the attacker is focusing on widely used utilities.

The downloaded ZIP is flagged by 20 antivirus engines on VirusTotal, although not clearly identified.
Some classify it as Tedy Trojan, and others as Artemis Trojan. Some researchers on VirusTotal say that the fake HWiNFO variant is an infostealer malware.

BleepingComputer has contacted CPUID to learn more about what happened, the date of the compromise, the affected versions, and what impacted users should do. A spokesperson has pr

"Investigations are still ongoing, but it appears that a secondary feature (basically a side API) was compromised for approximately six hours between April 9 and April 10, causing the main website to randomly display malicious links (our signed original files were not compromised). The breach was found and has since been fixed." - CPUID

The same person told us that the hackers hit them at a time when the main developer was away on holiday.

Currently, it appears that CPUID has fixed the problem and now serves clean versions for both CPU-Z and HWMonitor.
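A defender-side triage check for download telemetry, added here as an example (it is not CPUID's, BleepingComputer's or the researchers' code). It flags what the reports above describe: a download that resolves off the vendor's own domain, a served filename that differs from the expected one, an archive where an installer was expected, and a hash that differs from a vendor-published value. The vendor domain, URLs, file bytes and hash are constructed assumptions, not values from the incident.

```python
import hashlib
from urllib.parse import urlparse

# Assumption: the vendor's own download domain. The page names cpuid.com as the
# compromised site; any other host reached after redirects is treated as
# off-vendor (the poisoned links pointed at Cloudflare R2 storage).
VENDOR_DOMAIN = "cpuid.com"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def assess_download(expected_name: str, final_url: str, content: bytes,
                    vendor_sha256: str = "") -> list[str]:
    """Return a list of findings for one download event; empty means nothing odd."""
    findings = []
    host = (urlparse(final_url).hostname or "").lower()
    if host != VENDOR_DOMAIN and not host.endswith("." + VENDOR_DOMAIN):
        findings.append(f"served from off-vendor host: {host}")
    served_name = urlparse(final_url).path.rsplit("/", 1)[-1]
    if served_name.lower() != expected_name.lower():
        findings.append(f"filename mismatch: expected {expected_name}, got {served_name}")
    if content[:2] == b"PK":          # ZIP magic: an archive, not the installer
        findings.append("payload is a ZIP archive, not the expected installer")
    elif content[:2] != b"MZ":        # PE magic: what a Windows installer starts with
        findings.append("payload is not a PE executable")
    if vendor_sha256 and sha256_hex(content) != vendor_sha256.lower():
        findings.append("sha256 differs from the vendor-published hash")
    return findings

# Constructed sample events (not real captures). The clean one stands in for the
# direct download of hwmonitor_1.63.exe; the poisoned one mimics the redirect to
# an R2 bucket (account id is a placeholder) serving HWiNFO_Monitor_Setup.
CLEAN_BYTES = b"MZ\x90\x00" + b"\x00" * 60       # stand-in PE header
POISONED_BYTES = b"PK\x03\x04" + b"\x00" * 60    # stand-in ZIP header
CLEAN_EVENT = ("hwmonitor_1.63.exe",
               "https://www.cpuid.com/downloads/hwmonitor/hwmonitor_1.63.exe",
               CLEAN_BYTES, sha256_hex(CLEAN_BYTES))
POISONED_EVENT = ("hwmonitor_1.63.exe",
                  "https://ACCOUNT-ID-PLACEHOLDER.r2.cloudflarestorage.com/HWiNFO_Monitor_Setup.zip",
                  POISONED_BYTES, sha256_hex(CLEAN_BYTES))

def triage_samples() -> dict:
    """Run the check over both constructed events and return the findings."""
    return {"clean": assess_download(*CLEAN_EVENT),
            "poisoned": assess_download(*POISONED_EVENT)}

if __name__ == "__main__":
    for label, findings in triage_samples().items():
        print(label, findings or ["no findings"])
```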
Indicators of Compromise
- malware — Tedy Trojan
- malware — Artemis Trojan
- domain — cpuid.com
- malware — HWiNFO_Monitor_Setup