Hackers poison CPUID downloads, deliver malware to CPU-Z and HWMonitor users

Threat actors have compromised an API for the CPUID project and modified download links to serve malware for the CPU-Z and HWMonitor utilities.

According to user reports and cybersecurity researchers, the attackers gained access to a secondary API used by CPUID’s website and altered its responses so that some visitors were redirected to files hosted on Cloudflare R2. Those files were trojanized installers disguised as the legitimate utilities.

The incident came to light after users reported on Reddit that the site was serving a suspicious file named “HWiNFO_Monitor_Setup”. When run, the file launched a Russian-language Inno Setup installer, which is not how CPUID packages its software. The direct download links to the original files, such as hwmonitor_1.63.exe, were unaffected.

Independent analysis by security researchers confirmed that the download delivered a multi-stage malware loader. The loader runs largely in memory, masquerades its files as legitimate ones, and proxies calls to system-level functions through a .NET assembly in an attempt to evade detection.

CPUID has confirmed the breach, saying that the compromise stemmed from a “secondary feature” within its infrastructure, which caused the website to serve malicious links. The company said that its digitally signed original executables were not altered.

“Investigations are still ongoing, but it appears that a secondary feature (basically a side API) was compromised for approximately six hours between April 9 and April 10, causing the main website to randomly display malicious links (our signed original files were not compromised). The breach was found and has since been fixed,” the post said.

The breach affected CPU-Z 2.19, HWMonitor 1.63, HWMonitor Pro 1.57 and PerfMonitor 2.04. The malicious packages reportedly bundled the legitimate, signed executable with a rogue DLL named “CRYPTBASE.dll” placed in the same directory, the standard DLL-sideloading trick: the Windows loader searches the application directory before the system directory, so the executable picks up the attacker’s DLL instead of the Windows one. Because the executable itself is untouched, its Authenticode signature still verifies. The DLL performed anti-sandbox checks, then established command-and-control communication and executed additional payloads.
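The practical consequence of the sideloading design above is that checking the installer’s signature is not enough: the signed CPUID executable passes, and the malicious component is the unsigned DLL sitting next to it. The following PowerShell hunt is an added example written for this article, not code from CPUID or from the researchers who analysed the campaign. It looks for copies of cryptbase.dll outside the Windows directory, compares their hashes with the genuine system copies, checks their signature, and lists the signed executables sharing their folder (the likely sideloading hosts). The scan roots in $Roots are assumptions; adjust them to where your users save downloads.

```powershell
# Added example (not CPUID's code): hunt for a cryptbase.dll sideloading setup.
# $Roots and the DLL name are assumptions; adjust them for your environment.
param(
    [string[]]$Roots = @(
        "$env:USERPROFILE\Downloads",
        "$env:ProgramFiles",
        "${env:ProgramFiles(x86)}",
        "$env:LOCALAPPDATA",
        "$env:TEMP"
    ),
    [string]$DllName = 'cryptbase.dll'
)

# Hashes of the genuine copies shipped with Windows. A loader that finds a
# same-named DLL in the application directory uses it before these.
$reference = @("$env:SystemRoot\System32\$DllName", "$env:SystemRoot\SysWOW64\$DllName") |
    Where-Object { Test-Path $_ } |
    ForEach-Object { (Get-FileHash -Path $_ -Algorithm SHA256).Hash }

$findings = foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter $DllName -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notlike "$env:SystemRoot\*" } |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName

            # Any executable in the same folder is a candidate sideloading host;
            # record its signature status so a validly signed host is visible too.
            $neighbours = Get-ChildItem -Path $_.DirectoryName -Filter '*.exe' -File -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $s = Get-AuthenticodeSignature -FilePath $_.FullName
                    '{0} [{1}: {2}]' -f $_.Name, $s.Status, $s.SignerCertificate.Subject
                }

            [pscustomobject]@{
                Path           = $_.FullName
                SHA256         = $hash
                MatchesWindows = ($reference -contains $hash)   # $false => not the system DLL
                DllSignature   = $sig.Status                    # rogue copies are typically NotSigned
                DllSigner      = $sig.SignerCertificate.Subject
                ExeNeighbours  = ($neighbours -join '; ')
            }
        }
}

if ($findings) {
    $findings | Format-List
} else {
    "No copies of $DllName found outside $env:SystemRoot under the scanned roots."
}
```

A result with MatchesWindows set to $false, DllSignature other than Valid, and a validly signed CPUID executable listed under ExeNeighbours is exactly the layout this campaign relied on. The same script can be pointed at the extracted contents of a suspect installer (extract it to a scratch directory and pass that path in $Roots) before anything in it is executed.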

The final payload was the STX remote access trojan, which is built to steal sensitive information. Researchers linked the infrastructure used in the attack to an earlier campaign that distributed fake FileZilla downloads.

More than 150 users are believed to have downloaded the compromised files, including individuals and organizations across sectors such as retail, manufacturing, telecommunications, and agriculture, particularly in Brazil, Russia, and China.
