
Analyzing CPUID supply chain attack on HWMonitor & CPU-Z
On April 9-10, 2026, CPUID.com was breached for six hours, serving trojanized HWMonitor 1.63 and CPU-Z 2.19 downloads. Full breakdown and user protection steps.
Between the late hours of April 9 and the early morning of April 10, 2026, users who downloaded CPU-Z or HWMonitor from the official CPUID website may have unknowingly installed a sophisticated credential-stealing trojan. The breach lasted approximately six hours - long enough to affect an unknown number of systems worldwide.
This was not a case of a shady third-party mirror or a phishing lookalike domain. The attack originated from cpuid.com itself, which is precisely what makes it so significant.
How the attack worked
CPUID's core application binaries and their digital signatures were never touched. Instead, attackers compromised a secondary API used by the website to serve download links. By manipulating that API, they were able to redirect users clicking legitimate download buttons to malicious payloads hosted elsewhere - without altering a single signed file on CPUID's own servers.
This is a textbook supply chain attack via delivery pipeline compromise. The trusted binary stayed clean; the path leading users to it was poisoned.
According to CPUID developer Samuel Demeulemeester, the timing was unfortunate: lead developer Franck Delattre was on leave when reports began surfacing, which may have contributed to a brief delay in detection. Once the team was alerted, they acted swiftly - the compromised API was flushed, the site was taken temporarily offline for remediation, and clean downloads were restored.
Which software was affected
The attack specifically targeted users downloading the then-current versions of two flagship CPUID tools:
- HWMonitor 1.63
- CPU-Z 2.19
Users who attempted to download either of these versions during the breach window were frequently redirected to a file named HWiNFO_Monitor_Setup.exe - a deliberate attempt to impersonate HWiNFO, a competing diagnostic utility from an entirely separate developer. The installer also presented Russian-language prompts, a jarring inconsistency for anyone expecting the standard English-localized CPUID interface.
What the malware actually does
Independent researchers at vx-underground and other security outfits conducted technical analysis on the captured samples. What they found was a multi-staged, memory-resident payload engineered for stealth.
The malware's primary objective is credential theft, with a particular focus on browser-stored login data - Chrome users being an obvious high-value target. Beyond initial data exfiltration, the threat establishes persistence and reaches back to its operators via a hardcoded command-and-control (C2) server, enabling the download of additional modules post-infection.
Key technical mechanisms identified include:
- DLL hijacking using a modified
CRYPTBASE.dllcompiled with the Zig programming language, enabling stealthy persistence without writing obvious files to disk - Memory-resident execution designed to evade traditional signature-based and disk-scanning EDR solutions
- C2 callback for second-stage payload delivery
At the time of discovery, VirusTotal detections hovered at 30-32 security vendors, with the threat classified under names including Tedy Trojan, Artemis Trojan, and associations with STX RAT.
Notably, the malware shares infrastructure similarities with the March 2026 FileZilla incident, suggesting possible overlap in threat actors or tooling.
Why this attack matters beyond CPUID
The standard advice in cybersecurity has long been simple: always download software from the official website. This incident directly undermines that assumption.
When attackers bypass binaries entirely and compromise the delivery mechanism - an API, a redirect layer, a CDN configuration - even the most cautious users following best practices can be infected. Digital signatures protect files. They don't protect the pipeline that delivers them.
For software vendors, this case is a reminder that security posture must extend to every component of the distribution chain: APIs, frontend redirect logic, CDN configurations, and authenticated backend access. A hardened binary sitting behind a vulnerable API is only as safe as that API.
For end users, it highlights the limits of source-based trust, and the growing importance of behavioral security tools that detect what software does at runtime - not just whether its hash matches a known-good signature.
What to do if you were affected
If you downloaded or installed HWMonitor 1.63 or CPU-Z 2.19 from cpuid.com between April 9 and April 10, 2026, your system should be treated as potentially compromised.
Simply deleting the installer is not sufficient. The malware's memory-resident design and DLL hijacking capability mean it may have already embedded itself into your system before you noticed anything was wrong.
Immediate steps to take:
- Run a full system scan using updated antivirus or anti-malware software - preferably one with behavioral detection capabilities, not signature-only scanning
- Change all critical passwords immediately - email, banking, cryptocurrency wallets, and any service storing sensitive data. Do this from a separate, clean device if possible
- Enable multi-factor authentication (MFA) on every account that supports it, without exception
- Audit your browser's saved credentials and consider revoking active sessions for sensitive services
For individuals handling sensitive professional, financial, or personal data, the security community's stronger recommendation is a full operating system reinstallation. This is the only reliable way to eliminate memory-resident components or modified system DLLs like the hijacked CRYPTBASE.dll.
Current status
CPUID has confirmed that cpuid.com is fully restored. All downloads currently available on the site have been verified as clean. The compromised API has been shut down, and the breach window is closed.
Users downloading CPU-Z or HWMonitor today are not at risk from this specific incident - though it remains good practice to verify installer hashes against any values officially published by CPUID.
Key takeaways
- Affected software: CPU-Z 2.19 and HWMonitor 1.63
- Attack vector: A secondary API on cpuid.com was compromised to redirect download links to malicious payloads - signed binaries were never modified
- Breach window: Approximately six hours, between April 9 and April 10, 2026
- Malware type: Memory-resident, multi-staged trojan designed to steal browser-stored credentials and evade EDR detection
- Persistence mechanism: DLL hijacking via a modified
CRYPTBASE.dllcompiled with Zig; hardcoded C2 server for second-stage payload delivery - Threat classification: Identified as Tedy Trojan, Artemis Trojan, and linked to STX RAT; detected by 30-32 vendors on VirusTotal at time of discovery
- Infrastructure overlap: Shares similarities with the March 2026 FileZilla supply chain attack
- Circumstantial factor: Lead developer Franck Delattre was reportedly on leave during the initial breach period
- Current status: cpuid.com has been fully remediated; all current downloads are verified clean
- Published 2026-04-11 15:29
- Modified 2026-05-20 02:20

