Analyzing CPUID supply chain attack on HWMonitor & CPU-Z
On April 9-10, 2026, CPUID.com was breached for six hours, serving trojanized HWMonitor 1.63 and CPU-Z 2.19 downloads. Full breakdown and user protection steps.
For over two decades, CPUID's CPU-Z and HWMonitor have been among the most trusted tools for hardware diagnostics, system information and real-time monitoring. On April 9-10, 2026, that long-standing trust was temporarily exploited when the official website cpuid.com served trojanized installers to users for approximately six hours.
The attackers did not tamper with the signed application binaries stored on CPUID's servers. Instead, they compromised a secondary API, which allowed them to redirect download links to malicious payloads. CPUID has since remediated the issue, and current downloads from the site are verified as clean.
Anatomy of the April 9-10 breach
According to CPUID developer Samuel Demeulemeester, the incident began in the late hours of April 9 and continued into the early morning of April 10. During this window, the main website intermittently displayed malicious download links instead of directing users to the legitimate server directories.
The timing coincided with the primary developer, Franck Delattre, being on leave, which may have contributed to a slight delay in initial detection. Once reports surfaced, the team acted quickly: the compromised API was flushed, the website was briefly taken offline for remediation, and clean distribution was restored.
Targeted software
The attack specifically affected the latest versions of CPUID's flagship products:
- HWMonitor 1.63
- CPU-Z 2.19
Users attempting to download these versions during the breach window were often redirected to a file named HWiNFO_Monitor_Setup.exe. This naming was an immediate red flag, as it referenced HWiNFO - a competing diagnostic utility from a different developer. Additionally, the installer displayed Russian-language prompts, unlike the standard English-localized versions from CPUID.
Technical analysis of the payload
Independent analysis by vx-underground and other researchers revealed a sophisticated, multi-staged malware designed for stealth and persistence. The payload operated largely in memory, which limits what on-disk antivirus scanning and file-based EDR detections can see; behavioral telemetry (process injection, unexpected DLL loads, outbound connections from the installer) is where it is more likely to surface.
Detection and behavior
At the time of discovery, VirusTotal scans of the malicious installers showed detections from approximately 30-32 security vendors. The threat has been classified under names including Tedy Trojan, Artemis Trojan, and associations with STX RAT.
Key technical elements include:
- Credential theft - Primary focus on exfiltrating sensitive data, particularly browser-stored credentials (e.g., Chrome).
- DLL hijacking - Use of a modified system library (CRYPTBASE.dll, compiled with Zig) to achieve persistence and load additional modules.
- C2 communication - Hardcoded command-and-control server domain enabling immediate callback and download of further payloads.
The malware shares infrastructure similarities with earlier campaigns, including the March 2026 FileZilla incident, suggesting possible overlap in tactics or actors.
Implications for software distribution
This incident highlights the growing vulnerability of the “trusted source” model. When a long-established distribution point like cpuid.com is compromised through a secondary component such as the API that serves its download links, the common advice to “always download from the official website” can itself become the infection vector. The signed binaries on CPUID's servers were never touched; the user simply received a different file than the one the page claimed to link to.
For the broader software industry, the attack underscores that protecting core binaries and digital signatures is only part of the challenge - the entire delivery pipeline, including APIs and frontend redirects, must be equally hardened, and users should verify the signature of what they actually downloaded rather than trusting the page they downloaded it from. The rise of memory-resident malware also reinforces the need for behavioral detection over signature-based solutions alone.
What affected users should do
If you downloaded or installed HWMonitor 1.63 or CPU-Z 2.19 from cpuid.com between April 9 and April 10, 2026, treat the system as potentially compromised. The malware's design (credential theft and additional module downloads) means simply deleting the installer is not enough: by the time you notice, browser-stored credentials may already have been exfiltrated and further modules fetched from the C2 server.
Recommended immediate actions:
- Run a full system scan with up-to-date antivirus/anti-malware software.
- Change passwords for all critical accounts (email, banking, cryptocurrency wallets, etc.), preferably from a clean device. Also sign out of all active sessions on those accounts: a stolen browser session cookie remains valid after a password change until the session itself is revoked.
- Enable multi-factor authentication (MFA) everywhere it is available.
For users handling sensitive professional or financial data, security researchers recommend considering a full operating system reinstallation to eliminate the modified system DLL, any modules it loaded, and whatever persistence they established.
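The following PowerShell triage script is an added example and is not tooling from CPUID, vx-underground, or any other party mentioned above. It takes only the indicators this article reports (the rogue installer name HWiNFO_Monitor_Setup.exe, the affected product names, and a modified CRYPTBASE.dll used for DLL hijacking) and checks a Windows machine for them; the search locations, the assumption that a hijack copy of CRYPTBASE.dll would sit in an application or user-writable directory, and the Microsoft-signer check are my own assumptions, not facts from the incident write-ups. It does not clean anything; it reports what it finds so the decision to reinstall can be made on evidence.

```powershell
# Added triage example, not CPUID's own code. Indicators from the article:
# HWiNFO_Monitor_Setup.exe, HWMonitor/CPU-Z installers, modified CRYPTBASE.dll.
# Search locations and signer checks are assumptions. Run as the user who
# downloaded the file, then again from an elevated prompt.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Indicator, [string]$Path, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Path = $Path; Detail = $Detail })
}

# 1. The rogue installer, in the places a browser would have saved it.
$downloadDirs = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", $env:TEMP)
foreach ($dir in $downloadDirs) {
    Get-ChildItem -LiteralPath $dir -Filter 'HWiNFO_Monitor_Setup.exe' -Recurse -File |
        ForEach-Object {
            Add-Finding 'rogue installer present' $_.FullName `
                ('sha256=' + (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash)
        }
}

# 2. Any CPU-Z / HWMonitor installer still on disk: report Authenticode status and
#    signer so it can be compared with a fresh, known-good download from cpuid.com.
#    'NotSigned' or 'HashMismatch' on a file named like a CPUID installer is a red flag.
foreach ($dir in $downloadDirs) {
    Get-ChildItem -LiteralPath $dir -Recurse -File -Include 'cpu-z*.exe', 'hwmonitor*.exe' |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            Add-Finding 'CPUID-named installer' $_.FullName "status=$($sig.Status) signer=$signer"
        }
}

# 3. CRYPTBASE.dll: the genuine copies live under the Windows directory and are
#    Microsoft-signed. A copy in an application or user-writable directory is the
#    classic search-order hijack; the article reports a modified one in this campaign.
$genuineHashes = foreach ($p in "$env:SystemRoot\System32\cryptbase.dll",
                                "$env:SystemRoot\SysWOW64\cryptbase.dll") {
    if (Test-Path -LiteralPath $p) { (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash }
}
$hijackRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA,
                 $env:APPDATA, $env:ProgramData, $env:TEMP, "$env:USERPROFILE\Downloads") |
               Where-Object { $_ }
foreach ($root in $hijackRoots) {
    Get-ChildItem -LiteralPath $root -Filter 'cryptbase.dll' -Recurse -File |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $msSigned = ($sig.Status -eq 'Valid') -and
                        ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
            # Flag if the bytes differ from the system copies or it is not Microsoft-signed.
            if (($genuineHashes -notcontains $hash) -or (-not $msSigned)) {
                Add-Finding 'CRYPTBASE.dll outside Windows dir' $_.FullName `
                    "status=$($sig.Status) sha256=$hash"
            }
        }
}

# 4. Summary. Anything listed here deserves a closer look before the machine is trusted.
if ($findings.Count -eq 0) {
    Write-Host 'No indicators from the CPUID incident found in the searched locations.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A clean result from this script is not proof of a clean machine: the payload ran largely in memory and may have dropped files under other names, so it only rules out the specific artifacts reported so far. A hit on item 3, or a CPUID-named installer whose signature status is anything other than Valid, is strong grounds for the reinstallation recommended above.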
CPUID has confirmed that the website is now back online with restored integrity. All current downloads are clean and safe.
Key takeaways
- Attack targeted CPU-Z version 2.19 and HWMonitor version 1.63.
- Compromise occurred via a secondary API on cpuid.com between April 9 and April 10, 2026.
- Malicious links were active for approximately six hours.
- The malware, delivered by an installer with Russian-language prompts, is a trojan designed to steal browser credentials and evade on-disk detection by running largely in memory.
- Security vendors identified the threat as Tedy or Artemis Trojan.
- Lead developer Franck Delattre was reportedly on leave during the incident.

