CPUID Hijacked: CPU-Z, HWMonitor Downloads Served Malware
Attackers compromised CPUID's website API for six hours, redirecting CPU-Z and HWMonitor downloads to trojanized installers that steal browser credentials using advanced evasion techniques.
CPUID, the French software company behind the widely-used CPU-Z and HWMonitor utilities, suffered a supply chain compromise this week that turned its official download links into malware delivery mechanisms for approximately six hours.
The attack, which occurred between April 9 and April 10, 2026, hijacked a secondary API on the CPUID website, causing download links to randomly redirect users to trojanized installers hosted on Cloudflare R2 storage buckets.
What Happened
Security researchers on Reddit first flagged suspicious activity when users attempting to download HWMonitor received a file named "HWiNFO_Monitor_Setup.exe" instead of the expected "hwmonitor_1.63.exe." Windows Defender immediately flagged the installer, which displayed Russian-language prompts via an Inno Setup wrapper—a stark departure from CPUID's normal French-language distribution.
The attackers didn't compromise CPUID's core infrastructure or signed binaries. Instead, they targeted what CPUID described as "a secondary feature (basically a side API)" that controlled download link generation on the main website. This approach mirrors the recent Smart Slider compromise where attackers poisoned a distribution channel without touching the source code itself.
Igor's Lab and the security research collective @vxunderground independently confirmed the compromise within hours.
Affected Software
The attack impacted multiple CPUID products:
- CPU-Z 2.19 — System information utility
- HWMonitor 1.63 — Hardware monitoring tool
- HWMonitor Pro 1.57 — Commercial version
- PerfMonitor 2 v2.04 — Performance monitoring utility
- powerMAX 1.00 — System stress testing tool
CPU-Z alone has been downloaded hundreds of millions of times, making it a high-value target for credential theft operations.
How the Malware Works
According to technical analysis shared by security researchers, the malicious payload uses sophisticated evasion techniques rarely seen in commodity malware:
DLL Sideloading: The installer drops a malicious CRYPTBASE.dll alongside legitimate HWMonitor binaries. When the legitimate executable loads, it inadvertently loads the trojanized DLL first.
Zig Compiler: The malware was compiled using Zig rather than traditional C/C++ compilers, helping it evade signature-based detection tuned for common toolchains.
In-Memory Execution: The payload operates almost entirely in memory, compiling a .NET assembly on the victim's machine at runtime. It uses PowerShell with stdin piping to avoid command-line logging and downloads additional code stages dynamically.
NTDLL Proxying: To bypass endpoint detection tools, the malware proxies NTDLL functionality through a .NET assembly—an unusual technique that helps it avoid API hooking commonly used by security software.
The primary goal appears to be stealing browser credentials. Analysis shows the malware interacting with Google Chrome's IElevation COM interface, which can be exploited to dump and decrypt saved passwords. This is a familiar tactic—we covered similar credential theft techniques targeting browser data stores earlier this month.
Persistence Mechanisms
The malware establishes four independent persistence mechanisms:
- Registry Run Keys — Hidden PowerShell commands execute MSBuild project files on login
- Scheduled Tasks — Triggers every 68 minutes with a 20-year duration
- COM Hijacking — Scriptlets hijack TypeLib GUIDs to execute on system events
- MSBuild Payloads — XOR-encrypted shellcode stored in .proj files
Files are staged in AppData\Local\Microsoft\MSBuild\ directories, masquerading as legitimate build cache files.
Connection to Previous Campaigns
The same threat actor appears to have targeted FileZilla users in early March 2026, using identical infrastructure. Both campaigns leveraged the C2 domain supp0v3.com, registered in October 2025, with payloads hosted on Cloudflare R2 buckets.
The backend server at 147.45.178.61 (ASN 215540, Frankfurt, Germany) was previously associated with campaigns exploiting CVE-2023-36025, a Windows SmartScreen bypass vulnerability.
This pattern of targeting widely-used utilities suggests a deliberate campaign against software supply chains—similar to the North Korean operation we reported on targeting NPM and PyPI package repositories.
Indicators of Compromise
Malicious ZIP Package:
- SHA256: eff5ece65fb30b21a3ebc1ceb738556b774b452d13e119d5a2bfb489459b4a46
CRYPTBASE.dll (DLL Sideload):
- SHA256: 49685018878b9a65ced16730a1842281175476ee5c475f608cadf1cdcc2d9524
C2 Infrastructure:
- Domain: supp0v3.com
- Callback: https://welcome.supp0v3.com/d/callback
- IP: 147.45.178.61
Cloudflare R2 Buckets:
- pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev
- pub-fd67c956bf8548b7b2cc23bb3774ff0c.r2.dev
- pub-f3252d8370f34f0d9f3b3c427d3ac33c.r2.dev
What You Should Do
CPUID has confirmed the issue is resolved and the website now serves clean binaries. If you downloaded CPU-Z, HWMonitor, or related CPUID tools between April 9-10, 2026:
- Check download timestamps — If you downloaded during the six-hour window, assume compromise
- Run antivirus scans — Multiple AV engines now detect the payload as Tedy or Artemis Trojan variants
- Check persistence locations — Look for unexpected .proj files in AppData\Local\Microsoft\MSBuild\
- Change browser passwords — The malware specifically targets Chrome saved credentials
- Verify file hashes — Compare your downloaded files against the IOCs listed above
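The following PowerShell triage script is an added example, not CPUID's code or the researchers' analysis tooling. It turns the persistence locations described in the "Persistence Mechanisms" section and the checklist above into read-only checks on a Windows host: it hashes downloaded files against the two SHA256 values in the IoC list, looks for .proj files in the MSBuild staging directory, inspects Run keys and scheduled tasks for PowerShell/MSBuild launches, searches TypeLib registrations for scriptlet references, and checks the DNS client cache for the C2 domain and IP. The function names, the Downloads-folder default, and the regex heuristics are this example's own assumptions; only the hashes, domain, IP and staging path come from the article.

```powershell
# Added triage example (not CPUID's or the researchers' code). Read-only; run in an
# elevated PowerShell session so HKLM and all scheduled tasks are readable.
# IoC values below are taken from the article; everything else is an assumption.

$IocHashes = @(
    'eff5ece65fb30b21a3ebc1ceb738556b774b452d13e119d5a2bfb489459b4a46',  # malicious ZIP package
    '49685018878b9a65ced16730a1842281175476ee5c475f608cadf1cdcc2d9524'   # sideloaded CRYPTBASE.dll
)
$IocDomain = 'supp0v3.com'
$IocIp     = '147.45.178.61'
$LaunchPattern = 'powershell|msbuild|\.proj'   # heuristic for the Run-key / task mechanisms

function New-Finding([string]$Kind, [string]$Detail) {
    [pscustomobject]@{ Finding = $Kind; Detail = $Detail }
}

# 1. Compare SHA256 of every file under the given paths with the IoC hashes.
function Test-IocHashes {
    param([string[]]$Paths = @("$env:USERPROFILE\Downloads"))   # assumed default location
    foreach ($p in $Paths) {
        Get-ChildItem -Path $p -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
            if ($IocHashes -contains $h) { New-Finding 'IoC hash match' $_.FullName }
        }
    }
}

# 2. Staged .proj files under the MSBuild directory named in the article.
function Test-MsBuildStaging {
    $dir = Join-Path $env:LOCALAPPDATA 'Microsoft\MSBuild'
    Get-ChildItem -Path $dir -Filter '*.proj' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'Unexpected .proj in MSBuild staging dir' $_.FullName }
}

# 3. Run keys whose command launches PowerShell or MSBuild (or references a .proj file).
function Test-RunKeys {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSDrive, ...)
            if ("$($prop.Value)" -match $LaunchPattern) {
                New-Finding "Suspicious Run value in $k" "$($prop.Name) = $($prop.Value)"
            }
        }
    }
}

# 4. Scheduled tasks whose action launches PowerShell or MSBuild.
function Test-ScheduledTasks {
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $LaunchPattern) {
                New-Finding 'Suspicious scheduled task' "$($task.TaskPath)$($task.TaskName): $cmd"
            }
        }
    }
}

# 5. Per-user TypeLib registrations pointing at scriptlets (the COM-hijack mechanism).
function Test-TypeLibScriptlets {
    Get-ChildItem -Path 'HKCU:\Software\Classes\TypeLib' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $default = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            if ("$default" -match '\.sct|script:') { New-Finding 'TypeLib points at scriptlet' "$($_.Name) -> $default" }
        }
}

# 6. DNS client cache entries for the C2 domain or its IP.
function Test-C2Resolution {
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$IocDomain*" -or $_.Data -eq $IocIp } |
        ForEach-Object { New-Finding 'C2 indicator in DNS cache' "$($_.Entry) -> $($_.Data)" }
}

$findings = @(Test-IocHashes) + @(Test-MsBuildStaging) + @(Test-RunKeys) +
            @(Test-ScheduledTasks) + @(Test-TypeLibScriptlets) + @(Test-C2Resolution)
if ($findings.Count -eq 0) { 'No article IoCs or matching persistence found on this host.' }
else { $findings | Format-Table -AutoSize }
```

Every check reports rather than remediates: a hit on the Run-key, task or TypeLib heuristics needs human review because legitimate software also launches PowerShell or registers type libraries, while a hash match or a C2 cache entry is a direct indicator and should trigger the password rotation and isolation steps above.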
For those learning about malware defense strategies, this incident underscores why even trusted software sources can become attack vectors. Consider using package managers with integrity verification or downloading from multiple mirrors when possible.
The Bigger Picture
Supply chain attacks continue gaining favor with threat actors because they provide immediate access to large, trusting user bases. CPUID's tools are staples of hardware enthusiast and IT professional workflows—exactly the demographic likely to have elevated privileges and access to sensitive systems.
The attackers' infrastructure investment—Cloudflare R2 for delivery, DNS-over-HTTPS for C2 resolution, Zig compilation for evasion—suggests this isn't a casual operation. The six-hour compromise window, while brief, could have affected thousands of downloads given CPU-Z's popularity.
Organizations should monitor for the listed IOCs and treat any CPUID software downloaded during the affected timeframe as potentially compromised.