CPUID site hijacked to serve malware instead of HWMonitor downloads
Summary
Visitors to the CPUID website were briefly served malicious installers in place of legitimate downloads for tools such as HWMonitor and CPU-Z after attackers compromised a secondary backend component. The compromise lasted about six hours spanning 9 and 10 April 2026; during that time trusted download links intermittently pointed at attacker-controlled files rather than the genuine, signed binaries.
CPUID says its signed build pipeline was not breached; instead a side API that served download links was hijacked, and it has since been fixed. Analysis shows the malicious installer targeted 64-bit HWMonitor users, used a fake CRYPTBASE.dll, leaned on PowerShell to operate largely in memory, compiled and injected a .NET payload on the victim machine, and attempted to harvest browser credentials via Chrome interfaces. Researchers also noted links to infrastructure used in earlier supply-chain style campaigns.
Key Points
- A secondary backend/API on CPUID’s site was compromised for roughly six hours, swapping legitimate download links for malicious ones.
- Tools affected included HWMonitor and CPU-Z; users reported installers with unexpected file names and antivirus alerts.
- The malware used a fake CRYPTBASE.dll and relied on PowerShell and in-memory techniques to fetch and run further payloads.
- Analysis indicates the threat attempts to compile a .NET payload on the victim, inject into other processes, and steal browser-stored credentials.
- CPUID says original signed files and the build process were not altered; the vulnerability lay in the downloads-serving layer and has been fixed.
- Indicators show overlap with infrastructure from previous campaigns (for example, an attack on FileZilla users), suggesting a wider playbook rather than a one-off.
Context and relevance
This incident highlights a growing trend: attackers targeting distribution and delivery mechanisms rather than the software build itself. Supply-chain risk now includes not just code repositories and CI pipelines but also APIs, CDN/back-end components and download pages. For organisations and home users alike, this underlines the importance of verifying downloads, using checksums/signatures where provided, and monitoring for unusual installer names or AV flags.
For security teams it is a reminder to add distribution endpoints to threat models and incident playbooks: securing the build pipeline is not enough if the delivery layer can be tampered with.
Why should I read this?
Short version: if you grabbed HWMonitor or CPU-Z from CPUID during the six-hour window, you may have installed a credential stealer. Check your downloads and run a scan; if you installed anything, change passwords and review browser-stored credentials. This is exactly the sort of distribution trick attackers love: quick to pull off and wide in potential impact. Read the details so you know what to check and what to tell users.
Practical takeaways
1) Delete any installer fetched during the window, re-download it from the CPUID site, and verify the Authenticode signature and any published checksum where available before running it.
2) Run up-to-date AV/EDR scans if you accessed CPUID downloads on 9–10 April 2026.
3) If you installed affected software during the window, change passwords and review stored browser credentials and active sessions, preferably from a device you know is clean.
4) For teams: include delivery APIs and download infrastructure in your threat modelling and monitoring.
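The following PowerShell script is an added example of how a user or help desk could carry out the first three takeaways on a Windows machine; it is not code from the article, The Register or CPUID. It assumes that the genuine installers are Authenticode-signed (the article says the real binaries are signed), that the placeholder signer substring and the empty known-good hash table are filled in from freshly re-downloaded copies you have verified yourself, and that the browser recorded the download URL in the file's Zone.Identifier stream (Mark of the Web), which recent Windows browsers do. The incident window and the one-day margin around it are likewise assumptions based on the dates in the article.

```powershell
# Added example, not from the article or from CPUID. Audits installers in the
# given folders: Authenticode signature, SHA-256 against a known-good table you
# supply, download origin from the Zone.Identifier stream, and file timestamp
# relative to the incident window. Also lists any CRYPTBASE.dll found outside
# the Windows directory, since the article reports a fake CRYPTBASE.dll was used.
param(
    [string[]]$ScanDirs = @("$env:USERPROFILE\Downloads"),
    # Placeholder: confirm the real signer subject on a verified copy first.
    [string]$ExpectedSigner = 'CPUID',
    # Placeholder: map installer file name -> SHA-256 of a re-downloaded, verified copy.
    [hashtable]$KnownGood = @{},
    # Assumed window (9-10 April 2026) with a one-day margin for clock/timezone skew.
    [datetime]$WindowStart = [datetime]'2026-04-08',
    [datetime]$WindowEnd   = [datetime]'2026-04-12'
)

function Get-DownloadOrigin {
    # Reads HostUrl/ReferrerUrl from the Mark-of-the-Web stream, if present.
    param([string]$Path)
    try {
        $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
        [pscustomobject]@{
            HostUrl     = [string](($ads | Where-Object { $_ -like 'HostUrl=*' })     -replace '^HostUrl=', '')
            ReferrerUrl = [string](($ads | Where-Object { $_ -like 'ReferrerUrl=*' }) -replace '^ReferrerUrl=', '')
        }
    } catch { $null }
}

function Test-Installer {
    param([System.IO.FileInfo]$File)
    $sig    = Get-AuthenticodeSignature -LiteralPath $File.FullName
    $hash   = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash
    $origin = Get-DownloadOrigin -Path $File.FullName
    $flags  = New-Object System.Collections.Generic.List[string]

    # A genuine installer should carry a valid signature from the expected publisher.
    if ($sig.Status -ne 'Valid') {
        $flags.Add("signature status $($sig.Status)")
    } elseif ($sig.SignerCertificate.Subject -notmatch [regex]::Escape($ExpectedSigner)) {
        $flags.Add("signer is '$($sig.SignerCertificate.Subject)'")
    }
    # Compare against a hash you computed from a verified re-download.
    if ($KnownGood.ContainsKey($File.Name) -and $KnownGood[$File.Name] -ne $hash) {
        $flags.Add('SHA-256 differs from known-good copy')
    }
    # Anything fetched from cpuid.com inside the window deserves a closer look
    # even if it looks clean, because the swap was intermittent.
    $fromCpuid = $origin -and (($origin.HostUrl + $origin.ReferrerUrl) -match 'cpuid\.com')
    $inWindow  = ($File.LastWriteTime -ge $WindowStart) -and ($File.LastWriteTime -lt $WindowEnd)
    if ($fromCpuid -and $inWindow) {
        $flags.Add('downloaded from cpuid.com inside the incident window')
    }

    [pscustomobject]@{
        File   = $File.FullName
        SHA256 = $hash
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Origin = if ($origin) { $origin.HostUrl } else { '' }
        Flags  = ($flags -join '; ')
    }
}

function Find-StrayCryptbase {
    # The real cryptbase.dll lives under %WINDIR%; a copy elsewhere is suspicious.
    param([string[]]$Roots)
    Get-ChildItem -Path $Roots -Filter 'cryptbase.dll' -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notlike "$env:WINDIR\*" }
}

$installers = Get-ChildItem -Path $ScanDirs -File -Recurse -Include *.exe, *.msi -ErrorAction SilentlyContinue
$results    = $installers | ForEach-Object { Test-Installer -File $_ }

# Show only files that raised a flag; keep the full audit as CSV for the ticket.
$results | Where-Object { $_.Flags } | Format-Table File, Signer, Flags -AutoSize
$results | Export-Csv -LiteralPath (Join-Path $env:TEMP 'cpuid-download-audit.csv') -NoTypeInformation

$stray = Find-StrayCryptbase -Roots ($ScanDirs + @($env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData))
if ($stray) {
    "CRYPTBASE.dll found outside $($env:WINDIR):"
    $stray.FullName
}
```

Run it from an elevated PowerShell session so the signature and stream checks can read files in protected locations, and treat a flag as a reason to investigate rather than proof of compromise: a signature that reports NotSigned or HashMismatch on a file that should be CPUID-signed is the strongest single indicator here, while a clean signature on a file fetched inside the window only means that particular download was not swapped.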
Source
Source: https://go.theregister.com/feed/www.theregister.com/2026/04/10/cpuid_site_hijacked/
