Hackers accessed a secondary API on the CPUID website between April 9 at 15:00 UTC and April 10 at around 10:00 UTC. During this time, the site served malicious download links instead of legitimate installers for several popular hardware monitoring utilities. CPUID has confirmed the breach and says the compromised API has been fixed. They are now serving clean versions of all affected tools.
Users who downloaded CPU-Z, HWMonitor, HWMonitor Pro, or PerfMonitor during the six-hour period may have received tampered versions. However, CPUID’s original signed binaries were not altered.
What Malware Was Delivered Through the CPUID Downloads
The malicious downloads were funneled through Cloudflare R2 storage and delivered a fake HWiNFO installer named HWiNFO_Monitor_Setup, packaged with a Russian Inno Setup wrapper. According to Kaspersky’s analysis, the trojanized versions included a legitimately signed executable along with a malicious DLL called CRYPTBASE.dll, which was used for DLL sideloading.
The malicious DLL performed anti-sandbox checks before connecting to a command-and-control server and executing a final payload identified as STX RAT. This remote access trojan has infostealer capabilities and has been documented by researchers at eSentire. The malware operated almost entirely in memory and used techniques to evade endpoint detection and antivirus software.
The four affected software versions were:
- CPU-Z version 2.19
- HWMonitor Pro version 1.57
- HWMonitor version 1.63
- PerfMonitor version 2.04.
Scope of the CPUID Malware Impact
Kaspersky estimates that over 150 users downloaded a malicious variant during the timeframe. Among the victims were individuals and organizations in retail, manufacturing, consulting, telecommunications, and agriculture, mainly in Brazil, Russia, and China.
The ZIP file involved is detected by 20 antivirus engines on VirusTotal, with some identifying it as Tedy Trojan and others as Artemis Trojan.
Researchers at vxunderground and Igor’s Labs independently verified the compromised download chain. vxunderground pointed out that the malware uses the same command-and-control address observed in a March campaign that involved a fake FileZilla site used to deliver malicious downloads. This suggests that the same threat actor may be responsible for both incidents.
What Affected CPUID Users Should Do Now
Users who downloaded any of the four affected tools between April 9 at 15:00 UTC and April 10 at approximately 10:00 UTC should consider their installation potentially compromised. Kaspersky has published indicators of compromise that include malicious files, DLLs, and URLs associated with the attack.
CPUID states that its original signed binaries were not modified and that the direct download URLs for the legitimate files remained unchanged during the incident. Currently, downloads from the CPUID website are confirmed to be safe.
