CPUID Website Hacked: Weaponized HWMonitor & Compromised Deliver

Marcus Rodriguez
April 10, 2026 3 Min Read

The cpuid.com website, host to popular system utilities CPU-Z and HWMonitor, is at the center of an active supply chain security incident.

Users downloading HWMonitor 1.63 or CPU-Z ZIPs since early April have reportedly received trojanized installers capable of dropping malicious DLLs, evading antivirus detection through in-memory execution, and establishing connections to attacker-controlled infrastructure.

Community reports surfaced primarily on Reddit on April 10, 2026, describing a consistent and alarming pattern: users who clicked the official HWMonitor 1.63 download link on cpuid.com did not receive the expected file, hwmonitor_1.63.exe, but instead downloaded a file named HWiNFO_Monitor_Setup.exe.

Website Compromised to Deliver Weaponized Versions

The discrepancy doesn’t appear accidental. The filename appears deliberately crafted to blend two trusted hardware monitoring brands, CPUID and HWiNFO, exploiting users' habit of trusting familiar utility names rather than scrutinizing exact package filenames.

Mr. Titus Tech is correct. cpuid-dot-com is indeed delivering malware right now.

As I began poking this with a stick I discovered this is not your typical run-of-the-mill malware. This malware is deeply trojanized, distributes from a compromised domain (cpuid-dot-com), performs… https://t.co/ubkXmG7LKV pic.twitter.com/jPlAMmpijN

— vx-underground (@vxunderground) April 10, 2026

Multiple users additionally reported Windows Defender alerts triggering on download, Russian-language dialog text appearing within the Inno Setup installer wrapper, and detection flags across multiple VirusTotal scanners.

The malicious payload has been observed dropping cryptbase.dll, which points to DLL hijacking, a technique commonly used to gain persistent, stealthy execution. The multi-stage threat uses in-memory tricks to bypass conventional antivirus scanning, making detection at the filesystem level unreliable.

What is confirmed is a compromised download environment. What remains forensically unresolved is the precise mechanism. The CPUID website itself presents a notable technical asymmetry: the setup installer and ZIP packages for HWMonitor 1.63 do not serve from the same infrastructure.

The setup path routes through a dedicated download.cpuid.com subdomain, while the ZIP version links directly to a Cloudflare R2 object storage domain, a split infrastructure that could represent a manipulation point.

The most plausible explanation currently is that a download path within the CPUID backend was redirected, replaced, or otherwise tampered with, not that the HWiNFO project itself was compromised.

This distinction matters. HWiNFO’s official download page lists version 8.44 as the current stable release (published March 4, 2026), with consistent version history and multiple verified mirrors. An earlier Bitdefender detection of HWiNFO in January 2026 was confirmed as a false positive and subsequently withdrawn; it was a separate and unrelated event.

Whether the CPUID incident stems from website defacement, a compromised backend object, server-side redirect manipulation, or a DNS hijack has not yet been publicly established. Treating suspicion as forensic certainty at this stage would be premature, but caution is absolutely warranted.

Download links on cpuid.com are currently returning 404 errors, suggesting the site operators have pulled affected files. CPUID has not issued a public statement as of publication time, though the company is reportedly investigating. Security researchers have dissected the installer samples and flagged them on VirusTotal as multi-stage threats.

Recommended Actions

  • Do not download anything from cpuid.com until the company issues a verified all-clear
  • Scan your system immediately if you downloaded HWMonitor or CPU-Z after April 3, 2026
  • Check for cryptbase.dll in application directories as an indicator of compromise
  • Switch to HWiNFO (hwinfo.com) as a safe, actively maintained alternative for hardware monitoring
  • Verify file hashes against official sources before executing any system utility installer
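
The two file-level checks in the list above (a stray cryptbase.dll in application directories, and name and hash verification of a downloaded installer) can be scripted as follows. This is an added example, not code from the article or from CPUID; the trusted system directories and scan roots are assumptions about a stock Windows layout, and the expected hash must be supplied from the vendor because the article publishes none.

```python
import hashlib
import os
from pathlib import Path

def sha256_of(path):
    """Stream the file so large installers are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def default_trusted_dirs():
    # Assumption: on a stock Windows install the genuine cryptbase.dll lives
    # only under these system directories; any other copy deserves review.
    root = Path(os.environ.get("SystemRoot", r"C:\Windows"))
    return [root / "System32", root / "SysWOW64", root / "WinSxS"]

def find_stray_dlls(scan_roots, trusted_dirs, dll_name="cryptbase.dll"):
    """Return (path, sha256) for every copy of dll_name outside trusted_dirs."""
    trusted = [Path(d).resolve() for d in trusted_dirs]
    hits = []
    for scan_root in scan_roots:
        for dirpath, dirs, files in os.walk(scan_root):
            here = Path(dirpath).resolve()
            if any(here == t or t in here.parents for t in trusted):
                dirs.clear()  # prune: do not descend into trusted system dirs
                continue
            for name in files:
                if name.lower() == dll_name.lower():  # Windows names ignore case
                    hits.append((str(here / name), sha256_of(here / name)))
    return hits

def check_download(path, expected_name, expected_sha256):
    """Compare a downloaded installer with the name and hash the vendor published."""
    problems = []
    got = Path(path).name
    if got.lower() != expected_name.lower():
        problems.append(f"filename is {got!r}, expected {expected_name!r}")
    if sha256_of(path).lower() != expected_sha256.lower():
        problems.append("SHA-256 does not match the published value")
    return problems

if __name__ == "__main__":
    # Assumed scan roots: common per-machine and per-user application locations.
    env = ("ProgramFiles", "ProgramFiles(x86)", "LOCALAPPDATA", "TEMP")
    roots = [os.environ[v] for v in env if v in os.environ]
    for path, digest in find_stray_dlls(roots, default_trusted_dirs()):
        print(f"{digest}  {path}")
```

Because the article notes that the payload runs in memory, an empty result from the file scan does not clear a machine; treat a hit as a lead for further investigation, not the absence of one as proof of safety.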

This incident is a sharp reminder that even the most routine diagnostic tools can become threat delivery vectors when the infrastructure behind them is targeted.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.
