CPUID Website Compromised to Deliver Malware via HWMonitor and CPU-Z
Key Takeaways
- The official cpuid.com website, hosting popular utilities like HWMonitor and CPU-Z, was compromised to deliver malware.
- Users downloading HWMonitor 1.63 or CPU-Z ZIPs since early April 2026 may have received trojanized installers.
- The malicious payload employs DLL hijacking and in-memory execution to evade antivirus detection and establish attacker communications.
- CPUID has not issued a public statement, but affected download links are now returning 404 errors, indicating the files have been removed.
The cpuid.com website, a trusted source for system diagnostic tools such as CPU-Z and HWMonitor, has been implicated in an ongoing supply chain attack. Reports indicate that users attempting to download specific versions of these utilities have instead received malicious installers.
Since early April 2026, individuals downloading HWMonitor 1.63 or CPU-Z ZIP packages from the official site have been served trojanized files. These installers are designed to deploy malicious DLLs, execute code in memory to bypass traditional antivirus scans, and establish covert connections to attacker-controlled infrastructure.
Website Compromised to Deliver Weaponized Versions
The compromise first came to light through community reports on Reddit on April 10, 2026. Users consistently reported that clicking the official HWMonitor 1.63 download link on cpuid.com did not yield the expected hwmonitor_1.63.exe file. Instead, they received a file named HWiNFO_Monitor_Setup.exe.
This filename appears to be a deliberate attempt to mislead users by combining elements of CPUID and HWiNFO, two reputable hardware monitoring brands. This tactic exploits users’ familiarity with trusted names, leading them to overlook discrepancies in the exact package filename.
Further evidence of compromise emerged as users reported Windows Defender alerts upon download, the appearance of Russian-language text within the Inno Setup installer wrapper, and multiple flags from various VirusTotal scanners.
Security researchers, including vx-underground, confirmed the active delivery of malware, describing it as “deeply trojanized” and distributed from the compromised cpuid.com domain.
The malicious payload has been observed dropping cryptbase.dll, a file that shares its name with a Windows system library. Planting such a file is a common DLL hijacking technique that facilitates persistent and stealthy execution. The multi-stage threat leverages in-memory execution to bypass conventional antivirus scanning, rendering file-system level detection ineffective.
While a compromised download environment is confirmed, the exact mechanism of the breach remains under investigation. A notable technical asymmetry exists within the CPUID website’s infrastructure: the setup installer and ZIP packages for HWMonitor 1.63 are not served from the same sources. The setup path routes through download.cpuid.com, a dedicated subdomain, while the ZIP version links directly to a Cloudflare R2 object storage domain. This split infrastructure could represent a potential point of manipulation.
The most probable explanation at this juncture is that a download path within CPUID’s backend was redirected, replaced, or tampered with. It is crucial to distinguish this from a potential compromise of the HWiNFO project itself. HWiNFO’s official download page, hwinfo.com, lists version 8.44 (published March 4, 2026) as its current stable release, with a consistent version history and verified mirrors. An earlier Bitdefender detection of HWiNFO in January 2026 was identified as a false positive and is unrelated to the current incident.
The precise nature of the CPUID incident—whether it involves website defacement, a compromised backend object, server-side redirect manipulation, or a DNS hijack—has not yet been publicly confirmed. While forensic certainty is still pending, caution is strongly advised.
As of this report, download links on cpuid.com are returning 404 errors, suggesting that the site operators have removed the compromised files. CPUID has not yet issued a public statement, though the company is reportedly investigating the matter. Security researchers have analyzed the installer samples and flagged them on VirusTotal as multi-stage threats.
What You Should Do
- Refrain from downloading anything from cpuid.com until the company issues an official “all-clear” and confirms the integrity of its downloads.
- Immediately scan your system if you downloaded HWMonitor or CPU-Z from cpuid.com after April 3, 2026. Use a reputable antivirus solution with up-to-date definitions.
- Check for the presence of cryptbase.dll in unexpected application directories as a potential indicator of compromise.
- Consider switching to HWiNFO (hwinfo.com) as a safe and actively maintained alternative for hardware monitoring, ensuring downloads are from its official site.
- Always verify file hashes against official vendor sources before executing any system utility installer to ensure its authenticity.
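One way to carry out the cryptbase.dll check above on a Windows host, as an added PowerShell example that is not part of the original report. The search roots are assumptions chosen for illustration; the script records each hit's SHA-256 and Authenticode status so the file can be triaged and looked up.

```powershell
# Added example: find copies of cryptbase.dll outside the Windows directory.
# Assumption: the search roots below are illustrative; extend them to wherever
# installers unpack on your hosts. Run elevated for full coverage.

# Genuine copies live under %SystemRoot% (System32, SysWOW64, WinSxS).
$legitRoot = [IO.Path]::GetFullPath($env:SystemRoot).TrimEnd('\') + '\'

$roots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:ProgramData,
    $env:LOCALAPPDATA,
    $env:APPDATA,
    $env:TEMP,
    (Join-Path $env:USERPROFILE 'Downloads')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

$hits = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Filter 'cryptbase.dll' -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.FullName.StartsWith($legitRoot, [StringComparison]::OrdinalIgnoreCase) } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path       = $_.FullName
                Created    = $_.CreationTime
                SizeBytes  = $_.Length
                SigStatus  = $sig.Status
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                # Executables in the same folder are the candidates for loading this DLL
                Neighbours = (Get-ChildItem -LiteralPath $_.DirectoryName -Filter '*.exe' -File -ErrorAction SilentlyContinue).Name -join ', '
            }
        }
}

if ($hits) {
    $hits | Sort-Object Created | Format-List
} else {
    'No cryptbase.dll found outside {0}' -f $legitRoot
}
```

A hit whose SigStatus is not Valid, or whose signer is not Microsoft, sitting beside an application executable is the pattern to escalate; preserve the file and its hash before cleaning up.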