CPUID supply chain breach poisoned CPU-Z and HWMonitor downloads with RAT malware
A six-hour backend API compromise turned trusted hardware monitoring tools into malware delivery vectors, infecting 150+ users before detection.
CPUID’s official download infrastructure was compromised for approximately six hours between April 9 and 10, redirecting users of CPU-Z and HWMonitor—hardware diagnostics tools with a combined 100 million downloads—to malicious payloads carrying STX RAT infostealer malware.
The attack affected more than 150 confirmed users across Brazil, Russia, and China, according to Kaspersky telemetry. Victims spanned retail, manufacturing, consulting, telecommunications, and agriculture sectors, though most infections hit individual users. The breach exposed a critical vulnerability in software supply chains: trusted download endpoints can be weaponised without compromising the signed binaries themselves.
CPUID develops CPU-Z and HWMonitor, two of the most widely deployed hardware diagnostics tools in enterprise IT and enthusiast communities. CPU-Z provides real-time processor, motherboard, and memory specifications; HWMonitor tracks voltages, temperatures, and fan speeds. Both are considered essential utilities for system administrators, technicians, and overclockers.
How the attack worked
Threat actors compromised a backend API—what CPUID founder Samuel Demeulemeester described as a “secondary feature”—causing download links on cpuid.com to randomly redirect to malicious URLs hosted on Cloudflare R2 storage. The legitimate signed executables remained untouched, per BleepingComputer.
The poisoned downloads masqueraded as HWiNFO_Monitor_Setup.exe, presented as a 64-bit HWMonitor 1.63 installer (the HWiNFO name is itself a mismatch against the product it claimed to be). Once executed, the malware ran a five-stage, largely in-memory loading chain: DLL search order hijacking via a planted CRYPTBASE.dll in the application directory, XOR decryption of the next stage, reflective PE loading, and DNS-over-HTTPS for command-and-control, according to technical analysis from Cyderes. The final payload targeted Google Chrome credentials and established persistence through MSBuild.
Affected versions included CPU-Z 2.19, HWMonitor 1.63, HWMonitor Pro 1.57, and PerfMonitor 2.04. Users who downloaded these tools during the six-hour window received STX RAT instead of—or bundled with—the expected utilities.
Detection came from sloppy tradecraft
The attackers’ operational security failures enabled rapid containment. They reused the same C2 infrastructure and infection chain from a March 2026 campaign targeting FileZilla users, allowing security researchers to immediately recognise the threat signature. According to Kaspersky researchers, “The gravest mistake attackers made was to reuse the same infection chain involving STX RAT, and the same domain names for C2 communication, from the previous attack.”
“This malware is deeply trojanized, distributes from a compromised domain (cpuid-dot-com), performs file masquerading, is multi-staged, operates (almost) entirely in-memory, and uses some interesting methods to evade EDRs and/or AVs such as proxying NTDLL functionality from a .NET assembly.”
— vx-underground security researcher
Community-driven detection also played a role. Users on Reddit and GitHub flagged unexpected installer behaviour—including Russian-language prompts and filename mismatches—before CPUID confirmed the breach. The ScoopInstaller project documented hash verification failures in real time, creating a public audit trail that preceded official disclosure.
Why API compromise defeats traditional security
The CPUID incident exposes a fundamental weakness in download security models: even when binaries are properly signed, backend infrastructure can redirect users to malicious payloads. CPUID’s signed executables were never compromised, yet attackers achieved the same outcome by controlling the delivery mechanism.
This attack vector sidesteps code signing, supply chain audits, and repository integrity checks, controls that assume the threat originates in the build process. The substitute installer was not CPUID's signed file, so a signature or hash check on the file actually downloaded would have flagged it, but ordinary download workflows perform neither. Instead, attackers exploited what The Register characterised as a “side API,” a less-scrutinised component of CPUID’s download infrastructure. The result: users performing routine downloads were infected despite doing everything a typical download workflow asks of them.
The attack coincided with the Easter holiday, potentially delaying detection and response. “Investigations are still ongoing, but it appears that a secondary feature (basically a side API) was compromised for approximately six hours,” Demeulemeester stated, adding that “our signed original files were not compromised.”
Enterprise implications and remediation
For organisations that deployed affected versions during the compromise window, the threat extends beyond immediate credential theft. STX RAT’s in-memory execution and MSBuild persistence mechanisms can survive reboots and evade signature-based detection, according to Cyderes forensic analysis. The malware employs anti-sandbox techniques including VM detection and delayed execution, complicating automated response.
- Verify installed versions against CPUID’s published SHA-256 hashes for legitimate releases
- Search for CRYPTBASE.dll outside the system directories (a legitimate copy lives only in System32 and, on 64-bit Windows, SysWOW64; a copy beside an installer or in a user-writable folder is a search-order hijack candidate)
- Monitor for MSBuild.exe network activity outside build environments
- Reset credentials for any browser profiles accessed on potentially compromised systems
- Review proxy and firewall logs for HTTPS connections to public DNS-over-HTTPS resolvers from hosts that should be using the internal resolver; DoH bypasses the DNS server, so it will not show up in ordinary DNS query logs
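The checklist above, and the loading chain described under "How the attack worked", can be turned into a small triage script. The following is an added example, not tooling from CPUID, Kaspersky or Cyderes: it verifies a downloaded installer against a published SHA-256 hash, flags cryptbase.dll loaded from anywhere other than System32/SysWOW64, and flags MSBuild.exe network connections and non-browser connections to public DNS-over-HTTPS endpoints. The Sysmon-style event schema, the sample events, the list of DoH hosts and the build-host allowlist are all constructed assumptions; the stand-in installer is a temp file, not a real binary.

```python
"""Host triage for the CPUID/STX RAT indicators (added example, not vendor code).

Assumptions (not from the article): events are dicts with Sysmon-like fields
(EventID 7 = image load, 3 = network connection), plus the constructed
sample data, DoH host list and build-host allowlist below.
"""
import hashlib
import os
import tempfile

# A genuine cryptbase.dll lives only in System32 (and SysWOW64 on 64-bit Windows).
LEGIT_CRYPTBASE_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed list of public DoH endpoints; assumption: endpoints in this
# environment are expected to use the internal resolver instead.
PUBLIC_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Hosts where MSBuild network activity is expected (assumption).
BUILD_HOSTS = {"build01", "ci-runner-7"}

# Browsers that may legitimately use DoH themselves (assumption).
BROWSERS = ("\\chrome.exe", "\\msedge.exe", "\\firefox.exe")

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 7, "Image": r"C:\Users\bob\Downloads\HWiNFO_Monitor_Setup.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\CRYPTBASE.dll"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll"},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "DestinationHostname": "dns.google", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "dns.google", "DestinationPort": 443},
]


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large installers do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_installer(path, expected_sha256):
    """Compare the file you actually ran against the vendor-published hash."""
    actual = sha256_file(path)
    return actual == expected_sha256.lower(), actual


def suspicious_cryptbase_path(path):
    """True if cryptbase.dll sits anywhere except System32/SysWOW64."""
    norm = path.replace("/", "\\").lower()
    if not norm.endswith("\\cryptbase.dll"):
        return False
    return norm.rsplit("\\", 1)[0] not in LEGIT_CRYPTBASE_DIRS


def triage_events(events, hostname):
    """Apply the checklist rules; returns (rule, detail) findings in event order."""
    findings = []
    for ev in events:
        eid, image = ev.get("EventID"), ev.get("Image", "").lower()
        if eid == 7 and suspicious_cryptbase_path(ev.get("ImageLoaded", "")):
            findings.append(("cryptbase_sideload", f"{image} loaded {ev['ImageLoaded']}"))
        elif eid == 3:
            dest, port = ev.get("DestinationHostname", "").lower(), ev.get("DestinationPort")
            if image.endswith("\\msbuild.exe") and hostname not in BUILD_HOSTS:
                findings.append(("msbuild_network", f"MSBuild -> {dest}:{port}"))
            if port == 443 and dest in PUBLIC_DOH_HOSTS and not image.endswith(BROWSERS):
                findings.append(("doh_from_nonbrowser", f"{image} -> {dest}"))
    return findings


def write_sample(content, name="HWiNFO_Monitor_Setup.exe"):
    """Write constructed bytes to a temp dir as a stand-in for a downloaded installer."""
    path = os.path.join(tempfile.mkdtemp(prefix="cpuid_triage_"), name)
    with open(path, "wb") as f:
        f.write(content)
    return path


def run_demo():
    path = write_sample(b"constructed stand-in, not a real installer\n")
    published = sha256_file(path)  # in practice: the hash from the vendor's page
    ok, _ = verify_installer(path, published)
    bad, _ = verify_installer(path, "00" * 32)  # simulated tampered download
    findings = triage_events(SAMPLE_EVENTS, hostname="ws-finance-12")
    return ok, bad, findings


if __name__ == "__main__":
    ok, bad, findings = run_demo()
    print("hash matches published:", ok, "| tampered copy detected:", not bad)
    for rule, detail in findings:
        print(f"[{rule}] {detail}")
```

Run on a real host, `SAMPLE_EVENTS` would be replaced by exported Sysmon or EDR events and `published` by the hash CPUID lists for the release; the rules stay the same. The DoH rule deliberately ignores browsers, which is a policy choice to revisit if the environment disables browser DoH.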
CPUID has published known-good file hashes and advised users who downloaded software between April 9 and 10 to re-verify installations. The company fixed the compromised API within hours of detection, but the incident validates growing calls for hash verification workflows and out-of-band download confirmation—security measures rarely implemented in consumer software distribution.
What to watch
This marks the third high-profile open-source or freeware supply chain compromise in 2026, following the FileZilla campaign in March and earlier incidents affecting JavaScript package repositories. The pattern suggests attackers are systematically targeting trusted download infrastructure rather than attempting costlier build-system intrusions.
Expect accelerated adoption of Software Bill of Materials (SBOM) requirements and hash-verification mandates in enterprise procurement policies. The ease with which a six-hour API compromise infected 150+ users—despite code signing and reputation—demonstrates that current download security models are structurally inadequate. Organisations relying on third-party utilities for system administration now face a choice: implement zero-trust download verification or accept supply chain risk as operational overhead.
For CPUID, the incident will likely drive infrastructure hardening and API access controls. For the broader software ecosystem, it’s another data point in the case for treating every download as potentially hostile—even from domains that have been trusted for decades.