Attackers compromised a secondary API on the CPUID website between April 9 at 15:00 UTC and April 10 at around 10:00 UTC. During that window the site served malicious download links in place of the legitimate installers for several of its popular hardware monitoring utilities. CPUID confirmed the breach, says the compromised API has been fixed, and now serves clean versions of all affected tools.
Users who downloaded CPU-Z, HWMonitor, HWMonitor Pro or PerfMonitor during that window may have received manipulated versions. The original signed CPUID binaries themselves were not altered; the attack substituted the links that pointed to them.
What malware was delivered via CPUID downloads
The malicious downloads were served from Cloudflare R2 storage and delivered a fake HWiNFO installer named HWiNFO_Monitor_Setup, packaged in a Russian-language Inno Setup wrapper. According to Kaspersky's analysis, the trojanized packages contained a legitimately signed executable alongside a malicious DLL named CRYPTBASE.dll, loaded through DLL sideloading: the signed executable picks up the DLL of that name from its own directory instead of the genuine system copy.
The malicious DLL performed anti-sandbox checks before contacting a command-and-control server and executing a final payload identified as STX RAT, a remote access Trojan with information-stealing capabilities that eSentire researchers have documented. The malware ran almost entirely in memory and used techniques to evade endpoint detection and antivirus software.
The four software versions affected were:
- CPU-Z version 2.19
- HWMonitor Pro version 1.57
- HWMonitor version 1.63
- PerfMonitor version 2.04.
Scope of impact of CPUID malware
Kaspersky estimates that more than 150 users downloaded a malicious variant during the time period. Victims included individuals and organizations in the retail, manufacturing, consulting, telecommunications and agricultural sectors, primarily in Brazil, Russia and China.
The ZIP file involved is detected by 20 antivirus engines on VirusTotal, some identifying it as Tedy Trojan and others as Artemis Trojan.
Researchers at vxunderground and Igor’s Labs independently verified the compromised download chain. vxunderground noted that the malware uses the same command and control address seen in a March campaign involving a fake FileZilla site used to deliver malicious downloads. This suggests that the same threat actor may be responsible for both incidents.
What Affected CPUID Users Should Do Now
Users who downloaded any of the four affected tools between April 9 at 15:00 UTC and April 10 at approximately 10:00 UTC should consider their installation potentially compromised. Kaspersky has published indicators of compromise that include malicious files, DLLs, and URLs associated with the attack.
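A triage script for that window, added here as an example (it is not code from CPUID, Kaspersky or the other researchers named in this article): it walks a folder of downloads and flags files whose SHA-256 matches a known-bad hash pasted in from the published indicators, a CRYPTBASE.dll lying beside an executable outside the Windows system directories (the sideloading layout of the trojanized installers), and anything named after the HWiNFO_Monitor_Setup lure. The folder layout, file contents and hash list in build_sample() are constructed for the demonstration; no real indicator values appear here.

```python
"""Offline triage for files downloaded during the CPUID incident window.

Added example for this article; it is not CPUID's, Kaspersky's or any other
researcher's code. It flags three indicators drawn from the incident description:
  1. a SHA-256 match against a known-bad hash list (fill it from the published
     indicators; the demo below uses a hash of constructed sample data);
  2. a CRYPTBASE.dll sitting beside an .exe outside the Windows system directories,
     the sideloading layout of the trojanized installers;
  3. a file named like the fake HWiNFO_Monitor_Setup lure.
Directory layout and file contents in build_sample() are constructed for the demo.
"""
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path

# The only legitimate homes of cryptbase.dll on a Windows host (lower-case path fragments).
SYSTEM_DIRS = ("windows\\system32\\", "windows\\syswow64\\")
# Lure installer name from the article, matched case-insensitively as a substring.
LURE_NAMES = ("hwinfo_monitor_setup",)


@dataclass
class Finding:
    path: str
    reason: str


def sha256_of(path: Path) -> str:
    """Stream the file so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def in_system_dir(path: Path) -> bool:
    # Normalise separators so the check also works on a copied or mounted image.
    normalised = str(path).replace("/", "\\").lower()
    return any(frag in normalised for frag in SYSTEM_DIRS)


def triage(root: Path, bad_hashes: set[str]) -> list[Finding]:
    findings: list[Finding] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        name = path.name.lower()
        digest = sha256_of(path)
        if digest in bad_hashes:
            findings.append(Finding(str(path), f"sha256 {digest} matches known-bad hash"))
        if name == "cryptbase.dll" and not in_system_dir(path):
            # A host executable beside the DLL is the sideloading layout; a stray copy
            # with no host is still out of place and worth a look.
            hosts = [p.name for p in path.parent.iterdir() if p.suffix.lower() == ".exe"]
            where = f"beside {', '.join(hosts)}" if hosts else "with no host executable"
            findings.append(Finding(str(path), f"CRYPTBASE.dll outside system directory {where} (sideload layout)"))
        if any(lure in name for lure in LURE_NAMES):
            findings.append(Finding(str(path), "filename matches the fake HWiNFO installer lure"))
    return findings


def build_sample() -> tuple[Path, set[str]]:
    """Constructed download folder: one trojanized layout, one lure archive, one clean
    file, and the legitimate system copy of cryptbase.dll. All contents are placeholders."""
    root = Path(tempfile.mkdtemp(prefix="cpuid_triage_"))
    trojan_dir = root / "Downloads" / "hwmonitor_1.63"
    trojan_dir.mkdir(parents=True)
    (trojan_dir / "HWMonitor.exe").write_bytes(b"MZ placeholder for a signed host executable")
    (trojan_dir / "CRYPTBASE.dll").write_bytes(b"MZ placeholder for the malicious sideloaded DLL")
    (root / "Downloads" / "HWiNFO_Monitor_Setup.zip").write_bytes(b"PK placeholder lure archive")
    (root / "Downloads" / "cpu-z_readme.txt").write_bytes(b"clean text file")
    sysdir = root / "Windows" / "System32"
    sysdir.mkdir(parents=True)
    (sysdir / "cryptbase.dll").write_bytes(b"MZ placeholder for the genuine system DLL")
    # Stand-in for the published indicator list: the hash of the constructed malicious DLL.
    bad_hashes = {sha256_of(trojan_dir / "CRYPTBASE.dll")}
    return root, bad_hashes


if __name__ == "__main__":
    sample_root, iocs = build_sample()
    for finding in triage(sample_root, iocs):
        print(f"{finding.reason}: {finding.path}")
```

To run it against a real machine, call triage(Path(r"C:\Users\<you>\Downloads"), known_bad) with the hashes from the published indicator list. A hash hit is conclusive; the other two checks are layout and naming heuristics that justify a closer look (and, if the installer was executed, an incident-response workflow), not proof of compromise on their own.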
CPUID states that its original signed binaries were not modified and that the direct download URLs of the legitimate files remained unchanged throughout the incident. Downloads from the CPUID website are now reported to be clean.