CPUID Website Compromised to Deliver Weaponized HWMonitor and CPU-Z Tools
Cybersecurity News, archived Apr 10, 2026
The cpuid-dot-com website, home to widely used system utilities CPU-Z and HWMonitor, is at the center of an active supply chain security incident.
Users downloading HWMonitor 1.63 or CPU-Z ZIPs since early April have reportedly received trojanized installers capable of dropping malicious DLLs, evading antivirus detection through in-memory execution, and establishing connections to attacker-controlled infrastructure.
CPU-Z infection (Source: VirusTotal)
Community reports surfaced primarily on Reddit on April 10, 2026, describing a consistent and alarming pattern: users who clicked the official HWMonitor 1.63 download link on cpuid.com did not receive the expected file, hwmonitor_1.63.exe, but instead downloaded a file named HWiNFO_Monitor_Setup.exe.
Website Compromised to Deliver Weaponized Versions
The discrepancy doesn’t appear accidental. The filename appears deliberately crafted to blend two trusted hardware monitoring brands, CPUID and HWMonitor, exploiting users’ habit of trusting familiar utility names rather than scrutinizing exact package filenames.
Chris Titus, a tech content creator, reported on two compromised utilities: CPU-Z and HWMonitor.
MR. TITUS TECH IS CORRECT. CPUID-DOT-COM IS INDEED DELIVERING MALWARE RIGHT NOW.
AS I BEGAN POKING THIS WITH A STICK I DISCOVERED THIS IS NOT YOUR TYPICAL RUN-OF-THE-MILL MALWARE. THIS MALWARE IS DEEPLY TROJANIZED, DISTRIBUTES FROM A COMPROMISED DOMAIN (CPUID-DOT-COM), PERFORMS… HTTPS://T.CO/UBKXMG7LKV PIC.TWITTER.COM/JPLAMMPIJN
— vx-underground (@vxunderground) April 10, 2026
Multiple users additionally reported Windows Defender alerts triggering on download, Russian-language dialog text appearing within the Inno Setup installer wrapper, and detection flags across multiple VirusTotal scanners.
The malicious payload has been observed dropping a file named cryptbase.dll to carry out DLL hijacking, a technique commonly used to gain persistent, stealthy execution. The multi-stage threat uses in-memory tricks to bypass conventional antivirus scanning, rendering filesystem-level detection unreliable.
cryptbase infection (Source: Hybrid Analysis)
What is confirmed is a compromised download environment. What remains forensically unresolved is the precise mechanism. The CPUID website itself presents a notable technical asymmetry: the setup installer and ZIP packages for HWMonitor 1.63 are not served from the same infrastructure.
The setup path routes through a dedicated download.cpuid.com subdomain, while the ZIP version links directly to a Cloudflare R2 object storage domain, a split infrastructure that could represent a manipulation point.
The most plausible explanation currently is that a download path within the CPUID backend was redirected, replaced, or otherwise tampered with, not that the HWiNFO project itself was compromised.
This distinction matters. HWiNFO’s official download page lists version 8.44 as the current stable release (published March 4, 2026), with consistent version history and multiple verified mirrors. An earlier Bitdefender detection of HWiNFO in January 2026 was confirmed as a false positive and subsequently withdrawn; that was a separate and unrelated event.
Whether the CPUID incident stems from website defacement, a compromised backend object, server-side redirect manipulation, or a DNS hijack has not yet been publicly established. Treating suspicion as forensic certainty at this stage would be premature, but caution is absolutely warranted.
Download links on cpuid-dot-com are currently returning 404 errors, suggesting the site operators have pulled affected files. CPUID has not issued a public statement as of publication time, though the company is reportedly investigating. Security researchers have dissected the installer samples and flagged them on VirusTotal as multi-stage threats.
Recommended Actions
Do not download anything from cpuid.com until the company issues a verified all-clear
Scan your system immediately if you downloaded HWMonitor or CPU-Z after April 3, 2026
Check for cryptbase.dll in application directories as an indicator of compromise
Switch to HWiNFO (hwinfo.com) as a safe, actively maintained alternative for hardware monitoring
Verify file hashes against official sources before executing any system utility installer
This incident is a sharp reminder that even the most routine diagnostic tools can become threat delivery vectors when the infrastructure behind them is targeted.
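As an added example (not part of the original article or any vendor tooling), the PowerShell below carries out two of the recommended checks: locating copies of cryptbase.dll outside the Windows system directories, and comparing a downloaded installer's name and SHA-256 against expected values. The function names, search roots and the expected-hash parameter are assumptions; the article publishes no hashes, so the hash must come from the vendor.

```powershell
# Added example, not from the article. Function names and search roots are assumptions.

# Report every cryptbase.dll found outside %SystemRoot%, where the genuine copies
# ship (System32, SysWOW64, WinSxS). A copy beside an application is the indicator.
function Find-StrayCryptbase {
    param([string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)},
            $env:LOCALAPPDATA, $env:APPDATA, "$env:USERPROFILE\Downloads"))
    $sysRoot = $env:SystemRoot.TrimEnd('\') + '\'
    foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        $found = Get-ChildItem -LiteralPath $root -Filter 'cryptbase.dll' -File -Recurse -Force -ErrorAction SilentlyContinue
        foreach ($f in $found) {
            if ($f.FullName.StartsWith($sysRoot, [System.StringComparison]::OrdinalIgnoreCase)) { continue }
            $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
            [pscustomobject]@{
                Path      = $f.FullName
                SHA256    = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
                Signature = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
                Signer    = $sig.SignerCertificate.Subject   # empty when the file is unsigned
                Modified  = $f.LastWriteTime
            }
        }
    }
}

# Compare a downloaded installer with the name and hash you expected to receive.
function Test-Installer {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedName,    # e.g. hwmonitor_1.63.exe, the name the article expects
        [Parameter(Mandatory)][string]$ExpectedSha256   # placeholder: obtain from the vendor, not from this page
    )
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path        = $Path
        NameMatches = (Split-Path -Leaf $Path) -ieq $ExpectedName
        HashMatches = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash -ieq $ExpectedSha256.Trim()
        Signature   = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
    }
}

Find-StrayCryptbase | Format-List
# Test-Installer -Path "$env:USERPROFILE\Downloads\hwmonitor_1.63.exe" `
#     -ExpectedName 'hwmonitor_1.63.exe' -ExpectedSha256 '<SHA-256 published by the vendor>'
```

Because the article reports in-memory stages that make filesystem-level detection unreliable, an empty result narrows the search but does not clear the host.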