
Users attempting to download HWMonitor and CPU-Z from the official CPUID website are reportedly being served malware-laced installers, in what appears to be an active compromise of the vendor’s distribution infrastructure.
CPUID, the developer behind HWMonitor and CPU-Z, is a French software company known for producing lightweight system profiling and monitoring tools widely used by enthusiasts, IT professionals, and OEMs. CPU-Z alone has tens of millions of users globally.
The issue first surfaced through user reports on Reddit, where a user attempting to update HWMonitor to version 1.63 was redirected from the official CPUID website to a suspicious download location hosting a file named HWiNFO_Monitor_Setup.exe. The anomaly was immediately notable, as HWiNFO is an entirely separate hardware monitoring tool developed by a different vendor. Upon execution, the installer reportedly launched a Russian-language setup interface, prompting the user to abort the installation.
Further investigation by community members revealed that the download link embedded on CPUID’s official HWMonitor page redirected to an external domain hosted on Cloudflare R2 storage, rather than CPUID’s standard infrastructure. This domain served a trojanized installer wrapped in a modified Inno Setup package, a technique frequently used to obfuscate malicious payloads and hinder static analysis. In contrast, legitimate HWMonitor installers use standard, easily extractable Inno Setup configurations.
Security researchers and technically inclined users analyzing the sample via VirusTotal and sandbox environments confirmed malicious behavior. Clean versions of HWMonitor, such as 1.61, and even a 1.63 binary reachable directly via manually constructed URLs, did not exhibit the same indicators, suggesting the compromise may be limited to specific download paths or dynamically served payloads.
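As an added defender-side illustration (not code from the article, CPUID, or the researchers cited), the two observations above, a download link that redirects off the vendor's domain and an artifact whose name does not match the product, can be turned into a pre-install check: record every hop a download link takes without fetching the installer body, then flag off-vendor hosts and mismatched filenames. The page URL, the r2.dev bucket name and the download paths below are constructed placeholders, not the real ones from the incident.

```python
"""Audit a vendor download link's redirect chain before trusting the installer.
Checks: every redirect hop stays under the vendor's domain(s), and the final
artifact's filename matches the product requested. The sample chain is constructed."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

VENDOR_DOMAINS = ("cpuid.com",)  # hosts a CPUID download is expected to use
REDIRECT_CODES = (301, 302, 303, 307, 308)

def host_allowed(url, allowed=VENDOR_DOMAINS):
    """True if the URL's host is an allowed domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in allowed)

def audit_chain(chain, expected_prefix, allowed=VENDOR_DOMAINS):
    """Findings for an ordered list of URLs; an empty list means nothing suspicious."""
    findings = []
    for url in chain[1:]:  # every hop after the first came from a Location header
        if not host_allowed(url, allowed):
            findings.append(f"redirect leaves vendor domain: {urlparse(url).hostname}")
    filename = urlparse(chain[-1]).path.rsplit("/", 1)[-1]
    if not filename.lower().startswith(expected_prefix.lower()):
        findings.append(f"artifact name does not match product: {filename}")
    return findings

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # refuse to follow; the 3xx surfaces as an HTTPError instead

def collect_chain(url, max_hops=10):
    """Walk redirects one HEAD request at a time, recording each hop, never fetching a body."""
    opener = urllib.request.build_opener(_NoRedirect)
    chain = [url]
    for _ in range(max_hops):
        try:
            opener.open(urllib.request.Request(chain[-1], method="HEAD"), timeout=10).close()
            return chain  # 2xx: final resource reached
        except urllib.error.HTTPError as err:
            if err.code not in REDIRECT_CODES or "Location" not in err.headers:
                return chain
            chain.append(urljoin(chain[-1], err.headers["Location"]))
    return chain

# Constructed chain mirroring the reported behaviour; the r2.dev bucket name is a placeholder.
SAMPLE_CHAIN = [
    "https://www.cpuid.com/softwares/hwmonitor.html",
    "https://pub-placeholder.r2.dev/HWiNFO_Monitor_Setup.exe",
]
```

Run `audit_chain(collect_chain(link), "hwmonitor")` against a live link to get the same findings; servers that reject HEAD will end the walk early, so an empty chain tail is itself worth a second look.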
Additional reports indicate that CPU-Z downloads may also be affected by the same infrastructure compromise. Some users observed antivirus detections when downloading CPU-Z installers, while others reported system instability and infection symptoms consistent with malware execution. One user claimed that installing CPU-Z from the official site resulted in a severely corrupted Windows installation.
Independent analysis by VX-Underground corroborates these findings, confirming that cpuid.com was actively distributing malware at the time of investigation. According to their report, the payload is not a typical commodity threat but a sophisticated, multi-stage implant designed for stealth and persistence. The malware reportedly operates largely in memory, reducing forensic artifacts on disk, and employs advanced evasion techniques, including proxying Windows NTDLL functions through a .NET assembly to bypass endpoint detection and response (EDR) systems.
The researchers also identified command-and-control (C2) infrastructure linked to a known threat group that had previously been observed distributing trojanized versions of FileZilla in March 2026.
At the time of writing, it remains unclear how the attackers gained access to CPUID’s infrastructure or whether the breach has been fully contained. The software publisher has not yet issued an official statement about the incident, and the website is currently offline.