Malware found in 'CPU-Z' and 'HWMonitor,' distribution site CPUID reports being hacked.

CPUID, a company that distributes software for benchmarking and monitoring Windows and Android devices, has been hacked, and malware was found to have been embedded in its CPU-Z software, which retrieves and displays CPU information on devices, and HWMonitor, which monitors hardware. CPUID has acknowledged that the breach lasted for approximately six hours, but has reported that the issue has been fixed.

CPUID hacked to deliver malware via CPU-Z, HWMonitor downloads

https://www.bleepingcomputer.com/news/security/supply-chain-attack-at-cpuid-pushes-malware-with-cpu-z-hwmonitor/

HWMonitor and CPU-Z developer CPUID breached by unknown attackers — cyberattack forced users to download malware instead of valid apps for six hours | Tom's Hardware
https://www.tomshardware.com/tech-industry/cyber-security/hwmonitor-and-cpu-z-developer-cpuid-breached-by-unknown-attackers-cyberattack-forced-users-to-download-malware-instead-of-valid-apps-for-approximately-six-hours

Security PSA: Popular Tools CPU-Z and HWMonitor Were Briefly Compromised | TechPowerUp
https://www.techpowerup.com/348138/security-psa-popular-tools-cpu-z-and-hwmonitor-were-briefly-compromised

The first person to point out this problem appears to be engineer Chris Titus. Although he misnames the software in his post, he is reporting that software distributed by CPUID is infected with malware; 'HWInfo (HWiNFO)' is a separate hardware information tool and is not distributed by CPUID.

Titus shows the scan results for 'cpu-z_2.19-en.zip' from the malware scanning service Hybrid Analysis.

Free Automated Malware Analysis Service - powered by Falcon Sandbox
https://hybrid-analysis.com/sample/eff5ece65fb30b21a3ebc1ceb738556b774b452d13e119d5a2bfb489459b4a46

According to this report, among the files in the archive, the executables 'cpuz_x64.exe' and 'cpuz_x32.exe' are flagged as suspected malicious, and 'CRYPTBASE.dll' is flagged as confirmed malicious.
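Because the flagged files are two executables plus a DLL bundled alongside them, the practical check for anyone who downloaded a CPUID archive during the incident is to inspect it before running anything. The script below is an added example, not code from CPUID, Chris Titus or Hybrid Analysis: it opens a zip in memory, identifies members that are actually PE files by their 'MZ' magic rather than by extension, flags any bundled DLL whose name matches a Windows system DLL (CRYPTBASE.dll is one such name; a copy placed next to an EXE is loaded instead of the System32 copy), and compares the archive's SHA-256 against a known-bad list. The only indicator in that list is the sample hash from the Hybrid Analysis URL cited above; the archive the script builds is a constructed stand-in with dummy bytes, not the real sample, and the system-DLL list is a short illustrative assumption, not an exhaustive one.

```python
"""Triage a downloaded tool archive before running it (added example)."""
import hashlib
import io
import zipfile

# Known-bad archive hash: the sample id in the Hybrid Analysis link above.
KNOWN_BAD_SHA256 = {
    "eff5ece65fb30b21a3ebc1ceb738556b774b452d13e119d5a2bfb489459b4a46",
}

# DLL names a portable tool has no reason to ship: Windows provides them from
# System32, and a copy in the application directory is loaded first.
# Assumption: a short illustrative list, not a complete sideloading catalogue.
SYSTEM_DLL_NAMES = {
    "cryptbase.dll", "version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_archive(archive: bytes) -> dict:
    """Return findings for a zip archive held in memory."""
    findings = {
        "archive_sha256": sha256_hex(archive),
        "known_bad": False,
        "pe_members": [],        # members whose bytes start with the PE 'MZ' magic
        "suspicious_dlls": [],   # members named like a Windows system DLL
        "member_sha256": {},     # per-member hashes for comparison with vendor hashes
    }
    findings["known_bad"] = findings["archive_sha256"] in KNOWN_BAD_SHA256
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            findings["member_sha256"][info.filename] = sha256_hex(data)
            if data[:2] == b"MZ":
                findings["pe_members"].append(info.filename)
            base = info.filename.rsplit("/", 1)[-1].lower()
            if base in SYSTEM_DLL_NAMES:
                findings["suspicious_dlls"].append(info.filename)
    return findings


def build_sample_archive() -> bytes:
    """Constructed stand-in for the reported archive; member contents are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cpu-z_2.19-en/cpuz_x64.exe", b"MZ" + b"\0" * 62)
        zf.writestr("cpu-z_2.19-en/cpuz_x32.exe", b"MZ" + b"\0" * 62)
        zf.writestr("cpu-z_2.19-en/CRYPTBASE.dll", b"MZ" + b"\0" * 62)
        zf.writestr("cpu-z_2.19-en/readme.txt", b"dummy readme\n")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_archive(build_sample_archive())
    print("archive sha256:", result["archive_sha256"], "known bad:", result["known_bad"])
    print("PE members:", result["pe_members"])
    print("DLLs shadowing system DLLs:", result["suspicious_dlls"])
```

A bundled DLL that matches a system DLL name is the strongest signal here: a tool like CPU-Z ships its executables, not copies of Windows' own libraries. Hash comparison only catches the exact sample already reported, so treat a miss as "not this sample" rather than "clean". Authenticode verification of the extracted executables needs platform tooling (on Windows, Get-AuthenticodeSignature) and is the step that exploits CPUID's own statement that the signed originals were untouched.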

VX UNDERGROUND, which provides a repository of malware files, has pointed out, in addition to Titus's information, that the malware being distributed is not commonplace malware, but a Trojan horse with means to evade EDR (Endpoint Detection and Response) and antivirus mechanisms. Based on the domains included in the binaries, the attackers are the same group that impersonated FileZilla in March 2026.

According to VX UNDERGROUND, the ultimate goal of this malware is to steal data, primarily browser credentials, and they 'have seriously worked on countermeasures and made some smart decisions during payload development.' Although it has some shortcomings, such as failing to implement emulation countermeasures and reusing the same C2 server used in the FileZilla incident to remotely control infected devices, it is still a fairly good piece of malware and has been rated 'B-'.

Samuel Dumelmeester of CPUID issued a statement saying, 'While the investigation is ongoing, it appears that a sub-function (basically the side API) was compromised for approximately six hours between April 9th and 10th, resulting in malicious links being randomly displayed on the main website (signed original files were not compromised). The compromise has been detected and corrected. We apologize for any inconvenience caused. We have done our best to resolve the issue.'

in Software, Security, Posted by logc_nt