CPUID Breach: Malware Disguised as CPU-Z, HWMonitor Downloads

CPUID API Compromised, Distributing Malware via CPU-Z and HWMonitor Downloads

Attackers recently compromised an API used by the CPUID project's website and swapped the download links served there, so that visitors who clicked through to download the popular system monitoring tools CPU-Z and HWMonitor received malicious executables instead of the legitimate installers.

Both CPU-Z and HWMonitor are widely used by millions of users for monitoring the health of internal computer hardware and obtaining detailed system specifications.

Reports surfaced on Reddit indicating that users who downloaded these tools found themselves redirected to the Cloudflare R2 storage service, where a trojanized version of HWiNFO, another diagnostic and monitoring tool, was being served.

The malicious file, named HWiNFO_Monitor_Setup, launches a Russian-language installer wrapped in Inno Setup when executed, behavior that is clearly out of place for an English-language diagnostic tool.

Although users could still access the clean hwmonitor_1.63.exe directly, it was evident that the distribution links had been compromised.
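The Reddit reports above amount to two observations a downloader can check mechanically: the final URL after redirects was on a third-party host rather than the vendor's, and the filename did not match the product being downloaded. The script below is an added example, not CPUID's code or any tooling from the reports; the vendor host list, the filename patterns and the sample URLs are assumptions made for the demonstration, and the resolved URL is taken as a string so the check runs offline.

```python
"""Flag a resolved download URL that does not look like the vendor's own.

Added example for this article, not CPUID's code. VENDOR_HOSTS, EXPECTED_NAMES
and the sample URLs are assumptions/constructed data, not indicators from the
incident.
"""
import re
from urllib.parse import urlparse

# Hosts from which we are willing to accept an installer (assumed for the demo).
VENDOR_HOSTS = ("cpuid.com",)

# Expected installer names per product. The patterns are assumed, modelled on
# the 'hwmonitor_1.63.exe' naming mentioned in the article.
EXPECTED_NAMES = {
    "hwmonitor": re.compile(r"^hwmonitor_\d+\.\d+\.(exe|zip)$", re.I),
    "cpu-z": re.compile(r"^cpu-z_\d+\.\d+(-en)?\.(exe|zip)$", re.I),
}


def host_is_vendor(host: str, vendor_hosts=VENDOR_HOSTS) -> bool:
    """True if host equals a vendor domain or is a subdomain of one.

    A plain substring test would accept 'cpuid.com.evil.example'; the
    suffix test with a leading dot does not.
    """
    host = host.lower().rstrip(".")
    return any(host == v or host.endswith("." + v) for v in vendor_hosts)


def check_download(product: str, final_url: str, vendor_hosts=VENDOR_HOSTS) -> list[str]:
    """Return findings for a download; an empty list means nothing looked off.

    final_url is the URL after all redirects have been followed (for example
    requests.head(url, allow_redirects=True).url). It is passed in as a
    string so this function has no network dependency.
    """
    findings = []
    parsed = urlparse(final_url)
    if parsed.scheme != "https":
        findings.append(f"not HTTPS: scheme={parsed.scheme!r}")
    if not host_is_vendor(parsed.hostname or "", vendor_hosts):
        findings.append(f"off-vendor host: {parsed.hostname!r}")
    filename = parsed.path.rsplit("/", 1)[-1]
    pattern = EXPECTED_NAMES.get(product)
    if pattern is None or not pattern.match(filename):
        findings.append(f"unexpected filename for {product}: {filename!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs: one plausible vendor link, one R2-style redirect.
    good = "https://download.cpuid.com/hwmonitor/hwmonitor_1.63.exe"
    bad = "https://pub-0123456789abcdef.r2.dev/HWiNFO_Monitor_Setup.zip"
    print("vendor link  :", check_download("hwmonitor", good))
    print("redirected   :", check_download("hwmonitor", bad))
```

The point of the suffix comparison in host_is_vendor is that a lookalike such as cpuid.com.attacker.example must not pass; a substring match would let it through.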

Further investigation by Igor's Labs and @vxunderground revealed a sophisticated loader employing advanced tactics, techniques, and procedures (TTPs).

According to vxunderground, the malware involved in this incident is highly sophisticated, utilizing methods such as file masquerading, multi-staging, in-memory operation, and evasion of EDRs and AVs.

The researchers noted similarities between this attack and an earlier one that targeted users of the FileZilla FTP client, suggesting a campaign focused on widely used utilities.

On VirusTotal the downloaded ZIP was flagged by 20 antivirus engines, with verdicts varying between the generic Tedy and Artemis trojan families. Some researchers identified the fake HWiNFO variant as an infostealer.

CPUID responded to the incident, stating that a secondary API was compromised for approximately six hours between April 9 and April 10, leading to the display of malicious links on the main website. The original files remained intact, and the breach has since been rectified.


Kaspersky researchers confirmed the compromise timeline and reported that malicious versions of several CPUID tools were distributed during the attack. The modified packages bundled a legitimate, signed executable with a malicious DLL named 'CRYPTBASE.dll' dropped beside it, so that the executable loads the attacker's DLL from its own directory instead of the genuine system library (DLL sideloading).

Kaspersky identified the final payload as STX RAT, a remote access trojan with infostealer capabilities, which was detected by YARA rules published by eSentire.

Notably, over 150 users, including organizations in various sectors, fell victim to the malicious downloads. Kaspersky provided indicators of compromise for the malicious files and URLs involved in the attack.
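The sideloading pattern Kaspersky describes (a real executable with a system-named DLL planted next to it) and the published hash indicators are both things a responder can check on an extracted download. The script below is an added example, not Kaspersky's or CPUID's tooling: it walks a folder, flags DLLs that carry the name of a Windows system library but sit outside the Windows system directories alongside an EXE, and compares every file's SHA-256 against an IOC set. The IOC hashes and the sample folder are constructed for the demonstration (the real indicators are in Kaspersky's report), and the folder is built under a temporary directory so the script runs offline.

```python
"""Triage an extracted download for DLL sideloading and known-bad hashes.

Added example for this article, not Kaspersky's or CPUID's code. The IOC set
and the sample folder are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path

# System DLL names attackers plant beside a signed EXE so the Windows loader
# resolves them from the application directory before the system directory.
# CRYPTBASE.dll is the one reported in this incident; the others are other
# commonly abused names and are included here as an assumption.
SIDELOAD_NAMES = {
    "cryptbase.dll", "version.dll", "dwmapi.dll",
    "userenv.dll", "wtsapi32.dll", "profapi.dll",
}

# Where these DLLs legitimately live; a copy anywhere else is suspicious.
SYSTEM_DIRS = ("c:/windows/system32", "c:/windows/syswow64")


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large installers do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root: Path, ioc_hashes: set[str]) -> list[dict]:
    """Return one finding per (file, reason); an empty list means nothing flagged."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        digest = sha256_file(p)
        if digest in ioc_hashes:
            findings.append({"path": str(p), "reason": "hash matches IOC", "sha256": digest})
        if p.suffix.lower() == ".dll" and p.name.lower() in SIDELOAD_NAMES:
            parent = str(p.parent).replace("\\", "/").lower()
            in_system_dir = parent.startswith(SYSTEM_DIRS)
            # Case-insensitive EXE lookup: rglob/glob are case-sensitive on Linux.
            exes = sorted(e.name for e in p.parent.iterdir() if e.suffix.lower() == ".exe")
            if not in_system_dir and exes:
                findings.append({
                    "path": str(p),
                    "reason": f"system DLL name beside {exes} outside the Windows directory",
                    "sha256": digest,
                })
    return findings


def build_demo() -> tuple[Path, set[str]]:
    """Construct a sample install folder: placeholder EXE plus a planted CRYPTBASE.dll.

    The byte contents are placeholders, not real binaries, and the returned IOC
    set is simply the planted DLL's own hash so the hash check has a match.
    """
    root = Path(tempfile.mkdtemp(prefix="cpuid-triage-"))
    (root / "HWMonitor.exe").write_bytes(b"MZ placeholder for the legitimate executable")
    planted = root / "CRYPTBASE.dll"
    planted.write_bytes(b"MZ placeholder for the planted loader DLL")
    (root / "readme.txt").write_text("constructed sample, not a real download\n")
    return root, {sha256_file(planted)}


if __name__ == "__main__":
    demo_root, demo_iocs = build_demo()
    for finding in triage(demo_root, demo_iocs):
        print(finding["reason"], "->", finding["path"])
```

On a real case the IOC set comes from the vendor's published indicators and the hash match is the high-confidence signal; the name-beside-EXE heuristic is what catches a repacked build whose DLL hash has changed, and it will also fire on legitimate software that ships its own copy of one of these DLLs, so treat it as a triage lead rather than a verdict.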

Following the incident, CPUID has taken necessary measures to ensure the distribution of clean versions for CPU-Z and HWMonitor.

UPDATE [April 11]: Information from Kaspersky regarding the incident has been incorporated into this article.
