Hardware Warning: How CPU-Z and HWMonitor Official Downloads Became Trojan Traps

Downloading CPU-Z or HWMonitor, normally a routine task, briefly became a trojan delivery vector. Researchers from Cyderes, Breakglass, and Kaspersky report that adversaries tampered with the official download links on the CPUID website so that visitors received trojanised archives and installers instead of the genuine builds. According to Kaspersky, the substitution was live between 15:00 UTC on April 9 and 10:00 UTC on April 10 and affected CPU-Z 2.19, HWMonitor 1.63, HWMonitor Pro 1.57, and PerfMonitor 2.04. Breakglass, however, puts the window of activity wider, from April 3 to April 10.

What made the attack hard to spot was how closely the packages resembled legitimate downloads. Each malicious package contained the genuine, signed executable of the requested utility alongside a rogue CRYPTBASE.dll. This is classic DLL sideloading (search-order hijacking): when the signed executable started, the Windows loader resolved CRYPTBASE.dll from the application directory before looking in System32, so the attacker's library ran inside a trusted, signed process. That library kicked off a multi-stage, fileless loading sequence that ended with the deployment of STX RAT, a remote access trojan built for data exfiltration. Cyderes noted that in HWMonitor's case it was the 64-bit build that had been trojanised.

The incident is especially worrying because of who uses CPUID's tools. CPU-Z and HWMonitor have long been standard hardware diagnostics for system administrators, engineers, and PC enthusiasts. For attackers that is a valuable target pool: professional workstations and corporate laptops frequently hold credentials, session cookies, cryptographic keys, and VPN or internal infrastructure access. Kaspersky has already identified over 150 victims; most are individual users, but the list includes organisations in the retail, manufacturing, consulting, telecommunications, and agricultural sectors.

The link to earlier intrusions is also troubling. Breakglass and Kaspersky concluded that the operators reused infrastructure and infection-chain components from a March campaign that distributed a fake FileZilla installer. The reports point to the same DLL sideloading technique, the same command-and-control addresses, and the domain welcome.supp0v3[.]com. Breakglass further ties the activity to samples dating back to at least July 2025, which suggests a sustained operation with a maturing toolkit rather than a one-off.

The one piece of good news is that, as of April 10, the downloads on cpuid.com are clean again. Anyone who fetched one of the listed versions during the reported window should treat the host as compromised rather than simply deleting the archive: look for a CRYPTBASE.dll sitting beside the extracted executable, rebuild or remediate the machine, and rotate any credentials, sessions, and keys that were present on it. The broader lesson is uncomfortable: even the most conventional software downloads from official sites carry risk. When the distribution channel itself is subverted, the user sees only a familiar, correctly signed utility while unknowingly handing over a foothold for espionage and credential theft.
