CPU-Z and HWMonitor compromised

The website for CPUID, creators of popular system utilities like CPU-Z and HWMonitor, suffered a supply-chain attack. For approximately six hours, attackers compromised a backend API, redirecting users attempting to download these tools to malicious installers. This incident highlights a shift in attack vectors, moving beyond traditional software tampering to subverting trusted distribution channels.

• Attackers hijacked a secondary API on the CPUID website, causing legitimate download links for HWMonitor and CPU-Z to point to malicious files.
• The compromise occurred between April 9th and 10th for roughly six hours, with CPUID confirming the breach and stating their signed original software binaries were not directly affected.
• The malicious installer, specifically targeting 64-bit HWMonitor users, deployed a fake CRYPTBASE.dll. This DLL connected to a command-and-control server to fetch additional payloads.
• The malware operated largely in memory using PowerShell, compiled and injected .NET payloads into other processes, and was designed to steal browser data, including stored credentials from Google Chrome.
• Analysis suggests this attack is linked to the same threat group behind a recent FileZilla compromise, indicating a pattern of targeting trusted utilities and their distribution infrastructure.
• CPUID has since fixed the vulnerability, but details on how the API was compromised or the full extent of affected users remain undisclosed.

This incident serves as a stark reminder that even well-established software providers are susceptible to sophisticated supply-chain attacks that bypass the integrity of the software itself, instead targeting the delivery mechanism. Users are urged to exercise extreme caution when downloading software, even from official sources, and to consider the benefits of validated package managers.