Supply Chain Sabotage: Popular PC Tools CPU-Z and HWMonitor Hijacked to Distribute Malware


In a sophisticated six-hour window of compromise, the official CPUID website was hijacked to serve malicious payloads to thousands of enthusiasts and IT professionals downloading system monitoring utilities.

PARIS, FRANCE — The cybersecurity community is on high alert after CPUID, the developer of the ubiquitous system-profiling tools CPU-Z and HWMonitor, fell victim to a supply-chain-style attack. For approximately six hours on April 10, the official download links for these tools were surreptitiously redirected to external servers hosting malware-laden installers.

The breach is particularly significant due to the high level of trust users place in CPUID's software. CPU-Z is considered a standard utility for hardware enthusiasts, overclockers, and IT technicians worldwide. By compromising the source, attackers bypassed the traditional "skepticism" users apply to third-party download sites.

Who is affected

  • Individual PC Enthusiasts: Users who downloaded the tools for system monitoring during the window likely have compromised credentials and browser data.
  • Enterprise IT Departments: Admins using these tools for hardware auditing on company workstations may have inadvertently introduced malware into the corporate network.
  • Software Developers: Small developers are being warned to implement stronger integrity checks and MFA on web servers to prevent "site-redirection" attacks.
  • Crypto Wallet Holders: The malware specifically targeted wallet files; anyone with local crypto storage should move funds to a new "cold" address immediately.

The Six-Hour Window of Infection

The attack was first flagged by members of the hardware community on forums like Level1Techs and Reddit, who noticed that the downloaded .exe files were significantly larger than usual and failed signature verification checks.

Investigation revealed that attackers gained unauthorized access to the CPUID web server, likely through a vulnerability in the site’s content management system or compromised administrative credentials. Once inside, they modified the download buttons to point to a remote IP address. The malicious versions of CPU-Z and HWMonitor were "bundled" with a sophisticated infostealer designed to exfiltrate browser cookies, saved passwords, and cryptocurrency wallet data.

Technical Signature: What to Look For

Security researchers noted that the malicious files were signed with a fraudulent certificate to mimic legitimacy. However, the hashes did not match the official releases documented by CPUID.

Key indicators of the compromise include:

  • File Size Discrepancy: Malicious installers were nearly 15 MB larger than the standard 2-3 MB official versions.
  • Signature Failures: Genuine CPUID software is signed by "CPUID" or "Franck Delattre." The malicious versions used various "no-name" or expired certificates.
  • Unusual Network Activity: Post-installation, infected systems attempted to communicate with a command-and-control (C2) server located on a known malicious hosting block.

CPUID has since regained control of the site, purged the malicious scripts, and issued a statement urging anyone who downloaded software between 10:00 AM and 4:00 PM CET on April 10 to perform a clean system wipe or utilize an offline malware scanner.


The CyberSignal Analysis

Signal 01 — The Trust-as-a-Vector Attack

This is a classic "Trust-as-a-Vector" attack. Attackers are moving away from phishing emails and toward compromising the very tools that professionals use to check their systems. If the utility you use to verify your hardware is the thing infecting you, the traditional security perimeter has effectively dissolved.

Signal 02 — The Criticality of Hash Verification

For years, "checking the hash" has been a niche practice for Linux users. This event proves it must become a standard Security Operations procedure for everyone. Developers should not only host files but also publish SHA-256 hashes on a separate, hardened domain or social media platform to provide a "second point of truth" for users.
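As an added illustration (not CPUID's own tooling), the following PowerShell script applies the three indicators named above, signer name, out-of-band SHA-256 and file size, to a downloaded installer before it is run. The signer names come from the article; the expected hash is a placeholder that must be replaced with the value CPUID publishes on its separate channel, and the 5 MB size ceiling is an assumption based on the 2-3 MB figure quoted above.

```powershell
# Added example, not CPUID's code: triage a downloaded CPU-Z/HWMonitor installer
# against the indicators from the article (Authenticode signer, published SHA-256, size).
param(
    [Parameter(Mandatory = $true)][string]$Path,
    # PLACEHOLDER: paste the SHA-256 from CPUID's out-of-band hash list here.
    [string]$ExpectedSha256 = '<paste-published-sha256-here>',
    # Assumption: genuine installers are 2-3 MB, so anything above 5 MB is suspicious.
    [int]$MaxExpectedBytes = 5MB
)

$findings = @()

# 1. Size sanity check (the malicious builds were roughly 15 MB larger than genuine ones).
$file = Get-Item -LiteralPath $Path
if ($file.Length -gt $MaxExpectedBytes) {
    $findings += "Size {0:N0} bytes exceeds expected maximum of {1:N0} bytes" -f $file.Length, $MaxExpectedBytes
}

# 2. Authenticode signature: must be Valid AND issued to the known CPUID signer,
#    since the rogue installers carried "no-name" or expired certificates.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
$subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
if ($sig.Status -ne 'Valid') {
    $findings += "Signature status is '$($sig.Status)' (signer: $subject)"
} elseif ($subject -notmatch 'CN=(CPUID|Franck Delattre)') {
    $findings += "Signature is valid but signer '$subject' is not the expected CPUID signer"
}

# 3. SHA-256 compared with the hash published on a separate, hardened channel.
$actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    $findings += "SHA-256 $actual does not match the published value"
}

if ($findings.Count -eq 0) {
    Write-Output "PASS: $Path matches size, signer and published hash"
    exit 0
}
Write-Output "FAIL: $Path"
$findings | ForEach-Object { Write-Output "  - $_" }
exit 1
```

A valid signature alone is not sufficient: the hash check is what catches a correctly signed file from the wrong signer, and the signer check is what catches a file whose "published" hash was served from the same compromised site.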


Sources

  • Original Reporting: BleepingComputer, "CPUID Supply Chain Attack"
  • Technical Intel: The Register, "CPUID Site Hijacked"
  • Consumer News: PCMag, "Hacker Hijacks PC Monitoring Tools"