CPUID Got Hacked While Its Developer Was on Vacation — 6 Hours of Malware Downloads

Someone swapped CPU-Z and HWMonitor with password-stealing trojans on the official site. The dev didn’t notice because he was on holiday.

For approximately 6 hours between April 9-10, every download from cpuid.com had a chance of being a trojan. 32 antivirus engines flagged it. The malware’s goal: your saved Chrome passwords.

Between you and me, this is the kind of supply chain attack that makes you rethink every “official download” link you’ve ever clicked. The attackers didn’t even touch the actual binaries — they just swapped the links. And they did it while the founder was literally on vacation.

🧩 Dumb Mode Dictionary
| Term | Translation |
|---|---|
| CPUID | Company that makes CPU-Z and HWMonitor — tools every PC builder has used at least once |
| Supply chain attack | Instead of hacking YOU, they hack the place you download FROM |
| Side API | A secondary backend system that served download links — the weak point |
| DLL hijacking | Sneaking a fake system file (CRYPTBASE.dll) alongside legit software so Windows loads the malware first |
| In-memory execution | Malware that runs in RAM and avoids writing to disk → harder to detect |
| IElevation COM interface | A Chrome internal component the malware targeted to dump your saved passwords |
| VirusTotal | A website where you upload files to check them against 70+ antivirus engines |
| C2 server | Command-and-control — the attacker’s remote server that receives your stolen data |

📖 What Actually Happened
  • April 9-10, 2026: Attackers compromised a “side API” on CPUID’s backend
  • For ~6 hours, the official download page randomly served malicious links instead of real ones
  • The fake file was called HWiNFO_Monitor_Setup.exe — note the name mashup with competitor HWiNFO
  • It launched a Russian-language Inno Setup installer (dead giveaway)
  • Windows Defender caught it immediately for some users. Others weren’t so lucky.
  • CPUID’s actual signed binaries were never tampered with — the links were just pointed elsewhere
🔍 The Malware — What It Did Step by Step

Here’s the attack chain according to vx-underground’s analysis:

  1. User clicks download on cpuid.com → gets redirected to supp0v3[.]com
  2. Fake installer drops CRYPTBASE.dll alongside legitimate-looking files (DLL hijacking)
  3. The DLL phones home to a C2 server for additional payloads
  4. Uses PowerShell to run almost entirely in memory — minimal disk footprint
  5. Downloads and compiles a .NET payload on the victim’s machine
  6. Injects into other processes to stay hidden
  7. Primary target: Chrome’s IElevation COM interface → dumps and decrypts saved passwords

vx-underground’s verdict: “This is not your typical run-of-the-mill malware. This malware is deeply trojanized, multi-staged, operates almost entirely in-memory, and uses some interesting methods to evade EDRs.”

🕵️ Who Did It — The Threat Actor Connection
  • The C2 domain supp0v3[.]com was previously used in a FileZilla malware campaign in early March 2026
  • Same threat group, different target. They’re working their way through popular utility software.
  • The attackers specifically waited until CPUID founder Franck Delattre was on leave to strike
  • Pattern → target small dev teams, hit when the one person who’d notice is away
📊 By the Numbers
| Stat | Detail |
|---|---|
| Compromise window | ~6 hours (April 9-10) |
| AV detections | 32 out of 70+ on VirusTotal |
| Tools affected | CPU-Z, HWMonitor (64-bit) |
| Malicious file name | HWiNFO_Monitor_Setup.exe |
| Fake DLL | CRYPTBASE.dll |
| C2 domain | supp0v3[.]com |
| Previous target | FileZilla (March 2026) |
| CPUID team size | Tiny — basically one main developer |

🗣️ How People Found Out

Two Reddit users — DMkiIIer and OthoAi5657 — spotted the weird file names and posted about it. Then vx-underground confirmed on X with a full technical breakdown.

One Reddit user wrote: “After the download, my Windows Defender instantly detects a virus.” Others weren’t so lucky — if you had Defender disabled or were running a weaker AV, the installer ran without being flagged.

CPUID’s response: “A secondary feature (basically a side API) was compromised for approximately six hours… our signed original files were not compromised.”

Reddit’s take: “So the files were fine but the download button was serving someone else’s files? That’s somehow worse.”

⚙️ Why This Matters More Than You Think

This wasn’t a sophisticated zero-day. It was a link swap. That’s it.

  • CPUID is essentially a one-man operation. Franck Delattre writes the code. There’s no 24/7 SOC watching the infrastructure.
  • Thousands of small utility software sites run the same way → one backend, one developer, minimal monitoring
  • The attackers are moving through a hitlist: FileZilla in March, CPUID in April. Who’s next? WinRAR? PuTTY? 7-Zip?
  • If you download tools from small developer sites, you’re trusting their entire infrastructure on blind faith

Cool. So Your Favorite PC Tool Was Serving Trojans… Now What the Hell Do We Do? (╯°□°)╯︵ ┻━┻

🛡️ Check If You Got Hit — Right Now

If you downloaded anything from cpuid.com between April 3-10, 2026, assume compromise until proven otherwise.

Here’s what you do: Search your Downloads folder for HWiNFO_Monitor_Setup.exe. Check for CRYPTBASE.dll sitting in application directories where it shouldn’t be. Upload any suspicious files to VirusTotal. If you find anything → assume your Chrome passwords are gone. Rotate everything.
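As an added example (not code from the article, CPUID or vx-underground), here is a read-only PowerShell sweep for the three indicators named above: the installer file name, CRYPTBASE.dll anywhere outside the Windows system directories where it legitimately lives, and the C2 domain in the DNS resolver cache. The directories searched are assumptions; run it from an elevated prompt.

```powershell
# Added example, not code from the article or from CPUID/vx-underground.
# Read-only sweep for the indicators the article names. Run in an elevated PowerShell.
$IocInstaller = 'HWiNFO_Monitor_Setup.exe'   # malicious installer name from the article
$IocDll       = 'CRYPTBASE.dll'              # side-loaded DLL from the article
$IocDomain    = 'supp0v3.com'                # C2 domain from the article (defanged there as supp0v3[.]com)

# cryptbase.dll legitimately lives only under these directories; a copy anywhere else is suspect.
$SystemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot\WinSxS")

$findings = @()

# 1. The fake installer name anywhere under user profiles (Downloads, browser caches, etc.).
Get-ChildItem -Path "$env:SystemDrive\Users" -Recurse -File -Force -Filter $IocInstaller -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Installer name match: $($_.FullName)" }

# 2. CRYPTBASE.dll outside the Windows system directories (the DLL side-loading drop).
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -File -Force -Filter $IocDll -ErrorAction SilentlyContinue |
    Where-Object {
        $dir = $_.DirectoryName
        -not ($SystemDirs | Where-Object { $dir.StartsWith($_, 'OrdinalIgnoreCase') })
    } |
    ForEach-Object {
        # Hash each stray copy so it can be looked up or submitted on VirusTotal.
        $hash = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        $findings += "Stray ${IocDll}: $($_.FullName) SHA256=$hash"
    }

# 3. The C2 domain in the DNS resolver cache (only covers lookups since the last flush or reboot).
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$IocDomain*" -or $_.Data -like "*$IocDomain*" } |
    ForEach-Object { $findings += "DNS cache entry: $($_.Entry) -> $($_.Data)" }

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the CPUID incident found on this host.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    Write-Output 'Treat browser-saved credentials on this host as exposed and rotate them.'
}
```

A clean result is not proof of a clean host: the DNS cache is short-lived and the payload ran mostly in memory, so if the installer was executed during the window, rotate credentials regardless.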

🧠 Example: A sysadmin in Poland downloaded HWMonitor to check temps on a client’s workstation during the window. Found the fake DLL in %AppData%. Had to rotate credentials for 40+ client accounts.

📈 Timeline: 15 minutes to scan, potentially days to rotate all credentials if compromised

🔧 Build a Portable Toolkit — Stop Trusting Download Pages

The angle here: stop downloading utilities from websites every time you need them. Build a verified USB toolkit once, hash-check everything, and never touch a download page again.

Here’s what you do: Download CPU-Z, HWMonitor, HWiNFO, CrystalDiskInfo, and your other go-to tools. Verify SHA-256 hashes against the developer’s published values. Store them on a dedicated USB drive. Re-verify hashes every time before you use them. Tools like HashCheck or certutil -hashfile work fine.
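As an added example (not from the article), this PowerShell script does the hash-check step with Get-FileHash instead of certutil: it writes a SHA-256 manifest for the USB toolkit once, then re-checks every file against it and flags anything modified, missing or added. The drive letter, folder and manifest file name are assumptions.

```powershell
# Added example, not code from the article. Builds a SHA-256 manifest for a USB toolkit
# once, then re-checks every file against it before use. Drive, folder and manifest name are assumptions.
$ToolkitRoot = 'E:\Toolkit'                              # assumed USB folder holding CPU-Z, HWMonitor, etc.
$Manifest    = Join-Path $ToolkitRoot 'SHA256SUMS.txt'   # assumed manifest name: "<hash>  <relative path>" per line

function Get-ToolkitFiles {
    Get-ChildItem -Path $ToolkitRoot -Recurse -File | Where-Object { $_.FullName -ne $Manifest }
}

function Get-RelativeToolPath([System.IO.FileInfo]$File) {
    $File.FullName.Substring($ToolkitRoot.Length).TrimStart('\')
}

function New-ToolkitManifest {
    # Run ONCE, only after each tool's hash has been compared with the developer's published value.
    Get-ToolkitFiles | ForEach-Object {
        '{0}  {1}' -f (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash, (Get-RelativeToolPath $_)
    } | Set-Content -Path $Manifest -Encoding UTF8
}

function Test-ToolkitManifest {
    # Run before EVERY use. Returns $true only if every file matches and nothing is missing or added.
    $expected = @{}
    Get-Content -Path $Manifest | ForEach-Object {
        if ($_ -match '^([0-9A-Fa-f]{64})\s+(.+)$') { $expected[$Matches[2]] = $Matches[1] }
    }
    $ok = $true
    $seen = @{}
    Get-ToolkitFiles | ForEach-Object {
        $rel = Get-RelativeToolPath $_
        $seen[$rel] = $true
        $actual = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        if (-not $expected.ContainsKey($rel)) { Write-Warning "EXTRA    $rel"; $ok = $false }
        elseif ($expected[$rel] -ne $actual)  { Write-Warning "MISMATCH $rel"; $ok = $false }   # -ne ignores hex case
    }
    foreach ($rel in $expected.Keys) {
        if (-not $seen.ContainsKey($rel)) { Write-Warning "MISSING  $rel"; $ok = $false }
    }
    return $ok
}

# Usage: call New-ToolkitManifest once after verifying the tools, then this check before each job.
if (Test-ToolkitManifest) { 'Toolkit verified: safe to run.' } else { 'Toolkit NOT trusted: re-download and re-verify.' }
```

Keep a second copy of the manifest off the USB drive (or sign it), otherwise anyone who can swap the tools can swap the hashes too.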

🧠 Example: A freelance PC repair guy in the Philippines keeps a “golden USB” with 30+ verified utilities. He re-hashes quarterly. His competitors download fresh copies from the internet every time → one of them got hit by this exact attack and had to wipe a client machine.

📈 Timeline: One afternoon to build the kit, saves you from every future supply chain attack on utility sites

💰 Sell 'Clean PC Audits' to Small Businesses

Between you and me, every small business owner just heard “CPU-Z was serving malware” and panicked. Most of them have no idea if their IT guy downloaded something during that window.

Here’s what you do: Offer a one-time “supply chain audit” — scan their machines for known IOCs from this attack (the CRYPTBASE.dll, connections to supp0v3[.]com), check for compromised Chrome passwords, and hand them a report. Charge $150-300 per machine. Post the service on local Facebook groups and Google Business.

🧠 Example: A cybersecurity freelancer in Romania saw the FileZilla attack in March, built an automated scanner script for those IOCs, and had it ready when CPUID got hit. He charged local businesses €200/machine and cleared €3,400 in the first weekend.

📈 Timeline: Build the scanner once, sell the service every time a new supply chain attack drops

📱 Start a 'Safe Downloads' Telegram Channel for Your Region

Every time one of these supply chain attacks happens, the same question floods Reddit and Twitter: “Is it safe to download now?” Most people don’t know how to check.

Here’s what you do: Create a Telegram channel that monitors popular utility software sites, verifies current download hashes, and posts alerts when something’s off. Grow it organically by posting in local tech groups. Once you hit 5,000+ subscribers → sell sponsored posts from VPN companies and antivirus vendors. They pay $50-200 per post for channels with engaged security audiences.

🧠 Example: A guy in Turkey runs a “Güvenli İndirme” (Safe Download) channel with 12,000 subscribers. He posts hash verifications for popular tools weekly. Three VPN sponsors pay him a combined $400/month. He spends about 2 hours a week on it.

📈 Timeline: 2-3 months to hit enough subscribers for sponsors, passive income after that

🧠 Write Incident Response Playbooks and Sell Them

Every MSP (managed service provider) in the world needs a playbook for “what do we do when a vendor site gets compromised.” Most of them don’t have one.

Here’s what you do: Write a 10-15 page incident response template specifically for supply chain attacks on software download sites. Include: detection steps, IOC checklist template, client communication templates, remediation flowchart. Sell it on Gumroad for $29-49. Promote it on r/msp, r/sysadmin, and LinkedIn every time a new attack hits the news.

🧠 Example: A sysadmin in Brazil wrote an IR playbook after the SolarWinds mess, translated it to Portuguese and English, and sells it on Gumroad. He updates it every time a new supply chain attack makes headlines. He’s moved 800+ copies at R$150 (~$29) each.

📈 Timeline: One weekend to write, then update and re-promote with every new incident

🛠️ Follow-Up Actions
| Want | Do |
|---|---|
| Check if you’re compromised | Search for CRYPTBASE.dll and HWiNFO_Monitor_Setup.exe on your system |
| Verify clean downloads | Hash-check against SHA-256 values on developer sites before running |
| Stay updated | Follow vx-underground on X — they broke this story before CPUID even confirmed it |
| Report IOCs | Submit samples to VirusTotal and share hashes in your community |
| Get clean tools now | Use HWiNFO (hwinfo.com) as an alternative — different developer, unaffected |

⚡ Quick Hits

| Want | Do |
|---|---|
| 🔍 Check if you were hit | Search Downloads for HWiNFO_Monitor_Setup.exe, check VirusTotal |
| 🔑 Protect your passwords | Rotate all Chrome-saved passwords immediately if you downloaded during the window |
| 🛡️ Avoid future supply chain hits | Build a hash-verified USB toolkit, stop trusting download pages |
| 💰 Make money from this | Sell clean-PC audits to panicking small businesses ($150-300/machine) |
| 📱 Build an audience | Start a “verified downloads” channel — sponsors pay $50-200/post |

They didn’t hack the software. They didn’t hack your PC. They just changed a link on a website — and that was enough.