CPUID's Own Site Served Malware Instead of CPU-Z for 6 Hours — Nobody Noticed

:shield: CPUID’s Own Site Served Malware Instead of CPU-Z for 6 Hours — Nobody Noticed

The most trusted hardware tool site on the planet got turned into a drive-by malware shop. And they found out from Reddit.

For 6 hours on April 9-10, anyone who downloaded CPU-Z or HWMonitor from the official CPUID website got a remote access trojan called STX RAT instead. The attackers hijacked a backend API, swapped out download links, and hosted the fake files on Cloudflare R2 storage.

Look, if you’ve ever built a PC, overclocked a chip, or just wanted to check your temps — you’ve used CPU-Z or HWMonitor. Hundreds of millions of downloads. THE standard tools. And for a solid 6 hours, the official site was just… handing out malware. Not some shady mirror. The real deal. CPUID dot com.

CPU-Z Hijack


🧩 Dumb Mode Dictionary
Term What It Actually Means
CPU-Z / HWMonitor Free apps that tell you your computer’s temperature, speed, and hardware specs. Like a health checkup for your PC
STX RAT A remote access trojan — basically a backdoor that lets hackers control your computer from somewhere else
DLL Sideloading Sneaking a bad file next to a good file so the good one accidentally loads the bad one when it runs
Cloudflare R2 Cloud storage from Cloudflare. Cheap, fast, and in this case used by the attackers to host the fake downloads
C2 Server Command and Control — the hacker’s home base that the malware calls back to for instructions
Reflective PE Loading Running a program entirely in your computer’s memory so it never touches the hard drive (harder to detect)
Watering Hole Attack Poisoning a website that your target already trusts and visits regularly, instead of phishing them directly
🔍 How They Got In

Real talk: the attackers didn’t touch the actual CPU-Z or HWMonitor source code. The real files, the digital signatures, the build process — all untouched.

What they DID hit was a “side API” that CPUID uses to serve download links on the website. Think of it like this: the safe has the real goods, but someone hacked the directory sign that points you to the safe. You walk through the wrong door and grab a booby-trapped package instead.

  • The compromised API randomly replaced legit download links with malicious ones
  • Fake files were hosted on Cloudflare R2 storage (cheap, anonymous, hard to trace fast)
  • One giveaway: a download called “HWiNFO_Monitor_Setup.exe” — that’s not even the right product name
  • Window: April 9, 15:00 UTC to April 10, 10:00 UTC

CPUID’s founder Samuel Demeulemeester confirmed the breach on X and said investigations are ongoing.

🦠 What the Malware Actually Does

Kaspersky’s team broke it down and it’s a five-stage payload that runs entirely in memory. Here’s the chain:

  1. You run the fake installer — it looks legit, even has a signed executable inside
  2. A malicious DLL called CRYPTBASE.dll gets loaded alongside it (DLL sideloading)
  3. The DLL runs anti-sandbox checks (making sure it’s not being analyzed in a lab)
  4. Connects to a command-and-control server
  5. Drops the final payload: STX RAT — entirely in memory, using XOR decryption and layered bitwise transformations

The real target? Your browser data. Researchers saw it poking at Google Chrome’s IElevation COM interface — which is the key to pulling saved passwords, cookies, and autofill data out of Chrome.

So if you logged into your bank, your email, your crypto exchange through Chrome… yeah. That’s what they were after.

📊 The Receipts
What Details
Attack window 6 hours (April 9, 3pm UTC → April 10, 10am UTC)
Products affected CPU-Z, HWMonitor, HWMonitor Pro, PerfMonitor, PowerMAX
Malware delivered STX RAT (remote access trojan)
Delivery method DLL sideloading via fake installer
Hosting Cloudflare R2 storage
Primary target Browser credentials (Chrome specifically)
Attacker skill level Low (reused old infrastructure from a fake FileZilla campaign)
Who found it Reddit users + antivirus flags
Original files compromised? No — builds and signatures untouched
🗣️ What the Timeline's Saying
  • Security researchers called this a classic watering hole attack — poison the well everyone drinks from
  • Tom’s Hardware noted the irony: the attackers were dumb enough to reuse the same C2 domains and infection chain from their old FileZilla scam
  • Multiple researchers pointed out that if this had been a more skilled group, it could’ve gone undetected for weeks instead of hours
  • The file was literally named wrong (“HWiNFO” instead of “HWMonitor”) — that’s what tipped people off. Amateur hour
  • CPUID has ~200 million total downloads across its tools. Even 6 hours on a site that big means thousands of potential victims
💡 Why This Is Bigger Than One Bad Download

Look, this isn’t just about CPU-Z. This is the playbook repeating itself.

Remember the SolarWinds hack? Same idea, bigger scale. You don’t attack the user — you attack the thing the user trusts. Supply chain attacks are the move now because we’ve gotten better at spotting phishing emails but we STILL blindly trust “Download from the official site.”

The scary part? The attacker here was bad at their job. They reused old infrastructure. They named the file wrong. They got caught in 6 hours. Imagine what a competent crew does with the same access.

And here’s the kicker nobody’s talking about: CPUID is a one-dev project. Samuel Demeulemeester is basically solo. Most of the free tools the entire PC community relies on are built by tiny teams with zero security budget. That’s the real vulnerability.


Cool. A trusted download site went rogue for half a workday. Now What the Hell Do We Do? ( ͡ಠ ʖ̯ ͡ಠ)

Hardware Check

🔗 The Hash Verification Middleman

Real talk: 99% of people download software and just… run it. No hash check. No signature verification. Nothing. But after incidents like this, companies and IT departments are DESPERATE for a tool that automatically verifies downloads against known-good hashes before they touch a system.

The play: build a browser extension or lightweight proxy that intercepts every .exe/.msi download, checks the SHA-256 hash against a community-maintained database, and throws a red flag if it doesn’t match. Charge IT departments $3/seat/month. Free tier for individuals.

:brain: Example: A 24-year-old developer in Bucharest builds “HashGuard” as a Chrome extension. Submits it to ProductHunt the week after the CPUID incident. Gets picked up by 3 MSPs (managed IT companies) in the first month. 400 seats at $3/each = $1,200/month recurring before writing a single line of marketing copy.

:chart_increasing: Timeline: First paying customer in 2 weeks (IT managers are paranoid RIGHT NOW). Plateau at ~$5K/month unless you land enterprise contracts. Window is 3-4 months while supply chain attacks stay in the news cycle.

🕳️ The Watering Hole Watchdog

Here’s something wild: there’s no public service that continuously monitors popular download pages for link changes. Not the files — the LINKS. The exact attack vector CPUID got hit with.

Set up a scraper that checks the top 500 free software download pages every 15 minutes. Compare download URLs against a known-good baseline. The SECOND a link changes without a version bump? Alert. You now have a monitoring service that catches watering hole attacks faster than the site owners themselves.

Sell it to security teams as a threat intelligence feed. Or just build a free public dashboard and monetize with a “priority alerts” tier.

:brain: Example: A 2-person security team in Tallinn, Estonia sets up Uptime Kuma + custom Python scripts to monitor 200 download pages. They catch a similar link swap on a smaller tool site 3 weeks later. That one catch becomes their entire marketing case study. Lands them 15 enterprise subscribers at $200/month.

:chart_increasing: Timeline: Working prototype in 5 days (it’s just web scraping with diff checks). First real detection makes you credible overnight. Hits $3K/month in 8-10 weeks. Stays relevant as long as supply chain attacks keep happening (so… forever).

🎣 The Forensics-as-a-Service Flip

Thousands of people downloaded malware from CPUID and most of them have no idea. They don’t know if their browser passwords got stolen. They don’t know if STX RAT is still sitting in their memory. And most of them aren’t paying $300/hour for an incident response firm.

The flip: build a $19 “Am I Compromised?” scan specifically for this incident. A lightweight tool that checks for the specific IOCs (indicators of compromise) — the C2 domains, the CRYPTBASE.dll hash, the Chrome IElevation artifacts. Package the published Kaspersky IOCs into a dead-simple scanner. Sell it on Gumroad or your own landing page.

:brain: Example: A freelance malware analyst in Nairobi packages the known STX RAT indicators into a PowerShell script with a nice GUI wrapper. Posts it on Reddit’s r/techsupport and r/buildapc the day the story breaks. 600 sales at $19 in the first week = $11,400. Total development time: one weekend.

:chart_increasing: Timeline: Must ship within 72 hours of the news cycle for maximum panic-buying. Revenue drops 90% after 2 weeks. But that initial burst funds your next project. Rinse and repeat with every major supply chain incident.

📡 The Software Supply Chain Audit Niche

(I’ve been watching this space heat up for 2 years now.) Every company that ships software — even small ones — is now terrified of being the next CPUID. They need someone to audit their download infrastructure, not their code. Nobody checks whether the API that serves download links is hardened. Nobody.

Position yourself as the “download pipeline auditor.” You don’t need to be a full pentest firm. You just need to check: Are download links served from a separate, hardened system? Are there integrity checks between the build server and the download page? Is there monitoring for link changes?

Most small software companies fail ALL THREE. Charge $500-$2,000 per audit. It’s a 2-day job max.

:brain: Example: A security consultant in São Paulo emails 50 popular free Windows utilities (think Notepad++, 7-Zip, VLC) — “Hey, CPUID just got hit. Want me to check if your download infrastructure has the same weakness? $1,000, 48-hour turnaround.” 6 out of 50 say yes. $6,000 in a week from cold emails.

:chart_increasing: Timeline: First client in 1 week via cold outreach. Sustainable at $4-8K/month if you keep up the outreach. Becomes a real consultancy if you systemize the checklist and hire junior auditors.

🪟 The Patch Window Archivist

Here’s the angle nobody thinks about. When a popular tool gets compromised, every sysadmin on the planet needs to know: “Did I download it during the bad window?” But download logs are garbage. Browser history gets cleared. People don’t remember.

Build a browser extension that passively logs every download with a timestamp and source URL. NOT a keylogger. NOT a spy tool. Just a timestamped receipt of what you downloaded and from where. When incidents like CPUID happen, users can instantly check: “Did I grab CPU-Z during the 6-hour window? Let me check my download ledger.”

Privacy-first, local-only storage, open source the core. Charge for the team/enterprise version that syncs to a dashboard.

:brain: Example: A developer in Krakow, Poland builds “DownloadLedger” as an open-source Firefox/Chrome extension. Posts it on Hacker News and GitHub. Gets 3,000 stars in the first month. Enterprise version with team dashboard launches at $5/user/month. Three small MSPs adopt it. $2,500/month by month two.

:chart_increasing: Timeline: MVP in one weekend (it’s a browser extension that writes to IndexedDB). Enterprise traction in 6-8 weeks. Long-term play — this becomes more valuable with every supply chain incident that drops.

🛠️ Follow-Up Actions
Want To… Do This
Check if you downloaded during the bad window Look for any file named “HWiNFO_Monitor_Setup.exe” in your Downloads folder from April 9-10
Scan for STX RAT specifically Check Kaspersky’s published IOCs and run them against your system
Get clean copies of CPU-Z / HWMonitor Download fresh from cpuid.com — confirmed clean as of April 11
Verify any .exe download in the future Use VirusTotal — drag and drop before you run anything
Protect stored browser passwords Switch to a dedicated password manager like Bitwarden (free) instead of Chrome’s built-in one
Monitor popular download sites for tampering Set up Uptime Kuma with URL change detection

:high_voltage: Quick Hits

Want Do
:magnifying_glass_tilted_left: Check if you’re hit Search your Downloads folder for “HWiNFO_Monitor_Setup.exe” dated April 9-10
:locked_with_key: Protect browser passwords NOW Move everything to Bitwarden — it’s free and Chrome’s password store is literally what this malware targeted
:shield: Verify future downloads Drag every .exe through VirusTotal before running it. Takes 10 seconds
:money_bag: Flip the panic Build an incident-specific scanner and sell it while the news is hot
:satellite_antenna: Long game The “download infrastructure audit” niche is wide open — every small dev shop is scared right now

The official site was the attack. The download button was the weapon. And the only thing that saved people was a wrong filename. Sleep tight.

2 Likes