The CPUID website, known for popular utilities like CPU-Z and HWMonitor, is at the center of a security breach affecting its software supply chain. Users who have downloaded HWMonitor 1.63 or CPU-Z since early April have reportedly been exposed to trojanized installers. These malicious files can deploy harmful DLLs, evade antivirus detection through memory-based execution, and connect to attacker-managed infrastructure.
Details of the Security Incident
On April 10, 2026, discussions emerged on platforms like Reddit, highlighting a troubling trend. Users attempting to download HWMonitor from the official CPUID site found themselves receiving a file named HWiNFO_Monitor_Setup.exe instead of the expected hwmonitor_1.63.exe. This discrepancy in filenames seems to be a deliberate attempt to confuse users by merging names of reputable hardware monitoring tools—CPUID and HWMonitor.
Chris Titus, a technology content creator, confirmed the compromise of both CPU-Z and HWMonitor. Via social media, he emphasized the sophisticated nature of the malware, which originates from the compromised CPUID domain.
Technical Mechanisms Behind the Threat
Community reports also indicated Windows Defender alerts, Russian text within installation dialogs, and multiple detections on VirusTotal. The malicious payload primarily employs DLL hijacking, with cryptbase.dll frequently observed, allowing for persistent and stealthy operations by circumventing traditional antivirus checks.
The exact method of compromise has not yet been fully determined. The CPUID website serves HWMonitor files from separate infrastructure: the setup installer comes from download.cpuid.com, while the ZIP files come from a Cloudflare R2 domain. This separation may indicate the point at which the files were manipulated.
Recommended User Actions and Future Outlook
At this time, download links on cpuid.com return 404 errors, possibly indicating that the site operators have removed the affected files. CPUID has yet to release an official statement but is reportedly investigating the issue. Security experts have flagged the installer samples on VirusTotal as multi-stage threats, urging users to exercise caution.
Users are advised to refrain from downloading from cpuid.com until a verified resolution is announced. Those who downloaded the tools after April 3, 2026, should scan their systems immediately and look for cryptbase.dll as a compromise indicator. Switching to HWiNFO, a reliable alternative, is also recommended. This incident shows that even trusted diagnostic tools can pose a risk when the infrastructure that distributes them is compromised.
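Windows ships its own cryptbase.dll in its system directories, so the useful check is for copies anywhere else. The script below is an added example, not code from CPUID or from the reports above; it lists such copies with their signature status and SHA-256 for triage. Searching the whole system drive and using file creation time against the April 3, 2026 date are assumptions made for this example.

```powershell
# Added example: find copies of cryptbase.dll outside the Windows system
# directories, the pattern a DLL-hijacking payload leaves behind.
param(
    # Assumption: search the whole system drive; narrow this to speed things up.
    [string[]]$Roots = @("$env:SystemDrive\")
)

$dllName = 'cryptbase.dll'
# Downloads after this date are the ones the article says are at risk.
$cutoff  = [datetime]'2026-04-03'

# Locations where Windows itself legitimately keeps this DLL.
$trusted = 'System32', 'SysWOW64', 'WinSxS' |
    ForEach-Object { (Join-Path $env:SystemRoot $_) + '\' }

function Test-TrustedLocation {
    param([string]$Path)
    foreach ($dir in $trusted) {
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$findings = foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -Filter $dllName -File -Recurse -Force `
                  -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-TrustedLocation $_.FullName) } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path        = $_.FullName
                Created     = $_.CreationTime
                AfterCutoff = $_.CreationTime -ge $cutoff   # heuristic only
                SigStatus   = $sig.Status                   # 'Valid' is expected for a genuine copy
                Signer      = $sig.SignerCertificate.Subject
                SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($findings) {
    $findings | Sort-Object Created | Format-List
} else {
    Write-Output "No $dllName found outside the Windows system directories."
}
```

Run it from an elevated PowerShell prompt so other users' profiles are readable. A hit with a SigStatus other than Valid, particularly one sitting next to an installer or application executable, should be treated as suspect and the host investigated further.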
