CPUID Hacked: CPU-Z and HWMonitor Downloads Served Malware
Hackers compromised a **CPUID** API, injecting malicious download links on the official website for popular utilities like **CPU-Z** and **HWMonitor**. Users reported downloading trojanized versions, prompting an investigation into the incident.

Attackers gained unauthorized access to an API associated with the **CPUID** project, leading to the distribution of malware through manipulated download links on the official website. The affected software includes the widely-used **CPU-Z** and **HWMonitor** tools, which are relied upon by millions for hardware monitoring and system specification analysis.
### Trojanized Downloads
Reports surfaced on Reddit about the official download portal redirecting users to a **Cloudflare** R2 storage service, serving a trojanized version of **HWiNFO**, a diagnostic and monitoring tool developed by a different vendor.
The malicious file, named `HWiNFO_Monitor_Setup`, exhibits suspicious behavior, including launching a Russian-language installer built with Inno Setup. This deviates from the genuine installation process and is a clear red flag.
Users noted that downloading the genuine `hwmonitor_1.63.exe` directly from its URL remained possible, suggesting that the original binaries were not directly compromised. However, the distribution links were clearly poisoned to serve the malicious payload.
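A defender-side check for the two signals described above (a download chain that leaves the vendor's domain, and a served file whose name does not match the product that was requested), added here as an illustrative example and not code from CPUID or from the researchers who analyzed the incident; the trusted host list, the sample hostnames and the file extensions are assumptions:

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts the vendor is expected to serve downloads from (assumption: the
# official site only; extend with the vendor's real CDN hosts if known).
TRUSTED_HOSTS = {"cpuid.com", "www.cpuid.com"}


@dataclass
class DownloadEvent:
    hops: list            # redirect targets in order; the last one served the file
    served_filename: str  # from Content-Disposition or the final URL path
    expected_product: str # product the user asked for, e.g. "hwmonitor"


def host_is_trusted(url: str) -> bool:
    """True if the URL's host is a trusted host or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def audit_download(ev: DownloadEvent) -> list:
    """Return findings for a download chain; an empty list means it looks clean."""
    findings = []
    for hop in ev.hops:
        if not host_is_trusted(hop):
            findings.append(f"off-domain redirect to {urlparse(hop).hostname}")
            break  # one off-domain hop is enough to poison the chain
    if ev.expected_product.lower() not in ev.served_filename.lower():
        findings.append(
            f"filename masquerade: requested {ev.expected_product}, "
            f"served {ev.served_filename}"
        )
    return findings


# Constructed sample events modelled on the incident (the R2 hostname and
# the file extensions are placeholders, not observed indicators).
GOOD = DownloadEvent(
    hops=[],
    served_filename="hwmonitor_1.63.exe",
    expected_product="hwmonitor",
)
BAD = DownloadEvent(
    hops=["https://bucket-placeholder.r2.example/HWiNFO_Monitor_Setup.exe"],
    served_filename="HWiNFO_Monitor_Setup.exe",
    expected_product="hwmonitor",
)

if __name__ == "__main__":
    for ev in (GOOD, BAD):
        print(ev.served_filename, audit_download(ev) or "clean")
```

The subdomain test deliberately rejects look-alike hosts such as `cpuid.com.evil.example` or `evilcpuid.com`, which a plain substring match would accept.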
### Advanced Loader
Security researchers at Igor's Labs and @vxunderground confirmed that the download chain was redirected to an external host, and highlighted the involvement of a sophisticated loader employing known tactics, techniques, and procedures (TTPs).
>"As I began poking this with a stick, I discovered this is not your typical run-of-the-mill malware,"
>"This malware is deeply trojanized, distributes from a compromised domain (cpuid-dot-com), performs file masquerading, is multi-staged, operates (almost) entirely in-memory, and uses some interesting methods to evade EDRs and/or AVs such as proxying NTDLL functionality from a .NET assembly."
### Targeting Widely Used Utilities
The same threat group is suspected of targeting users of the **FileZilla** FTP solution last month, indicating a pattern of targeting widely adopted utilities to maximize impact.
The malicious ZIP archive has been flagged by multiple antivirus engines on **VirusTotal**, with some identifying it as Tedy Trojan or Artemis Trojan. Some researchers assess the fake **HWiNFO** variant as an infostealer.
### CPUID's Response
**CPUID** issued a statement acknowledging the breach:
>"Investigations are still ongoing, but it appears that a secondary feature (basically a side API) was compromised for approximately six hours between April 9 and April 10, causing the main website to randomly display malicious links (our signed original files were not compromised). The breach was found and has since been fixed." - **CPUID**
**CPUID** also noted that the incident occurred while the main developer was on holiday.
Currently, **CPUID** claims to have resolved the issue and is now distributing clean versions of both **CPU-Z** and **HWMonitor**.