AfterDawn: Tech news

CPU-Z and HWMonitor official download links hijacked, malware included

Written by Petteri Pyyny @ 12 Apr 2026 2:13

For the past few years, there have been warnings online that software should always be downloaded from trusted sources - and preferably from the developers' own websites.
But even this advice doesn't always help.

The official website for HWMonitor and CPU-Z, hugely popular programs among PC enthusiasts, was successfully hijacked. Both programs are developed by the same company, CPUID, and both programs are available for download through the same site.

The perpetrators who hijacked the site did not cause any easily noticeable damage to the sites; instead, they only changed the official download links for both programs to point to fake download files containing malware. The issue came to light when users who had downloaded the programs started complaining on social media about how antivirus software completely freaked out over recently downloaded CPU-Z or HWMonitor. Some users also contacted CPUID directly.

CPUID managed to rectify the situation six hours after the site's download links were changed to point to installation files containing malware. However, users who downloaded either program from its official site between April 9, 2026, and April 10, 2026, also received malware on their computers as a bonus with the program. According to the company's statement (X/Twitter), the incident was caused by a vulnerability in CPUID's API interface, which attackers successfully exploited.

The attackers did not manage to modify the actual, legitimate installation files in any way; instead, users' downloads were redirected to unofficial installers - that is, files that bundled malware together with the genuine CPU-Z or HWMonitor installer.

The malicious installer contained a fake CRYPTBASE.DLL file, which masqueraded as a Windows system component. This file connected to a command-and-control server and downloaded additional malware code onto the victim's machine. Particularly concerning was that the malware avoided writing itself to disk as much as possible and operated mainly in the computer's RAM, for example by running PowerShell commands. This allowed it to evade many traditional, file-based anti-malware detection methods.
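The fake CRYPTBASE.DLL described above relies on the application loading a DLL that sits next to its own executable instead of the genuine copy in the Windows system directory. The script below is an added defensive example, not code from the article or from CPUID: it walks an installed application's folder, looks for files carrying the name of a watched system DLL, and flags any whose SHA-256 differs from the copy in the system directory. The watch list (only CRYPTBASE.DLL, taken from the article), the directory names and the placeholder file contents in the demo are constructed assumptions; on a real Windows host you would point `system_dir` at `C:\Windows\System32` and `app_dir` at the program's install folder.

```python
import hashlib
import tempfile
from pathlib import Path

# DLL names to compare against the system copy. Only CRYPTBASE.DLL comes from
# the article; extending this set is an assumption left to the reader.
WATCHED_DLLS = {"cryptbase.dll"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_sideload_candidates(app_dir: Path, system_dir: Path, watched=WATCHED_DLLS):
    """Return (dll_path, reason) pairs for DLLs under app_dir that carry a watched
    system DLL name but do not match the system directory's copy byte for byte.

    Name comparison is case-insensitive so the check behaves the same on
    Windows (case-insensitive NTFS) and on a case-sensitive test filesystem.
    """
    # Index the system directory once, keyed by lower-cased file name.
    system_index = {p.name.lower(): p for p in system_dir.iterdir() if p.is_file()}
    findings = []
    for entry in app_dir.rglob("*"):
        if not entry.is_file() or entry.name.lower() not in watched:
            continue
        system_copy = system_index.get(entry.name.lower())
        if system_copy is None:
            # A watched name shipped by the app with nothing to compare against
            # still deserves a look: a genuine system DLL normally lives in System32.
            findings.append((entry, "watched DLL name present, no system copy to compare"))
            continue
        if sha256_file(entry) != sha256_file(system_copy):
            findings.append((entry, "hash differs from system copy"))
    return findings


def demo():
    """Constructed scenario: one application folder that ships its own, different
    CRYPTBASE.DLL (flagged) and one that ships an exact copy of the system DLL
    (not flagged). The file contents are placeholders, not real binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        system_dir = root / "System32"
        suspicious_app = root / "suspicious_app"
        clean_app = root / "clean_app"
        for folder in (system_dir, suspicious_app, clean_app):
            folder.mkdir()

        genuine = b"GENUINE-DLL-PLACEHOLDER"
        (system_dir / "cryptbase.dll").write_bytes(genuine)
        (system_dir / "kernel32.dll").write_bytes(b"OTHER-SYSTEM-DLL-PLACEHOLDER")

        # Suspicious: same name as the system DLL, different contents, next to the EXE.
        (suspicious_app / "CPUID_tool.exe").write_bytes(b"APP-EXE-PLACEHOLDER")
        (suspicious_app / "CRYPTBASE.DLL").write_bytes(b"UNEXPECTED-DLL-PLACEHOLDER")

        # Clean: identical bytes to the system copy, so nothing is reported.
        (clean_app / "CPUID_tool.exe").write_bytes(b"APP-EXE-PLACEHOLDER")
        (clean_app / "cryptbase.dll").write_bytes(genuine)

        flagged = find_sideload_candidates(suspicious_app, system_dir)
        clean = find_sideload_candidates(clean_app, system_dir)
        return (
            [(p.name, reason) for p, reason in flagged],
            [(p.name, reason) for p, reason in clean],
        )


if __name__ == "__main__":
    for path, reason in demo()[0]:
        print(f"{path}: {reason}")
```

A hash mismatch alone does not prove malice (a vendor may legitimately ship a differently versioned DLL), so treat a hit as a lead for further analysis: check the file's Authenticode signature and compare its version resource with the system copy before deciding.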

Based on analyses by third parties (X/Twitter), the primary goal of the malware was to steal usernames and passwords stored in browsers - especially Chrome. The malicious code was observed interacting with Chrome's API, which can be used to decrypt and collect passwords.

Windows' own antivirus, Windows Defender, and other common antivirus programs detected the malware as soon as the installer was run. Thus, damage has primarily occurred to those users who chose to disregard the antivirus warnings and installed the infected version of CPU-Z or HWMonitor anyway.

According to CPUID, it cannot estimate how many users downloaded the infected installer from its site during those six hours. However, if you installed or updated either program on April 9th or 10th, it is recommended to run an antivirus scan on your computer immediately.
