A major security incident has hit users of popular PC tools after hackers briefly compromised the official website of CPUID. The attackers replaced legitimate downloads of CPU-Z and HWMonitor with malware-infected files in what appears to be a supply-chain-style attack.
The breach reportedly lasted for about six hours. During this time, users downloading the tools from the official site were unknowingly served malicious installers instead of clean files.
The issue first came to light when a Reddit user noticed suspicious behavior while updating HWMonitor version 1.63. The downloaded file had a misleading name and triggered security warnings. When executed, it showed a Russian-language installer, clearly indicating something was wrong.
CPUID later confirmed that both CPU-Z and HWMonitor downloads were affected. In the case of CPU-Z, the attackers used a more advanced method. The malicious package included the original CPU-Z files but added a fake DLL named “CRYPTBASE.dll” next to the executable. Because Windows searches an application's own directory before the system directory for most DLLs, launching CPU-Z loaded the planted file instead of the genuine one. This allowed the malware to run silently in the background without raising immediate suspicion.
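The CPU-Z package described above is a textbook DLL search-order hijack: a file that Windows normally supplies from System32 is shipped beside the executable, so it wins the search. A practical check before running any downloaded tool is to look for exactly that pattern. The script below is an added example written for this article, not CPUID's code and not part of any analysis the article cites. It walks an extracted package, flags any DLL that sits in the same directory as an .exe and shares its name with a system DLL, and records its SHA-256 so the file can be compared against what the vendor publishes. The watch list `DEFAULT_SYSTEM_DLLS` is an assumption (CRYPTBASE.dll is the name from the incident; the other entries are further well-known Windows system DLLs), and on Windows it is widened to the real contents of `%SystemRoot%\System32`. The sample package it builds is constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed watch list: DLLs that Windows ships in System32 and that a portable
# tool or installer has no reason to bundle. "cryptbase.dll" is the name from
# the CPU-Z incident; the rest are further examples of the same class.
DEFAULT_SYSTEM_DLLS = frozenset({
    "cryptbase.dll", "version.dll", "dwmapi.dll", "uxtheme.dll", "winmm.dll",
})


def load_system_dll_names(system32_dir=None):
    """Return lower-cased names of DLLs that Windows itself provides.

    On Windows the real System32 listing is used (plus the default list);
    anywhere else, or if the directory cannot be read, the default list alone
    is returned so the check still runs in a lab on a non-Windows host.
    """
    if system32_dir is None:
        root = os.environ.get("SystemRoot")
        if not root:
            return set(DEFAULT_SYSTEM_DLLS)
        system32_dir = Path(root) / "System32"
    system32_dir = Path(system32_dir)
    if not system32_dir.is_dir():
        return set(DEFAULT_SYSTEM_DLLS)
    names = {p.name.lower() for p in system32_dir.iterdir()
             if p.suffix.lower() == ".dll"}
    return names | set(DEFAULT_SYSTEM_DLLS)


def sha256_of(path):
    """SHA-256 hex digest of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_shadowed_dlls(package_dir, system_dlls=None):
    """Return [(relative_path, sha256)] for every DLL in the package that
    (a) sits in a directory that also contains an .exe, and
    (b) has the same file name as a DLL Windows provides from System32.

    For DLLs not on the KnownDLLs list, the loader searches the application's
    directory before System32, so such a file is loaded in place of the
    genuine one. A DLL with a system name in a directory with no executable
    is not flagged, since nothing there would load it.
    """
    if system_dlls is None:
        system_dlls = load_system_dll_names()
    package_dir = Path(package_dir)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(package_dir):
        if not any(n.lower().endswith(".exe") for n in filenames):
            continue
        for name in sorted(filenames):
            if name.lower().endswith(".dll") and name.lower() in system_dlls:
                full = Path(dirpath) / name
                findings.append((str(full.relative_to(package_dir)),
                                 sha256_of(full)))
    return findings


def build_sample_package(base):
    """Construct a fake extracted package (placeholder bytes, not real binaries)
    that mirrors the incident: the tool's .exe with a CRYPTBASE.dll beside it,
    a legitimate helper DLL, and a system-named DLL in a data folder with no
    executable (which must not be flagged)."""
    base = Path(base)
    (base / "data").mkdir(parents=True, exist_ok=True)
    (base / "cpuz.exe").write_bytes(b"placeholder exe")
    (base / "CRYPTBASE.dll").write_bytes(b"placeholder planted dll")
    (base / "helper.dll").write_bytes(b"placeholder vendor dll")
    (base / "data" / "version.dll").write_bytes(b"placeholder stray dll")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        pkg = build_sample_package(tmp)
        for rel, digest in find_shadowed_dlls(pkg, DEFAULT_SYSTEM_DLLS):
            print(f"SUSPECT {rel}  sha256={digest}")
```

Run it against the folder where you extracted the download (pass `None` as the second argument on a Windows host so the full System32 listing is used). A hit is not proof of compromise on its own, but a system DLL name beside the main executable is exactly the indicator the CPU-Z package showed, and the hash gives you something concrete to compare against the vendor's published checksums.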
Security analysis found that the payload was a variant of Alien RAT. This type of malware operates mainly in system memory, which makes it harder for antivirus tools to detect.
Once active, it targeted web browsers, especially Google Chrome. The malware attempted to extract saved passwords, login tokens, and other sensitive data. It also used PowerShell to connect to a remote command and control server for further instructions.
Interestingly, the attackers did not breach CPUID’s core systems or software code. Instead, they took control of a secondary API used on the website. This allowed them to redirect download links to a malicious storage location hosted via Cloudflare. As a result, users clicking the official download buttons were sent infected files without any visible signs of tampering.
After the issue was reported, CPUID quickly took its website offline. The company identified the compromised API, fixed the vulnerability, and restored clean download links.
The original software files themselves were not altered. The attack was limited to the distribution process.
Anyone who downloaded CPU-Z or HWMonitor between April 9 and April 10 should assume their system may be compromised and act immediately to clean it. They should reinstall Windows, log out of all active sessions, and change all account passwords. Logging out of sessions matters because stolen browser tokens can give attackers access to accounts even without the password, so changing passwords alone is not enough.