Visitors to the CPUID website were briefly exposed to malware this week after attackers hijacked part of its backend, turning trusted download links into a delivery mechanism for something far less welcome.

The issue hit tools like HWMonitor and CPU-Z, with users on Reddit and elsewhere starting to notice something wasn't right when installers tripped antivirus alerts or showed up under odd names. One example that did the rounds had the HWMonitor 1.63 update pointing to a file called "HWiNFO_Monitor_Setup.exe," which is not what anyone went there to download, and a pretty clear sign that something upstream had been tampered with.

CPUID has since confirmed the breach, pinning it on a compromised backend component rather than tampering with its software builds.

"Investigations are still ongoing, but it appears that a secondary feature (basically a side API) was compromised for approximately six hours between April 9 and April 10, causing the main website to randomly display malicious links (our signed original files were not compromised)," one of the site's owners said in a post on X. "The breach was found and has since been fixed."

The files themselves appear to have been left alone and remain properly signed, so it doesn't seem like anyone got into the build process. Instead, the problem sat in front of that, in how downloads were being served.

For anyone who hit the site during that stretch, though, that distinction offers little comfort. If the link you clicked had been swapped out, you were pulling whatever it pointed to, whether you realized it or not.

Analysis shared by vx-underground says the malicious installer appears to have targeted 64-bit HWMonitor users and included a fake CRYPTBASE.dll designed to blend in with legitimate Windows components. That DLL then reached out to a command-and-control server to pull down additional payloads. From there, things escalate.

Analysis suggests the malware tries to stay off disk as much as possible, leaning on PowerShel...
First seen: 2026-04-10 15:58
Last seen: 2026-04-10 19:00