
Official HWMonitor and CPU-Z Installers Infected with Malware


The official CPUID website was recently targeted in a supply chain attack that compromised the download links for its most popular tools during a 6-hour window between April 9 and April 10, 2026. The developers have since secured the site and confirmed that their original signed binaries remained safe, but users who downloaded software during this timeframe should check their systems immediately for potential infection.

The Attack Details

Attackers compromised a “secondary API” on the CPUID website, allowing them to randomly swap legitimate download links with malicious ones. The hijacked links pointed to a trojanized installer cleverly named HWiNFO_Monitor_Setup.exe, using the name of a different hardware tool to trick users into thinking the download was legitimate.

The “STX RAT” Malware: The malicious package contained the STX RAT, a sophisticated “infostealer” that operates primarily in-memory to evade standard antivirus detection. Once executed, its goal is to exfiltrate sensitive data, including:

  • Saved browser passwords and session cookies.
  • Cryptocurrency wallet information.
  • System metadata for remote access.

How the malware works

The attack utilizes a technique known as DLL Sideloading. When the compromised installer is executed, it places a malicious file named CRYPTBASE.dll into the same directory as the legitimate program.

When the affected software (such as CPU-Z) is launched, it is designed to search its local folder for necessary system files before checking the Windows system directories.

The software unknowingly loads the malicious CRYPTBASE.dll instead of the authentic version.

Because the code is executed through a trusted, signed application, the malware can bypass many standard security alerts. It then operates almost entirely in the system’s memory (RAM), allowing it to remain active while avoiding detection from traditional disk-based antivirus scans.

Affected software version

The following 64-bit versions were impacted during the 6-hour breach:

  • HWMonitor (v1.63)
  • CPU-Z (v2.19)
  • HWMonitor Pro (v1.57)
  • PerfMonitor (v2.04)

How to Check and Fix:

  • Check Filenames: If your installer was named HWiNFO_Monitor_Setup.exe or appeared in Russian, it is malicious.
  • Check Folders: Look for a file named CRYPTBASE.dll inside your installation folder. This file is used for DLL sideloading and is not part of the official CPUID software.
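The two checks above can be run across a whole machine with PowerShell. This is an added example, not a tool from CPUID or from the original article; the default search roots (Program Files and the user's Downloads folder) are assumptions, so pass the actual install or download locations in `-Roots` if they differ.

```powershell
# Added example, not CPUID's tooling. $Roots defaults are assumptions:
# point them at wherever the tools were installed or downloaded.
param(
    [string[]]$Roots = @(
        $env:ProgramFiles,
        ${env:ProgramFiles(x86)},
        (Join-Path $env:USERPROFILE 'Downloads')
    )
)

# File names taken from the article.
$suspectNames = @('CRYPTBASE.dll', 'HWiNFO_Monitor_Setup.exe')

# The genuine cryptbase.dll lives under the Windows directory; skip that tree.
$windowsDir = $env:SystemRoot.TrimEnd('\') + '\'

$findings = foreach ($root in $Roots) {
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            ($suspectNames -contains $_.Name) -and
            -not $_.FullName.StartsWith($windowsDir, [System.StringComparison]::OrdinalIgnoreCase)
        } |
        ForEach-Object {
            # Record signature state and hash so the file can be triaged before deletion.
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                Signature = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($findings) {
    $findings | Format-List
    Write-Warning "$(@($findings).Count) file(s) match the names reported for this incident."
} else {
    Write-Output 'No CRYPTBASE.dll or HWiNFO_Monitor_Setup.exe found outside the Windows directory.'
}
```

A hit inside a CPUID installation folder, especially one whose creation time falls in the April 9 to April 10, 2026 window, should be treated as an infection and handled as described under Action below.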

Action: If infected, delete the installer, run an offline virus scan like Windows Defender Offline, and reset your passwords immediately.

Current Status: CPUID has fixed the API vulnerability, and all official links are now serving safe files once again.