Recently, hackers hijacked the website of CPUID, the makers of the super popular hardware diagnostic tools CPU-Z and HWMonitor, and used it to serve malware instead of clean downloads in a campaign that ran for around 6 hours.
Reddit user u/DMkiIIer noticed that something was seriously messed up when they tried to update HWMonitor 1.63. The official site served them a deceptively named file, "HWiNFO_Monitor_Setup.exe", which immediately tripped Windows Defender. When they ran it anyway, a Russian-language installer popped up, making it obvious this was not a legitimate update.
CPUID confirmed that CPU-Z was also compromised. The malicious package (cpu-z_2.19-en.zip) contained the legitimate CPU-Z executables, but the attackers bundled a fake, Zig-compiled file named "CRYPTBASE.dll" alongside the clean application. This is classic DLL search-order hijacking: the genuine CRYPTBASE.dll lives in the Windows system directory, but Windows checks the application's own directory first when resolving a DLL, so when a user launched the real CPU-Z it loaded the attacker's DLL into its own process at startup instead of the legitimate one.
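A practical triage check for this kind of repackaging, as an added example that is not part of the original article or of any CPUID tooling: inspect a downloaded archive and flag any DLL that carries the name of a well-known Windows system DLL and sits in the same directory as an executable it could shadow. The list of sideload-prone DLL names and the two constructed sample archives (a clean layout and one with a rogue CRYPTBASE.dll next to cpuz_x32.exe/cpuz_x64.exe) are assumptions of this example, not artifacts recovered from the real campaign.

```python
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

# Windows system DLLs that are commonly abused for search-order hijacking because
# the genuine copy lives in System32/SysWOW64 and is not expected beside an app.
# Assumption of this example: illustrative, not an exhaustive list.
SIDELOAD_CANDIDATES = {
    "cryptbase.dll", "cryptsp.dll", "version.dll", "dbghelp.dll",
    "wtsapi32.dll", "winhttp.dll", "userenv.dll", "profapi.dll",
}


@dataclass(frozen=True)
class Finding:
    dll: str       # archive path of the suspicious DLL
    host_exe: str  # archive path of an executable in the same directory that would load it


def _join(directory: str, base: str) -> str:
    return f"{directory}/{base}" if directory else base


def find_sideload_candidates(zip_bytes: bytes) -> list[Finding]:
    """Return one Finding per (suspicious DLL, executable in the same directory) pair."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Group file entries by directory: a DLL can only shadow a system DLL for
        # executables that live in the same directory as it does.
        by_dir: dict[str, list[str]] = {}
        for name in zf.namelist():
            if name.endswith("/"):
                continue  # directory entry, no content
            directory, _, base = name.rpartition("/")
            by_dir.setdefault(directory, []).append(base)

        for directory, bases in by_dir.items():
            exes = [b for b in bases if b.lower().endswith(".exe")]
            if not exes:
                continue  # a stray DLL with nothing to load it is not a sideload
            for base in bases:
                if base.lower() in SIDELOAD_CANDIDATES:
                    for exe in exes:
                        findings.append(Finding(_join(directory, base), _join(directory, exe)))
    return findings


def build_sample_zip(trojanized: bool) -> bytes:
    """Constructed sample input: a CPU-Z-like archive, optionally with a rogue CRYPTBASE.dll.

    The file names and the 'MZ' placeholder bodies are made up for this example.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("cpu-z_2.19-en/cpuz_x32.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("cpu-z_2.19-en/cpuz_x64.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("cpu-z_2.19-en/cpuz_readme.txt", b"CPU-Z readme (constructed)\n")
        if trojanized:
            # The rogue DLL is placed beside the executables, exactly where search-order
            # hijacking needs it to be.
            zf.writestr("cpu-z_2.19-en/CRYPTBASE.dll", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("clean", build_sample_zip(False)), ("trojanized", build_sample_zip(True))):
        hits = find_sideload_candidates(data)
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print(f"  {hit.dll} would be loaded by {hit.host_exe}")
```

Run it against a real download by reading the archive bytes from disk instead of `build_sample_zip`. A hit is not proof of compromise on its own (some vendors do legitimately ship private copies of system DLLs), but a DLL with one of these names appearing next to a tool that never shipped it before is exactly the signal that would have caught this package.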
Once the malware was running, it went hunting for browser credentials. The payload, identified as an "Alien RAT" variant, operated almost entirely in the computer's memory to avoid detection by antivirus software and used PowerShell to fetch further instructions from its C2 server. It was observed targeting Google Chrome in an attempt to decrypt and steal saved passwords and login tokens.
So, how did this happen? The attackers took control of a secondary API on the cpuid.com website that the site uses to hand out download links. That let them poison the download distribution links without ever touching CPUID's source code or build servers. CPUID's own build artifacts were not modified: the attackers repackaged the legitimate binaries with their DLL and simply redirected the download buttons to their rogue Cloudflare storage bucket.
As mentioned earlier, CPU-Z and HWMonitor are very popular diagnostic tools. The former is used to identify the exact hardware inside your PC, while the latter monitors system health like temperatures and voltages in real-time. After the alarms were raised about the breach, CPUID quickly took down its website, identified the hijacked side API, fixed the vulnerability, and restored the original, clean download routing.
If you or someone you know downloaded either tool from cpuid.com during the affected window (April 9 and April 10), you must assume the system is compromised. Security analysts recommend reinstalling Windows entirely, immediately logging out of all active web sessions to invalidate any stolen browser tokens, and changing every one of your passwords.