Hackers gained access to the CPUID website's secondary API between April 9 at 15:00 UTC and April 10 at 10:00 UTC. During this time, the site provided malicious download links instead of valid installers for several popular hardware monitoring tools. CPUID confirmed the breach and reported that the affected API has been fixed. They are now offering clean versions of all affected tools.

Users who downloaded CPU-Z, HWMonitor, HWMonitor Pro, or PerfMonitor between April 9 at 15:00 UTC and April 10 at 10:00 UTC may have received modified versions. However, the original signed binaries from CPUID were not altered.

What Malware Was Distributed Through CPUID Downloads?

The malicious downloads were routed through Cloudflare R2 storage and presented a fake HWiNFO installer called HWiNFO_Monitor_Setup, packaged with a Russian Inno Setup wrapper. According to Kaspersky's analysis, the trojanized versions contained a legitimately signed executable along with a malicious DLL named CRYPTBASE.dll, which was used for DLL side-loading.

The malicious DLL performed anti-sandbox checks before connecting to a command and control server and executed the final payload identified as STX RAT. This remote access trojan has information-stealing capabilities and has been documented by eSentire researchers. The malware operated almost entirely in memory and employed techniques to evade endpoint detection and antivirus software.

The four affected software versions were:

  • CPU-Z version 2.19
  • HWMonitor Pro version 1.57
  • HWMonitor version 1.63
  • PerfMonitor version 2.04

Scope of the CPUID Malware Impact

Kaspersky estimates that over 150 users downloaded a malicious variant during the timeframe. Victims include individuals and organizations from the retail, manufacturing, consulting, telecommunications, and agriculture sectors, primarily located in Brazil, Russia, and China.

The relevant ZIP file was detected by 20 antivirus engines on VirusTotal; some identified it as Tedy Trojan, while others labeled it as Artemis Trojan.

Researchers from vxunderground and Igor's Labs independently verified the compromised download chain. vxunderground noted that the malware used the same command and control address observed in the March campaign that used a fake FileZilla site to distribute malicious downloads. This suggests that the same threat actor may be responsible for both incidents.

What Should Affected CPUID Users Do Now?

Users who downloaded any of the four affected tools between April 9 at 15:00 UTC and April 10 at 10:00 UTC should consider their installations potentially compromised. Kaspersky has released indicators of compromise that include malicious files, DLLs, and URLs associated with the attack.
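Two checks that follow from the details above, written here as an added example (not code from CPUID, Kaspersky or the article): the first filters a download or proxy log for requests of the four affected tools inside the 15:00 UTC to 10:00 UTC window, and the second walks an install tree looking for a copy of CRYPTBASE.dll sitting outside a Windows system directory, which is the side-loading arrangement described above. The window times, the tool names and the DLL name come from the article; the log line format, the install paths and the sample data are constructed, and because the article does not state the year, the window is built from each log line's own year.

```python
import os
import tempfile
from datetime import datetime, timezone

# Affected tools from the article; matched as substrings of the downloaded filename.
AFFECTED_TOOLS = ("cpu-z", "hwmonitor", "perfmonitor")

# DLL the article names as the side-loaded component. Windows ships it in
# System32/SysWOW64; a copy next to an application executable is suspicious.
SIDELOAD_DLL = "cryptbase.dll"
SYSTEM_DIRS = {"system32", "syswow64"}


def compromise_window(year):
    """Window from the article: April 9 15:00 UTC to April 10 10:00 UTC.
    The article gives no year, so the caller supplies it."""
    start = datetime(year, 4, 9, 15, 0, tzinfo=timezone.utc)
    end = datetime(year, 4, 10, 10, 0, tzinfo=timezone.utc)
    return start, end


def parse_log_line(line):
    """Constructed format: '<ISO-8601 UTC timestamp> <client-ip> <requested path>'."""
    ts, client, path = line.split(maxsplit=2)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, client, path


def downloads_in_window(log_lines):
    """Return (client, path) for requests of affected tools inside the window."""
    hits = []
    for line in log_lines:
        when, client, path = parse_log_line(line)
        name = os.path.basename(path).lower()
        if not any(tool in name for tool in AFFECTED_TOOLS):
            continue
        start, end = compromise_window(when.year)
        if start <= when <= end:
            hits.append((client, path))
    return hits


def find_sideload_candidates(root):
    """Walk a tree and report CRYPTBASE.dll copies outside a system directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace("\\", "/")
        if SYSTEM_DIRS & {part.lower() for part in rel.split("/")}:
            continue  # legitimate location for the DLL
        for f in files:
            if f.lower() == SIDELOAD_DLL:
                findings.append(os.path.join(dirpath, f))
    return findings


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2025-04-09T14:59:00Z 198.51.100.7 /downloads/cpu-z_2.19-en.zip",      # before window
    "2025-04-09T16:12:03Z 198.51.100.8 /downloads/cpu-z_2.19-en.zip",      # inside window
    "2025-04-10T02:30:45Z 198.51.100.9 /downloads/hwmonitor_1.63.zip",     # inside window
    "2025-04-10T02:31:00Z 198.51.100.9 /downloads/readme.txt",             # not an affected tool
    "2025-04-10T10:00:01Z 198.51.100.10 /downloads/perfmonitor_2.04.zip",  # after window
]


def build_sample_tree():
    """Constructed on-disk layout: one clean install, one with a side-loaded DLL,
    plus a System32 copy that must not be flagged. Returns the temp root."""
    root = tempfile.mkdtemp(prefix="cpuid-check-")
    layout = {
        "Program Files/CPUID/CPU-Z": ["cpu-z.exe"],
        "Program Files/CPUID/HWMonitor": ["HWMonitor.exe", "CRYPTBASE.dll"],
        "Windows/System32": ["cryptbase.dll"],
    }
    for rel, files in layout.items():
        d = os.path.join(root, *rel.split("/"))
        os.makedirs(d)
        for f in files:
            open(os.path.join(d, f), "wb").close()
    return root


if __name__ == "__main__":
    for client, path in downloads_in_window(SAMPLE_LOG):
        print("download in compromise window:", client, path)
    for hit in find_sideload_candidates(build_sample_tree()):
        print("possible side-loading DLL:", hit)
```

The directory scan is deliberately narrow: it only reports the one DLL name the article attributes to this incident, so a hit is a prompt to compare the file against Kaspersky's published indicators and to check the executable beside it, not a verdict on its own.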

CPUID states that their original signed binaries were not altered and that the valid files' direct download URLs did not change during the incident. Currently, downloads from the CPUID website have been verified as safe.