CPU-Z and HWMonitor compromised

Original link: https://www.theregister.com/2026/04/10/cpuid_site_hijacked/

CPUID, the company behind the widely used system-information tools HWMonitor and CPU-Z, suffered a security breach earlier this week. Attackers compromised a backend component of the CPUID website and redirected download links to malware instead of the legitimate installers. The software builds themselves were not tampered with and remain correctly signed, but the compromised "side API" served swapped links for roughly six hours. The malicious installer targeted 64-bit HWMonitor users, bundled a fake DLL posing as a Windows component, and contacted a command-and-control server to fetch further payloads. Analysis shows the malware runs mostly in memory, compiles .NET code on the victim's machine, and attempts to steal browser data, including Google Chrome credentials that it may be able to decrypt. Evidence ties the attack to earlier campaigns, suggesting a broader, ongoing operation. CPUID has fixed the breach, but the number of affected users is unknown. The incident shows that attackers can distribute malware without modifying the software code itself.

## CPU-Z & HWMonitor compromised - summary

The popular system-monitoring tools CPU-Z and HWMonitor were recently compromised through a supply-chain attack. Attackers broke into the official CPUID website and changed its download links, serving malicious installers for roughly six hours spanning April 9 and 10. The attackers targeted the API layer that generates download links rather than the binaries themselves, marking an evolution in tactics. The incident highlights that even trusted software sources can be compromised. Users are advised to download software carefully and to consider package managers such as `winget` (which performs signature checks, though these are not foolproof) or Chocolatey. Discussion centred on the growing frequency of these attacks, the difficulty of verifying software, and the need for better practices such as reproducible builds and robust package management. Many users suggested inspecting the package manifest before installing, and some pointed to the usefulness of tools such as VirusTotal for an initial scan. The threat group is suspected to be the same one behind a recent campaign against FileZilla users.
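The verification advice above is easy to get wrong: the CPUID installers were genuinely signed, so "is it signed?" alone would have passed the swapped file if the attacker had served any signed executable. The added example below (not code from the article, CPUID or any package manager) layers three independent checks that a link swap fails even when the file is real and signed: the link must point at the vendor's own download host, the saved file name must belong to the product actually requested (the "HWiNFO_Monitor_Setup.exe" served for HWMonitor would fail here), and the SHA-256 must match a digest obtained out of band. The host name, file-name patterns and sample file bodies are assumptions made up for illustration.

```python
"""Pre-install checks for an installer fetched from a vendor site.

Added example, not code from the article, CPUID or any package manager.
Three independent checks so that a swapped download link fails even when
the file it points at is a real, signed executable:
  1. the link must point at the vendor's own download host,
  2. the saved file name must belong to the product that was requested,
  3. the SHA-256 must match a digest obtained out of band (vendor page,
     package-manager manifest, or a previous known-good install).
The host name, file-name patterns and sample file bodies are assumptions.
"""
import hashlib
import re
from typing import Dict, List
from urllib.parse import urlparse

EXPECTED_HOSTS = {"download.cpuid.com"}  # assumed vendor download host

# Assumed naming conventions; a real deployment pins the exact file name
# taken from the vendor's release notes or the package manifest.
PRODUCT_PATTERNS = {
    "hwmonitor": re.compile(r"^hwmonitor_[\w.-]+\.exe$", re.IGNORECASE),
    "cpu-z": re.compile(r"^cpu-z_[\w.-]+\.exe$", re.IGNORECASE),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download(product: str, url: str, filename: str,
                    data: bytes, pinned_sha256: str) -> List[str]:
    """Return the list of failed checks; an empty list means the file passed
    every check and may proceed to the Authenticode publisher check."""
    problems: List[str] = []
    host = (urlparse(url).hostname or "").lower()
    if host not in EXPECTED_HOSTS:
        problems.append(f"link points at unexpected host {host!r}")
    if not PRODUCT_PATTERNS[product].match(filename):
        problems.append(f"file name {filename!r} does not belong to {product!r}")
    if sha256_hex(data) != pinned_sha256.lower():
        problems.append("sha256 does not match the pinned digest")
    return problems


# Constructed sample bodies standing in for the real installers.
GOOD_BODY = b"MZ constructed stand-in for the genuine signed HWMonitor installer"
BAD_BODY = b"MZ constructed stand-in for the trojanised installer"
# In practice this digest comes from somewhere the attacker could not also
# swap; here it is derived from the constructed good body.
PINNED_SHA256 = sha256_hex(GOOD_BODY)


def demo() -> Dict[str, List[str]]:
    """Run the checks against a genuine link and a swapped one
    (the swapped file name is the one reported in the incident; hosts are made up)."""
    return {
        "genuine": verify_download(
            "hwmonitor",
            "https://download.cpuid.com/hwmonitor/hwmonitor_1.63.exe",
            "hwmonitor_1.63.exe", GOOD_BODY, PINNED_SHA256),
        "swapped": verify_download(
            "hwmonitor",
            "https://files.example.net/HWiNFO_Monitor_Setup.exe",
            "HWiNFO_Monitor_Setup.exe", BAD_BODY, PINNED_SHA256),
    }


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "OK" if not problems else problems)
```

On Windows, follow this with `Get-AuthenticodeSignature` and check both that `Status` is `Valid` and that the signer's subject is the expected publisher; a valid signature from some other publisher is exactly what a link swap can deliver. The pinned digest is only worth something when it comes from a channel the attacker could not also swap, which is why a package-manager manifest or a previously installed copy is a better source than the same download page.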

Original article

Visitors to the CPUID website were briefly exposed to malware this week after attackers hijacked part of its backend, turning trusted download links into a delivery mechanism for something far less welcome.

The issue hit tools like HWMonitor and CPU-Z, with users on Reddit and elsewhere starting to notice something wasn't right when installers tripped antivirus alerts or showed up under odd names. One example that did the rounds had the HWMonitor 1.63 update pointing to a file called "HWiNFO_Monitor_Setup.exe," which is not what anyone went there to download, and a pretty clear sign that something upstream had been tampered with.

CPUID has since confirmed the breach, pinning it on a compromised backend component rather than tampering with its software builds.

"Investigations are still ongoing, but it appears that a secondary feature (basically a side API) was compromised for approximately six hours between April 9 and April 10, causing the main website to randomly display malicious links (our signed original files were not compromised)," one of the site's owners said in a post on X. "The breach was found and has since been fixed."

The files themselves appear to have been left alone and remain properly signed, so it doesn't seem like anyone got into the build process. Instead, the problem sat in front of that, in how downloads were being served. For anyone who hit the site during that stretch, though, that distinction offers little comfort. If the link you clicked had been swapped out, you were pulling whatever it pointed to, whether you realized it or not.

Analysis shared by vx-underground says the malicious installer appears to have targeted 64-bit HWMonitor users and included a fake CRYPTBASE.dll designed to blend in with legitimate Windows components. That is a standard DLL-sideloading trick: CRYPTBASE.dll is a genuine System32 library, and a file with that name dropped next to the installer is picked up from the application directory ahead of the real one. That DLL then reached out to a command-and-control server to pull down additional payloads.

From there, things escalate. Analysis suggests the malware tries to stay off disk as much as possible, leaning on PowerShell and running largely in memory. It also pulls down additional code and compiles a .NET payload on the victim machine before injecting it into other processes. There are also signs it's going after browser data. In testing, it was seen interacting with Google Chrome's IElevator COM interface, exposed by the browser's elevation service for App-Bound Encryption, which can be used to access and decrypt stored credentials.
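Each step in that chain leaves a host-telemetry trace that is cheap to look for. The added example below (not from the article or from vx-underground's analysis) runs three indicators over constructed Sysmon-style events: a watched Windows DLL name loaded from outside the system directories (the CRYPTBASE.dll sideload), a script host spawning the .NET compiler (runtime compilation of the payload), and a script host creating a thread in another process (the injection step). Field names follow Sysmon's schema, but every event, path and the extra DLL names beyond CRYPTBASE.dll are assumptions made up for illustration.

```python
"""Detection logic for the behaviour chain described above, run over
constructed Sysmon-style events.

Added example; not from the article or from vx-underground's analysis.
Field names follow Sysmon (EventID, Image, ParentImage, ImageLoaded,
SourceImage, TargetImage) but every event below is made up.
"""
import ntpath
from typing import Dict, List

PROCESS_CREATE = 1        # Sysmon event IDs
IMAGE_LOAD = 7
CREATE_REMOTE_THREAD = 8

SYSTEM_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# CRYPTBASE.dll is the name from the incident; the others are assumed
# additions covering the same sideloading pattern.
WATCHED_DLLS = {"cryptbase.dll", "version.dll", "dbghelp.dll"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
DOTNET_COMPILERS = {"csc.exe", "vbc.exe"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_system_dir(path: str) -> bool:
    directory = ntpath.dirname(path).lower()
    return any(directory == d or directory.startswith(d + "\\")
               for d in SYSTEM_DLL_DIRS)


def check_event(ev: Dict[str, object]) -> List[str]:
    """Return indicator names fired by one event (empty if nothing fired)."""
    hits: List[str] = []
    eid = ev.get("EventID")
    if eid == IMAGE_LOAD:
        dll = str(ev.get("ImageLoaded", ""))
        if _base(dll) in WATCHED_DLLS and not _in_system_dir(dll):
            hits.append("sideloaded_system_dll")
    elif eid == PROCESS_CREATE:
        parent = _base(str(ev.get("ParentImage", "")))
        child = _base(str(ev.get("Image", "")))
        if parent in SCRIPT_HOSTS and child in DOTNET_COMPILERS:
            hits.append("script_host_runtime_dotnet_compile")
    elif eid == CREATE_REMOTE_THREAD:
        src = _base(str(ev.get("SourceImage", "")))
        dst = _base(str(ev.get("TargetImage", "")))
        if src in SCRIPT_HOSTS and dst not in SCRIPT_HOSTS:
            hits.append("script_host_remote_thread")
    return hits


def scan(events) -> Dict[str, List[int]]:
    """Map each indicator to the indices of the events that fired it."""
    findings: Dict[str, List[int]] = {}
    for i, ev in enumerate(events):
        for name in check_event(ev):
            findings.setdefault(name, []).append(i)
    return findings


# Constructed event stream: indices 0 and 4 are benign, 1-3 reproduce the chain.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\CRYPTBASE.dll"},
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\HWiNFO_Monitor_Setup.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\CRYPTBASE.dll"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    for name, idx in scan(SAMPLE_EVENTS).items():
        print(f"{name}: events {idx}")
```

The compiler indicator fires on legitimate `Add-Type` calls that compile inline C#, so treat it as a triage signal to correlate with the other two and with the installer's path (a DLL loaded from a Downloads folder is far less ambiguous) rather than as a standalone alert.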

The same analysis suggests links to infrastructure used in earlier campaigns, including one targeting FileZilla users, hinting that this wasn't a one-off experiment but part of a broader playbook.

CPUID says the issue is now fixed, but there's still no detail on how that API was accessed or how many people actually pulled the bad downloads. Even so, it's another reminder that attackers don't need to touch the code itself to cause harm. ®
