
Compromise of CPUID distribution channels delivers trojanized system monitoring tools

1 unique source, 1 article

Summary


A threat actor compromised an API used by the CPUID project to replace official download links for CPU-Z and HWMonitor with malicious executables for at least six hours between April 9 and April 10, 2026. The malicious payload, distributed as HWiNFO_Monitor_Setup.exe, is a multi-stage trojanized installer that leverages an Inno Setup wrapper and a Russian installer component, operating primarily in-memory to evade detection. The campaign specifically targeted users of widely used system monitoring utilities, and forensic analysis indicates advanced evasion techniques such as proxying NTDLL functionality from a .NET assembly. The compromise was limited to distribution links; signed original binaries were not altered. CPUID reported that the developer was unavailable during the incident, and affected users are advised to verify downloads from trusted sources.
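The advice to verify downloads can be turned into a concrete check for the link-substitution pattern this incident describes: a download link that should resolve to the vendor's own host instead points at third-party object storage and serves an installer whose name does not match the product requested. The block below is an added example, not code from CyberHappenings or from CPUID. The trusted host names, the expected installer file-name prefixes and the sample URLs are assumptions constructed for illustration; the SHA-256 comparison expects a reference hash obtained out of band (for example from the vendor's published checksums), not from the same API that serves the links.

```python
"""
Defensive checks for substituted download links.

Constructed example: hosts, file-name prefixes and sample URLs are
assumptions for illustration, not values taken from the incident.
"""
import hashlib
from urllib.parse import urlparse

# Assumption: the vendor's legitimate download hosts. Pin this list from
# vendor documentation, never from the API whose output you are checking.
TRUSTED_HOSTS = {"download.cpuid.com", "www.cpuid.com"}

# Assumption: what a legitimate installer file name starts with, per product.
EXPECTED_NAME_PREFIXES = {
    "cpu-z": ("cpu-z_",),
    "hwmonitor": ("hwmonitor_",),
}


def classify_download(product: str, url: str) -> list[str]:
    """Return a list of findings for a resolved download link.

    An empty list means the link is consistent with the pinned expectations.
    Each finding is a short, human-readable reason the link looks wrong.
    """
    findings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()

    # A plain-HTTP link can be rewritten in transit; treat it as a finding.
    if parsed.scheme != "https":
        findings.append("download link is not https")

    # The incident served files from object storage instead of the vendor host.
    if host not in TRUSTED_HOSTS:
        findings.append(f"host {host!r} is not a trusted vendor host")

    # The served file name did not match the product the user asked for.
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    prefixes = EXPECTED_NAME_PREFIXES.get(product.lower(), ())
    if not filename.startswith(prefixes):
        findings.append(
            f"file name {filename!r} does not match product {product!r}"
        )
    return findings


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the downloaded bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """Compare downloaded bytes against a reference hash obtained out of band."""
    return sha256_hex(data) == expected_hex.strip().lower()


if __name__ == "__main__":
    # Constructed sample links: one consistent, one showing the pattern
    # described on this page (third-party storage, mismatched file name).
    samples = [
        ("cpu-z", "https://download.cpuid.com/cpu-z/cpu-z_setup.exe"),
        ("hwmonitor", "https://example-bucket.r2.dev/HWiNFO_Monitor_Setup.exe"),
    ]
    for product, link in samples:
        result = classify_download(product, link) or ["ok"]
        print(f"{product}: {link}\n  -> {'; '.join(result)}")

    # Constructed bytes standing in for a downloaded installer.
    blob = b"constructed installer bytes"
    print("hash check:", sha256_matches(blob, sha256_hex(blob)))
```

The host allowlist is the part that actually catches this incident's pattern: the substituted links were served by the vendor's own API, so checking that the API responded is not enough; the check has to compare the resolved host against a list pinned from somewhere the attacker did not control.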

Timeline

  1. 10.04.2026 16:12 · 1 article

    Trojanized system monitoring utilities distributed via compromised CPUID API

    Between April 9 and April 10, 2026, a compromised API at CPUID served malicious versions of CPU-Z and HWMonitor via official download links. The malicious payload (HWiNFO_Monitor_Setup.exe) was a multi-stage installer operating primarily in-memory, using evasion techniques such as NTDLL proxying from a .NET assembly. The compromise was limited to distribution links; signed original binaries were not altered. CPUID confirmed the breach and has since restored clean versions.


Information Snippets

  • Compromised API led to malicious download links for CPU-Z and HWMonitor on CPUID’s official website between April 9 and April 10, 2026, for approximately six hours.

    First reported: 10.04.2026 16:12
    1 source, 1 article
  • Malicious payload named HWiNFO_Monitor_Setup.exe delivered via Cloudflare R2 storage, masquerading as a diagnostic tool installer.

    First reported: 10.04.2026 16:12
    1 source, 1 article
  • The installer uses an Inno Setup wrapper with a Russian installer component and operates primarily in-memory with advanced evasion techniques.

    First reported: 10.04.2026 16:12
    1 source, 1 article
  • Forensic analysis indicates the malware proxies NTDLL functionality from a .NET assembly to evade endpoint detection and response (EDR) or antivirus systems.

    First reported: 10.04.2026 16:12
    1 source, 1 article
  • The threat actor previously targeted FileZilla FTP client users in March 2026, suggesting a focus on widely used utilities.

    First reported: 10.04.2026 16:12
    1 source, 1 article
  • VirusTotal results show the fake HWiNFO variant flagged by 20 antivirus engines, with classifications including Tedy Trojan, Artemis Trojan, and infostealer malware.

    First reported: 10.04.2026 16:12
    1 source, 1 article
  • CPUID confirmed the signed original binaries were not compromised; the breach was limited to distribution links. The developer was unavailable during the incident.

    First reported: 10.04.2026 16:12
    1 source, 1 article
  • CPUID has since restored clean versions of CPU-Z and HWMonitor on the official website.

    First reported: 10.04.2026 16:12
    1 source, 1 article