CPUID: Malware distributed for several hours due to vulnerability

The CPUID website for system analysis tools CPU-Z and HWMonitor was manipulated by attackers. It distributed malware.

CPUID logo against a matrix rain background

(Image: heise medien)

Anyone who downloaded the system analysis tools from the CPUID website, such as CPU-Z or HWMonitor, on Thursday or Friday of the past week, i.e., April 9th or 10th, 2026, should scan their computer for malware. The website randomly served links to malware instead of the regular installation packages for several hours on those days.

A write-up by IT researcher nemesis on GitHub describes the incident in detail, including an in-depth malware analysis. According to it, attackers were able to compromise the CPUID website via a vulnerability in an API. As a result, the website displayed malicious download links at random. The signed original files, however, were not altered.

According to the analysis, the malware packages carried plausible file names such as “cpu-z_2.19-en.zip” and contained the legitimate CPU-Z files together with a malicious CRYPTBASE.dll. This abuses the default Windows DLL search order, which looks for a DLL of that name first in the application's own directory and only afterwards in the system directories, so the malicious library is loaded and executed (so-called “DLL sideloading”). Execution is followed by a multi-stage infection chain, at the end of which a backdoor detected by Kaspersky as “Backdoor.Win64.Alien” is installed persistently on the system. The analysis lists various indicators of compromise (IoCs).
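The sideloading pattern described above (a DLL with a system-library name dropped next to the program's executable inside the archive) can be checked for before anything is run. The following Python script is an added example written for this article; it is not code from CPUID, nemesis or any other party. It opens a .zip archive, flags any DLL whose name is on a sideload-candidate list (only CRYPTBASE.dll is taken from the article; the list itself is an assumption) and that sits in the same directory as an executable, and additionally compares the SHA-256 of every member against an IoC table. The archive and the IoC hash in the block are constructed placeholders, since the article does not reproduce the published hashes or the exact archive contents.

```python
import hashlib
import io
import os
import zipfile

# DLL names that Windows resolves from the application directory before the
# system directory when loaded by name. CRYPTBASE.dll is the name given in the
# article; treating the set as a list of candidates is an assumption of this
# example, and the set is deliberately not exhaustive.
SIDELOAD_CANDIDATES = {"cryptbase.dll"}

# Placeholder IoC table. The article does not reproduce the hashes from the
# nemesis write-up, so an obviously fake digest stands in for them here.
KNOWN_BAD_SHA256 = {
    "0" * 64: "placeholder: malicious CRYPTBASE.dll hash would go here",
}


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def audit_archive(zip_bytes: bytes, iocs: dict = KNOWN_BAD_SHA256) -> list:
    """Inspect a .zip archive held in memory and return a list of findings.

    Two kinds of findings are produced:
      - "ioc_hash_match": a member whose SHA-256 is in the IoC table
      - "sideload_candidate": a DLL with a sideload-candidate name that sits
        in the same directory as an executable (the layout the article
        describes for the trojanized cpu-z_*.zip packages)
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        # Directories that contain at least one executable.
        exe_dirs = {
            os.path.dirname(m.filename)
            for m in members
            if m.filename.lower().endswith(".exe")
        }
        for m in members:
            base = os.path.basename(m.filename).lower()
            directory = os.path.dirname(m.filename)
            digest = sha256_bytes(zf.read(m))
            if digest in iocs:
                findings.append({
                    "kind": "ioc_hash_match",
                    "member": m.filename,
                    "sha256": digest,
                    "note": iocs[digest],
                })
            if base in SIDELOAD_CANDIDATES and directory in exe_dirs:
                findings.append({
                    "kind": "sideload_candidate",
                    "member": m.filename,
                    "sha256": digest,
                    "note": "system DLL name placed beside an executable",
                })
    return findings


def build_sample_archive(include_dll: bool = True) -> bytes:
    """Build a constructed archive mimicking the layout the article describes.

    File names and contents are invented for this example; only the top-level
    folder name echoes the archive name quoted in the article.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cpu-z_2.19-en/cpuz.exe", b"MZ constructed executable bytes")
        zf.writestr("cpu-z_2.19-en/readme.txt", b"constructed readme")
        if include_dll:
            zf.writestr("cpu-z_2.19-en/CRYPTBASE.dll", b"MZ constructed dll bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_archive(build_sample_archive()):
        print(f"{finding['kind']}: {finding['member']} ({finding['sha256'][:16]}...)")
```

Run against a real download, the script would be fed the archive bytes from disk and the IoC table from the published analysis; the archive-side check is name-based only, so it catches the layout rather than the specific sample and will also flag a legitimate package that ships such a DLL deliberately.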

According to the analysis by vxunderground on Bluesky, the attack was discovered around 1 AM Central European Time on Friday (7 pm EST). The HWMonitor package was also available for download in a manipulated version. A further comment refers to a statement by the CPU-Z and HWMonitor maintainer @d0cTB. According to him, investigations were still ongoing, but an API for secondary website functions appears to have been compromised for about six hours, causing the main page to display malicious links at random. The signed original files were not compromised. The intrusion was discovered and subsequently stopped.

According to the in-depth analysis by nemesis, this was a supply chain attack in which the official CPUID download infrastructure delivered malicious files: the download links were redirected to attacker-controlled storage on Cloudflare instead of pointing to CPUID's standard infrastructure. The attackers delivered their own trojanized packages, which were conspicuous for their Russian-language installers; the signed original installers were not manipulated. There were thus two variants of the manipulated packages: the executable InnoSetup installers and the repackaged .zip files with the additional malicious CRYPTBASE.dll. The analysis also mentions a similar malware campaign against FileZilla in early March 2026, suggesting the same attackers were behind both.

Anyone who downloaded software from CPUID during the relevant period should check whether the download is one of the known malicious variants. Most scanners on VirusTotal should flag them by now.

Supply chain attacks affect many companies. About two weeks ago, for example, attackers gained access to internal Cisco data through a supply chain attack on LiteLLM. Source code and customer data were reportedly stolen.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.