Attackers compromised CPUID's website on April 9 and replaced download links for CPU-Z and HWMonitor with links to their own infrastructure. The installers users received carried a remote access trojan. The actual software builds were never touched.

On April 9, 2026, someone compromised a backend component of CPUID's website and replaced the download links for CPU-Z and HWMonitor with links pointing to attacker-controlled infrastructure. Anyone who downloaded either tool during that window got a trojaned installer instead of the real thing. The window lasted roughly six hours. CPUID's own signed binaries were never modified. The attack never needed to touch them.

The malware delivered was STX RAT. It used a fake CRYPTBASE.dll placed alongside the legitimate application executable. When that executable started, Windows resolved CRYPTBASE.dll from the application directory before the system directory and loaded the malicious copy, a technique called DLL sideloading. From there the payload ran almost entirely in memory, compiled .NET code on the fly, injected into other processes, and went after browser credentials. It specifically targeted Chrome's credential storage through IElevation, the COM interface exposed by Chrome's elevation service. It also went after cryptocurrency wallets. Kaspersky identified more than 150 victims. The real number is almost certainly higher.
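The sideloading pattern above is easy to triage for after the fact: a copy of CRYPTBASE.dll sitting next to an application executable, outside the Windows system directories, is the bait itself. The script below is an added example, not code from CPUID, Kaspersky or the original post. It walks a directory tree, reports every bait DLL found outside the trusted system directories together with the executables beside it and its SHA-256 for lookup, and runs against a constructed sample layout so it can be tested offline. The extra DLL names beyond CRYPTBASE.dll, the trusted-directory list and the sample files are assumptions for illustration, not details from the incident.

```python
"""Triage scan for DLL-sideloading bait outside the Windows system directories.

Added example, not code from the incident write-up. Only CRYPTBASE.dll is named
in the incident; the other DLL names, the trusted directories and the sample
layout are assumptions for illustration.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Bait DLLs. CRYPTBASE.dll is from the incident; the rest are common sideloading
# targets added as an assumption for broader triage.
BAIT_DLLS = {"cryptbase.dll", "version.dll", "dbghelp.dll", "userenv.dll"}

# Legitimate homes for these DLLs (assumption: default %SystemRoot%).
DEFAULT_TRUSTED = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")


@dataclass
class Finding:
    dll_path: str
    sha256: str
    neighbour_exes: list[str]

    @property
    def severity(self) -> str:
        # A bait DLL with an .exe beside it is the sideloading layout itself;
        # a stray copy with no executable is still worth a look.
        return "high" if self.neighbour_exes else "medium"


def _norm(p) -> str:
    """Absolute, case-normalised path string for prefix comparison."""
    return os.path.normcase(os.path.abspath(str(p)))


def _is_trusted(directory: str, trusted: list[str]) -> bool:
    return any(directory == t or directory.startswith(t + os.sep) for t in trusted)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_bait(scan_root, trusted=DEFAULT_TRUSTED, bait=BAIT_DLLS) -> list[Finding]:
    """Return every bait DLL under scan_root that lives outside the trusted dirs."""
    trusted_norm = [_norm(t) for t in trusted]
    findings = []
    for dirpath, _dirs, files in os.walk(scan_root):
        if _is_trusted(_norm(dirpath), trusted_norm):
            continue
        by_lower = {f.lower(): f for f in files}
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        for name in sorted(bait & set(by_lower)):
            full = Path(dirpath) / by_lower[name]
            findings.append(Finding(str(full), sha256_file(full), exes))
    return sorted(findings, key=lambda f: f.dll_path)


def build_demo_tree(base: Path) -> Path:
    """Constructed sample layout (not real incident files): one legitimate system
    copy, one planted copy beside an installer, one stray copy with no .exe."""
    layout = {
        "Windows/System32/cryptbase.dll": b"legit system copy",
        "Users/victim/Downloads/HWiNFO_Monitor_Setup.exe": b"MZ fake installer",
        "Users/victim/Downloads/CRYPTBASE.dll": b"planted dll",
        "Users/victim/AppData/Local/Temp/version.dll": b"stray dll, no exe beside it",
    }
    for rel, data in layout.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return base


def demo() -> list[Finding]:
    """Scan the constructed layout, treating its Windows/System32 tree as trusted."""
    base = build_demo_tree(Path(tempfile.mkdtemp(prefix="sideload-demo-")))
    trusted = [base / "Windows" / d for d in ("System32", "SysWOW64", "WinSxS")]
    return find_sideload_bait(base, trusted=trusted)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.severity}] {f.dll_path}  sha256={f.sha256[:16]}...  beside: {f.neighbour_exes or '-'}")
```

On a real machine, point find_sideload_bait at the user profile and program directories with the default trusted list; the legitimate System32 copy is skipped and anything else that matches is a lead, with the hash ready to compare against the vendor's file or a reputation service.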

CPUID described the compromised component as "a secondary feature, basically a side API" that caused the site to display malicious links. The core binaries were untouched, which is true, and also not the point. The attack did not need to modify the software. It needed to control what URL appeared when a user clicked download. That was enough. The attackers hosted the replacement installers on Cloudflare R2 storage and on a domain name containing Cyrillic characters. The files carried names like HWiNFO_Monitor_Setup.exe rather than the naming CPUID's installers normally use, and that mismatch is the detail that eventually gave it away.
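Every indicator in that paragraph is checkable before the file is run: the download host is not the vendor's, it is a third-party storage bucket, the domain name mixes in a non-Latin script, and the filename does not match the product. The script below is an added example, not code from CPUID or the original post, that applies those checks to a download link. The vendor domain list, the assumption that installer names start with the product name, the Cloudflare R2 hostname pattern (`*.r2.dev`) and the sample URLs are all constructed for illustration rather than taken from the incident.

```python
"""Check a download link before trusting it: vendor host, homoglyph or punycode
hostname, third-party object storage, and a filename that matches the product.

Added example, not code from CPUID or the original post. Vendor domains, product
filename prefixes, the r2.dev pattern and the sample links are assumptions.
"""
import unicodedata
from urllib.parse import unquote, urlsplit

VENDOR_DOMAINS = ("cpuid.com",)                      # assumption: vendor's own domain
PRODUCT_PREFIX = {"cpu-z": "cpu-z", "hwmonitor": "hwmonitor"}  # assumption: name starts with product
INSTALLER_SUFFIXES = (".exe", ".zip")


def decode_idna_host(host: str) -> str:
    """Turn punycode labels (xn--...) back into Unicode so homoglyphs are visible."""
    out = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # undecodable label stays as-is; the vendor-domain check still fails it
        out.append(label)
    return ".".join(out)


def non_ascii_scripts(label: str) -> set[str]:
    """Script names (first word of the Unicode character name) of non-ASCII chars."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ord(ch) > 127}


def check_download_link(url: str, product: str, vendor_domains=VENDOR_DOMAINS) -> list[str]:
    """Return the reasons to distrust url as an installer for product (empty list = looks fine)."""
    reasons = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'}, not https")
    host = decode_idna_host((parts.hostname or "").lower())
    for label in host.split("."):
        scripts = non_ascii_scripts(label)
        if scripts:
            reasons.append(f"hostname label {label!r} uses non-ASCII script(s): {', '.join(sorted(scripts))}")
    # Exact match or a proper subdomain; "cpuid.com.evil.example" must not pass.
    if not any(host == d or host.endswith("." + d) for d in vendor_domains):
        reasons.append(f"host {host!r} is not a vendor domain")
    if host.endswith(".r2.dev"):
        reasons.append("host is a Cloudflare R2 public bucket, not vendor infrastructure")
    filename = unquote(parts.path.rsplit("/", 1)[-1]).lower()
    prefix = PRODUCT_PREFIX[product]
    if not (filename.startswith(prefix) and filename.endswith(INSTALLER_SUFFIXES)):
        reasons.append(f"filename {filename!r} does not look like a {product} installer (expected name starting with {prefix!r})")
    return reasons


# Constructed sample links (not real indicators from the incident).
SAMPLE_LINKS = {
    "genuine": ("https://www.cpuid.com/downloads/cpu-z/cpu-z_2.16-en.exe", "cpu-z"),
    "r2_bucket": ("https://pub-0123456789abcdef.r2.dev/HWiNFO_Monitor_Setup.exe", "hwmonitor"),
    "homoglyph": ("https://www.cpu\u0456d.com/hwmonitor_1.60.exe", "hwmonitor"),  # Cyrillic 'і' for 'i'
    "punycode": ("https://www." + "cpu\u0456d".encode("idna").decode("ascii") + ".com/hwmonitor_1.60.exe", "hwmonitor"),
    "suffix_trick": ("https://www.cpuid.com.evil.example/cpu-z_2.16-en.exe", "cpu-z"),
}


def demo() -> dict[str, list[str]]:
    return {name: check_download_link(url, product) for name, (url, product) in SAMPLE_LINKS.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'OK' if not reasons else '; '.join(reasons)}")
```

The punycode case matters because a browser's address bar and a page's anchor text may show the ASCII `xn--` form while the link's visible label shows the lookalike; decoding the label first means the check reports the script mix either way.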

It was Reddit users who noticed first. AV tools flagged the downloads and people compared notes. CPUID confirmed the breach after the community had already identified it. The same C2 infrastructure had been used in a previous campaign that trojaned FileZilla installers, which means whoever ran this had done it before and was reusing working kit.

CPU-Z and HWMonitor are tools that people download specifically to read hardware data. They are widely trusted, widely used, and hosted on a site that most people treat as authoritative. The attack worked by exploiting that trust. When you download from an official source, you are trusting the entire delivery chain, not just the files at the end of it. A compromised download URL is as dangerous as a compromised binary. The signed, unmodified software sitting on CPUID's servers was irrelevant once the link pointing to it was replaced.

If you downloaded CPU-Z or HWMonitor at any point between roughly 15:00 UTC on April 9 and 10:00 UTC on April 10 (the widest window in circulation; the core compromise is put at about six hours), assume the installer was malicious. Change passwords, check crypto wallets, review account activity. A clean OS install is the most reliable fix. Running a scan on a system that has already executed an in-memory RAT is not a guarantee of anything.


Tip: Trusting an official site means trusting every layer of infrastructure between you and the download button

Which tools were affected?

CPU-Z and HWMonitor, both developed by CPUID. The compromised download links served trojaned installers for both tools during the compromise window on April 9–10, 2026.

Was the actual software modified?

No. CPUID confirmed the original signed binaries were never altered. The attack replaced the download URLs, not the software files themselves.

What does STX RAT do?

It runs in memory, targets browser-stored credentials including Chrome passwords, and goes after cryptocurrency wallets. It also gives attackers remote access to the infected machine for follow-on actions.

How was it discovered?

Reddit users noticed antivirus alerts and unusual installer filenames. CPUID confirmed the breach after community reports, not through internal detection.

What should you do if you downloaded during the window?

Change all passwords, check cryptocurrency wallets, and review account activity for anything unusual. A clean OS reinstall is the most reliable remediation; an antivirus scan of a machine that has already run an in-memory RAT cannot confirm it is clean.

Originally published at https://blackoutvpn.au on April 13, 2026.