CPUID, developer of the well-known hardware detection tool CPU-Z and the hardware monitoring tool HWMonitor, recently had its website attacked. The attackers broke into the website's server through unknown means, then caused malicious links to appear at random on the site and induced users to download them.

Reddit users first noticed the problem when trying to update HWMonitor v1.63: the CPUID site served a confusingly named file, HWiNFO_Monitor_Setup.exe, which immediately triggered a Microsoft Defender security warning.
One user assumed the warning was a false alarm, ignored it and ran the file, at which point a Russian installer unexpectedly appeared. This was obviously abnormal, so the user aborted the installation and posted on Reddit to alert others to the security issue.
After receiving this feedback, CPUID officially confirmed that the website had been hacked. The compromise lasted about 6 hours, between April 9 and 10, 2026 local time. Further details are still under investigation, and the original files of the affected applications have not been tampered with.
How the malware works:
The package delivered by the attackers contains the normal CPU-Z software, but bundles a malicious file named CRYPTEBASE.dll alongside it, which is loaded into memory when the user runs CPU-Z.
Once running, the malicious file automatically searches for browser credentials and can call PowerShell to fetch further instructions from the C2 server, including attempts to decrypt the account passwords that the Chrome browser stores locally.
CPUID website's auxiliary API was taken over:
According to current analysis, the attackers somehow gained control of an auxiliary API on the CPUID website, which let them tamper with download links without touching the source code server. The CPUID software itself was not modified; the attackers mainly replaced the download links with the address of the malicious program.
Given how harmful these malicious files are, users who downloaded and installed CPU-Z or HWMonitor from the official CPUID website between April 9 and 11, 2026 are advised to reinstall the operating system outright and change their account passwords.
In addition, for sessions that can be signed out (such as a Chrome browser login), it is recommended to log out of them directly, which forces any stolen tokens to expire.
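To find out whether a machine is affected, the following triage sweep (an added example, not code from CPUID or from the original report) walks the given folders for the two file names mentioned above and records each hit's hash, timestamp and neighbouring files. The function names and the use of file modification time as a stand-in for download time are assumptions of this example.

```python
import hashlib
import os
from datetime import datetime

# File names taken from the article; matching is case-insensitive.
SUSPECT_NAMES = {"hwinfo_monitor_setup.exe", "cryptebase.dll"}
# Download window the article advises on (April 9 to 11, 2026), local time.
# Assumption: modification time approximates when the file arrived on disk.
WINDOW_START = datetime(2026, 4, 9)
WINDOW_END = datetime(2026, 4, 12)  # exclusive upper bound


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(roots):
    """Return one finding per file whose name matches SUSPECT_NAMES."""
    findings = []
    for root in roots:
        for folder, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() not in SUSPECT_NAMES:
                    continue
                path = os.path.join(folder, name)
                try:
                    modified = datetime.fromtimestamp(os.path.getmtime(path))
                    digest = sha256_of(path)
                except OSError:
                    continue  # unreadable or vanished file; skip it
                findings.append({
                    "path": path,
                    "sha256": digest,
                    "modified": modified,
                    "in_window": WINDOW_START <= modified < WINDOW_END,
                    # Neighbouring files show what the DLL was bundled with.
                    "siblings": sorted(f for f in files if f != name),
                })
    return findings


if __name__ == "__main__":
    import sys
    for hit in sweep(sys.argv[1:] or [os.path.expanduser("~")]):
        print(hit["modified"].isoformat(), hit["in_window"], hit["sha256"], hit["path"])
```

A name match is only a lead for further analysis, and an empty result does not clear a machine that ran a download from the affected window.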