Last week, the website of CPUID, the well-known hardware utility developer, was compromised by hackers who replaced the download links for several of its hardware monitoring tools, including CPU-Z and HWMonitor. Users who ran the malicious builds dropped by the hackers were infected with a remote access Trojan. To be fair, although software such as CPU-Z is very well known, the CPUID team is not a large company and does not have the capacity to conduct a detailed security investigation, so the details still depend on reports issued by other security companies, such as Kaspersky.

There should be quite a few infected users:

Hardware detection and monitoring tools such as CPU-Z and HWMonitor are mostly used by professional users, so the number of people who actively install such software should not be very large. Even so, Kaspersky has detected at least 150 attacks.

Considering the current worldwide usage share of Kaspersky's security products, we conservatively estimate that the actual number of infected users is in the tens of thousands, with most infections occurring in Brazil, Russia and China.

The attack lasted from 15:00 UTC on April 9, 2026 to 10:00 UTC on April 10 (local time, UTC+8: 23:00 on April 9, 2026 to 18:00 on April 10, 2026), a total of 19 hours, not the 6 hours CPUID previously estimated.

If you downloaded software such as CPU-Z from the CPUID website during this period, it is recommended that you immediately back up your data and reinstall the operating system. It is also best to rotate all of your keys and run a full scan of the backed-up files with security software such as Kaspersky.
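A small triage helper for the check described above, added here as an example and not part of the original article or of any CPUID or Kaspersky tooling: it walks a downloads folder, picks out files whose names look like CPUID installers, and flags those written during the 19-hour window the article gives. The installer name pattern and the downloads path are assumptions, and a hit only means "review this file", since the article publishes no hashes that would confirm a malicious copy.

```python
"""Flag CPUID installers written during the stated compromise window.

Added example, not code from the article. A file's modification time on
disk reflects when the download finished locally, so it is a reasonable
proxy for "downloaded during the window", but not proof of compromise.
"""
import os
import re
from datetime import datetime, timezone
from pathlib import Path

# Window as stated in the article: 15:00 UTC 2026-04-09 to 10:00 UTC 2026-04-10.
WINDOW_START = datetime(2026, 4, 9, 15, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 10, 10, 0, tzinfo=timezone.utc)

# Assumed installer naming (e.g. cpu-z_2.16-en.exe, hwmonitor_1.60.exe);
# matched case-insensitively. Adjust if your copies are named differently.
INSTALLER_RE = re.compile(r"^(cpu-?z|hwmonitor)[-_\w.]*\.(exe|zip)$", re.IGNORECASE)


def in_window(ts: datetime) -> bool:
    """True if a timezone-aware timestamp falls inside the compromise window."""
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware to compare against UTC")
    return WINDOW_START <= ts.astimezone(timezone.utc) <= WINDOW_END


def classify(name: str, mtime_epoch: float) -> str:
    """Return 'review', 'outside-window' or 'not-cpuid' for one file."""
    if not INSTALLER_RE.match(name):
        return "not-cpuid"
    ts = datetime.fromtimestamp(mtime_epoch, tz=timezone.utc)
    return "review" if in_window(ts) else "outside-window"


def scan_downloads(folder: str) -> list[tuple[str, str]]:
    """Classify every regular file directly under folder; returns (name, verdict) pairs."""
    results = []
    for p in Path(folder).iterdir():
        if p.is_file():
            results.append((p.name, classify(p.name, p.stat().st_mtime)))
    return results


if __name__ == "__main__":
    for name, verdict in scan_downloads(os.path.expanduser("~/Downloads")):
        if verdict == "review":
            print(f"REVIEW: {name} was written during the CPUID compromise window")
```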

Lazy hackers led to fewer infections:

It is worth noting that attributing this attack was very simple, because the hackers reused the domain name that had previously distributed a malicious version of FileZilla, which makes it easy to attribute the attack to the group behind STX RAT.

STX RAT is a remote access Trojan with HVNC (Advanced Virtual Network Control) and powerful information-stealing capabilities. It supports remote control, follow-on payload execution and post-exploitation operations such as running EXE, DLL, PowerShell and shellcode payloads in memory, and it can also set up a reverse proxy and interact with the desktop.

The problem is that the hackers were lazy and did not register a new domain name. In the earlier FileZilla poisoning incident (FileZilla itself was not hacked; the hackers distributed the poisoned version through other channels on the Internet), the relevant C2 domain had already been recorded by security companies.

As a result, security software such as Kaspersky could identify the malicious domain directly and block it. In theory, users running anti-virus software such as Kaspersky would have been protected from the moment the malicious version was released, while users without security software may have been infected.

Kaspersky said: the overall malware development, deployment and operational capabilities of the hackers behind this attack were quite low, which allowed us to detect and block the attack at an early stage.

Learn more:

https://securelist.com/tr/cpu-z/119365/