CPUID’s official download infrastructure was briefly abused in April to push malicious files to some users trying to download CPU-Z, HWMonitor and related tools. The incident matters because these utilities are widely used by PC builders, reviewers, overclockers and support technicians who normally treat CPUID’s website as a trusted source.

The confirmed picture is narrower than a full compromise of the tools themselves. Reporting and technical analysis indicate that attackers manipulated website download links through a secondary API or related web function. The original signed CPUID binaries were not described as altered; the risk came from users being redirected to lookalike or trojanized packages during the attack window.

What happened during the attack window

Heise reported that visitors downloading CPUID system analysis tools on April 9 or 10, 2026 may have been served links to malware instead of the regular installation packages. The same reporting described the exposure as lasting several hours and linked the incident to a compromised API rather than to the core software builds being rewritten.

Technical write-ups described malicious packages that included legitimate-looking components alongside a harmful CRYPTBASE.dll file. That pattern points to DLL sideloading, a method in which a trusted executable loads a malicious library placed in the same directory. Once launched, the infection chain could then attempt further execution and persistence.

Why this was not just a fake download site

The risk was more serious than a common search-ad or typo-domain scam because users could reach the official CPUID site and still encounter malicious download links. That is why the incident belongs in the software supply-chain and watering-hole category: attackers abused trust in a legitimate distribution channel.

Security coverage from Tom’s Hardware and TechRadar also stressed that the original signed files were not necessarily the compromised element. For users, however, that distinction does not reduce the practical risk. A person who downloaded during the affected window may still need to scan the system, check file hashes where possible and consider changing sensitive credentials if malware execution is suspected.

What users should do now

Anyone who downloaded CPU-Z, HWMonitor, HWMonitor Pro or PerfMonitor from CPUID during the affected period should remove suspicious installer archives, run a reputable security scan and download fresh copies directly from the vendor once the issue has been resolved. Users should also be wary of installers with unexpected names, unusual languages, unfamiliar setup wrappers or antivirus warnings.

For IT teams, the incident is another reminder that “official website” does not automatically mean “safe package” when a distribution layer is compromised. Endpoint monitoring, application allow lists, vendor hash checks and network indicators can help reduce the damage window when trusted utilities are targeted.
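
The sideloading pattern described earlier, a CRYPTBASE.dll placed next to an executable, can be checked for on disk. The following Python is an added example, not code from CPUID or the cited reports: it walks a download or extraction folder, flags any CRYPTBASE.dll that sits beside an .exe outside the trusted system location, and records its SHA-256 for comparison with vendor or published values. The sample file names and the use of %SystemRoot% as the trusted location are assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

SIDELOAD_NAMES = {"cryptbase.dll"}  # DLL name from the write-ups cited on this page


def find_sideload_candidates(scan_root, trusted_roots=None):
    """Return (dll_path, sha256, sibling_exes) for each watched DLL beside an .exe."""
    if trusted_roots is None:  # assumption: genuine copies live under %SystemRoot%
        trusted_roots = [os.environ["SystemRoot"]] if "SystemRoot" in os.environ else []
    trusted = [Path(t).resolve() for t in trusted_roots]
    findings = []
    for dirpath, _dirs, files in os.walk(scan_root):
        here = Path(dirpath).resolve()
        if any(here == t or t in here.parents for t in trusted):
            continue  # the operating system's own copy is expected here
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        for name in files:
            if name.lower() in SIDELOAD_NAMES and exes:
                dll = here / name
                digest = hashlib.sha256(dll.read_bytes()).hexdigest()
                findings.append((str(dll), digest, exes))
    return findings


def build_constructed_sample(base):
    """Create a constructed directory tree (placeholder bytes, no real binaries)."""
    layout = {
        "extracted/pkg/setup_sample.exe": b"constructed exe bytes",
        "extracted/pkg/CRYPTBASE.dll": b"constructed dll bytes",
        "extracted/clean/tool_sample.exe": b"constructed exe bytes",
        "fake_system/cmd_sample.exe": b"constructed exe bytes",
        "fake_system/cryptbase.dll": b"constructed system dll bytes",
    }
    for rel, data in layout.items():
        target = Path(base, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return Path(base, "fake_system")  # stands in for the real system directory


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        system_dir = build_constructed_sample(tmp)
        for dll, digest, exes in find_sideload_candidates(tmp, [system_dir]):
            print(f"REVIEW {dll} sha256={digest} beside={exes}")
```

On Windows, omit the second argument so the real system directory is excluded automatically. A hit is a reason to examine the file and its hash, not a verdict on its own.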

The broader lesson

CPUID’s breach fits a wider pattern in which attackers target the path between software publisher and user, not only the software code itself. Popular diagnostic tools are attractive because they are often downloaded by technical users with elevated privileges and because they are trusted enough to bypass normal suspicion.

The event does not prove that CPU-Z or HWMonitor are inherently unsafe. It is instead a warning about download-chain integrity. Even trusted utilities need verified distribution, and users who downloaded during a known compromise window should treat that specific installation path as suspect until it has been checked.