
CPUID has confirmed a software supply chain attack that briefly compromised the official download infrastructure for its popular hardware monitoring tools, CPU‑Z and HWMonitor. During a limited exposure window, attackers manipulated download links on the CPUID website, causing users to receive trojanized installers that delivered malware instead of the legitimate utilities. Read this Cybersecurity Threat Advisory to reduce your and your clients’ risk.
What is the threat?
This incident represents a supply chain compromise of CPUID’s official software distribution channel. Attackers altered download links on cpuid.com to redirect users to attacker‑controlled infrastructure hosting malicious executables disguised as legitimate installers.
Users who downloaded CPU‑Z or HWMonitor during the exposure window may have unknowingly executed malware. Key characteristics include:
- Compromise of a secondary API controlling download redirection, not the code‑signing process
- Delivery of malicious installers via links presented on the official CPUID website
- Use of file masquerading and in‑memory execution
- Techniques designed to evade antivirus and endpoint detection and response (EDR) tools
Why is it noteworthy?
This campaign is significant because:
- Users followed normal, trusted behaviors by downloading software directly from the official CPUID website, undermining traditional trust assumptions
- CPU‑Z and HWMonitor are used by millions of individuals, including IT professionals and enterprise environments, increasing the potential blast radius
- Researchers observed multi‑stage execution, in‑memory operation, and anti‑analysis techniques, indicating a higher‑than‑average level of sophistication
- Even though the incident lasted only several hours, affected endpoints could be fully compromised with minimal user interaction beyond installation
What is the exposure or risk?
Organizations may be at risk if they have:
- Systems that downloaded CPU‑Z, HWMonitor, or related CPUID tools from cpuid.com during the compromise window
- Endpoints lacking behavior‑based detection capable of identifying in‑memory loaders
- Enterprise environments where these utilities are allowed without additional application controls or allow‑listing
What are the recommendations?
Barracuda strongly recommends taking the following actions to reduce exposure and secure environments:
- Identify potentially affected endpoints by reviewing download and installation activity for CPU‑Z and HWMonitor during the reported time frame
- Uninstall any affected utilities and re‑download only from confirmed clean sources after vendor remediation
- Perform full endpoint scans, with particular focus on detecting memory‑resident threats
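One way to carry out the first recommendation, as an added example (not code from CPUID, Barracuda or the original advisory): a Python triage pass over web-proxy logs that lists CPU-Z and HWMonitor installer downloads inside the exposure window, with downloads served from outside cpuid.com listed first. The log format, sample rows, file-name pattern and window dates are constructed placeholders; substitute the window published by the vendor.

```python
import csv
import io
import re
from datetime import datetime, timezone

# PLACEHOLDER window: the advisory gives no times; use the vendor's published window.
WINDOW_START = datetime(2000, 1, 1, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2000, 1, 1, 6, 0, tzinfo=timezone.utc)
VENDOR_DOMAIN = "cpuid.com"
# Assumed installer/archive naming; adjust to the file names seen in your own logs.
TOOL_RE = re.compile(r"(cpu-?z|hwmonitor)[^/]*\.(exe|zip)$", re.IGNORECASE)

# Constructed proxy log: endpoints, hosts and paths are made up for illustration.
SAMPLE_LOG = """time,endpoint,dest_host,path
2000-01-01T01:15:00+00:00,WS-014,files.example.net,/dl/hwmonitor_setup.exe
2000-01-01T02:40:00+00:00,WS-022,download.cpuid.com,/cpu-z/cpu-z_setup.exe
2000-01-01T09:00:00+00:00,WS-031,download.cpuid.com,/cpu-z/cpu-z_setup.exe
2000-01-01T03:00:00+00:00,WS-040,notcpuid.com,/cpu-z.zip
2000-01-01T03:05:00+00:00,WS-041,www.cpuid.com,/softwares/cpu-z.html
"""


def is_vendor_host(host):
    """True for cpuid.com and its subdomains only, not look-alikes like notcpuid.com."""
    host = host.lower().rstrip(".")
    return host == VENDOR_DOMAIN or host.endswith("." + VENDOR_DOMAIN)


def triage(log_text, start=WINDOW_START, end=WINDOW_END):
    """Return in-window CPU-Z/HWMonitor downloads, off-domain sources first."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.fromisoformat(row["time"])
        if not (start <= when <= end) or not TOOL_RE.search(row["path"]):
            continue  # outside the window, or not an installer/archive download
        hits.append({
            "endpoint": row["endpoint"],
            "time": when,
            "dest_host": row["dest_host"],
            "off_domain": not is_vendor_host(row["dest_host"]),
        })
    # Downloads served from outside the vendor domain sort first, then by time.
    hits.sort(key=lambda h: (not h["off_domain"], h["time"]))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        tag = "OFF-DOMAIN" if hit["off_domain"] else "vendor host"
        print(hit["time"].isoformat(), hit["endpoint"], hit["dest_host"], tag)
```

Every endpoint the pass lists is a candidate for the uninstall and scan steps above; the off-domain flag only sets the order of review.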
References
For more in-depth information about the recommendations, please visit the following links:
- CPUID hacked to deliver malware via CPU-Z, HWMonitor downloads
- CPUID compromised, HWMonitor and CPU-Z delivered malware | Cybernews
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.

