Full Report
Hackers gained access to an API for the CPUID project and changed the download links on the official website to serve malicious executables for the popular CPU-Z and HWMonitor tools. [...]
Analysis Summary
# Incident Report: CPUID Supply Chain Poisoning via API Compromise
## Executive Summary
In April 2026, the official CPUID website was targeted in a supply chain attack where hackers compromised a secondary API to redirect official download links to malicious executables. The attack served a multi-staged, trojanized loader masquerading as hardware monitoring software (specifically a fake HWiNFO installer) to users of CPU-Z and HWMonitor. The incident lasted approximately six hours and is attributed to a threat actor previously seen targeting FileZilla users.
## Incident Details
- **Discovery Date:** April 10, 2026
- **Incident Date:** April 9, 2026 – April 10, 2026
- **Affected Organization:** CPUID
- **Sector:** Software Development / Utilities
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** April 9, 2026 (Evening)
- **Vector:** Exploitation of a secondary "side API" feature.
- **Details:** Attackers gained access to a secondary website API while the lead developer was on holiday, allowing them to modify the download links served on the main website portal.
### Lateral Movement
- **Details:** Information restricted; the report focuses on the compromise of the web infrastructure rather than internal network movement.
### Data Exfiltration/Impact
- **Impact:** Poisoned download links randomly served a malicious file titled `HWiNFO_Monitor_Setup` hosted on Cloudflare R2 storage instead of the legitimate CPU-Z/HWMonitor binaries.
### Detection & Response
- **Detection:** Users on Reddit and researchers at Igor’s Labs and @vxunderground identified the anomalies (Russian Inno Setup wrappers and Cloudflare R2 redirects) and reported them publicly.
- **Response Actions:** CPUID identified the breach in the side API, removed the malicious links, and restored legitimate download paths within six hours of initial compromise.
## Attack Methodology
- **Initial Access:** API Compromise (Secondary feature/Side API).
- **Persistence:** Not explicitly detailed; focused on the duration of the web redirect.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Use of file masquerading (masquerading as HWiNFO), multi-staging, in-memory operation, and proxying NTDLL functionality from a .NET assembly to evade EDR/AV detection.
- **Credential Access:** The payload is likely an infostealer (per VirusTotal researcher consensus).
- **Discovery:** Targeted widely used system utilities to maximize reach.
- **Lateral Movement:** N/A (External supply chain focus).
- **Collection:** Infostealing capabilities targeting user data.
- **Exfiltration:** Standard malware C2 communication (implied).
- **Impact:** Supply chain contamination/Software poisoning.
## Impact Assessment
- **Financial:** Unknown; potential for theft via infostealer payloads.
- **Data Breach:** Compromised an unknown number of user systems via trojanized downloads.
- **Operational:** Six-hour window where official site served malware; API functionality temporarily disabled/fixed.
- **Reputational:** High; CPUID tools have millions of users who rely on the integrity of these binaries for system specification monitoring.
## Indicators of Compromise
- **Network indicators:** hxxps[://]cpuid[.]com (compromised distribution point); Cloudflare R2 storage URLs used for malware hosting.
- **File indicators:**
  - `HWiNFO_Monitor_Setup` (Malicious installer)
  - `eff5ece65fb30b21a3ebc1ceb738556b774b452d13e119d5a2bfb489459b4a46` (SHA-256)
- **Behavioral indicators:** Inno Setup wrappers displaying Russian language; atypical redirect to Cloudflare R2 from a primary software domain.
## Response Actions
- **Containment:** Identified and disabled the compromised secondary API feature.
- **Eradication:** Removed malicious download links and purged Cloudflare R2 redirects.
- **Recovery:** Restored direct download links to the original, signed, and clean `hwmonitor_1.63.exe` and CPU-Z binaries.
## Lessons Learned
- **API Security:** Secondary or "side" APIs often have a weaker security posture than primary systems, yet they can have high-impact consequences when they control UI elements such as download buttons.
- **Monitoring during Leave:** Attackers intentionally timed the breach during the lead developer's absence, highlighting the need for robust coverage during holiday periods.
- **Community Intelligence:** User-led platforms (Reddit) and independent researchers provided the fastest detection signals for the organization.
## Recommendations
- **API Hardening:** Conduct regular security audits of all public-facing APIs, including secondary or legacy features.
- **Subresource Integrity (SRI):** Implement checks to ensure that the files served via links match expected cryptographic hashes.
- **Enhanced Monitoring:** Implement integrity monitoring on the website's CMS or backend to alert when critical download URLs are modified.
- **Multi-Factor Authentication (MFA):** Ensure MFA is enforced across all administrative interfaces and API management consoles.
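The hash-check and download-link monitoring recommendations above, as an added example (not CPUID's code): a small monitor that extracts the download links from a page, flags any link that leaves the allowlisted download host or points at a file name absent from a hash manifest, and verifies served bytes against the manifest. The `class="download"` markup, the `download.cpuid.com` host, the manifest hashes and the sample HTML are all constructed assumptions.

```python
"""Download-link integrity monitor (added example; all names are assumptions).

Assumes each download button is an <a class="download">, an allowlist of hosts
that may legitimately serve binaries, and a manifest of expected file names to
SHA-256 hashes. The sample page and hashes below are constructed for the demo.
"""
import hashlib
import re
from urllib.parse import urlparse

ALLOWED_HOSTS = {"download.cpuid.com"}  # assumption: the legitimate download host
# Manifest of expected binaries; the hash is of constructed sample bytes, not a real build.
MANIFEST = {
    "hwmonitor_1.63.exe": hashlib.sha256(b"legit hwmonitor build").hexdigest(),
}
LINK_RE = re.compile(r'<a[^>]+class="download"[^>]+href="([^"]+)"', re.I)


def extract_download_links(html: str) -> list[str]:
    """Return every href on the page that is marked as a download button."""
    return LINK_RE.findall(html)


def check_link(url: str) -> list[str]:
    """Return findings for one link; an empty list means the link looks sane."""
    findings = []
    parsed = urlparse(url)
    name = parsed.path.rsplit("/", 1)[-1]
    if parsed.scheme != "https":
        findings.append("non-https download link")
    if parsed.hostname not in ALLOWED_HOSTS:  # e.g. a swap to third-party object storage
        findings.append(f"unexpected host {parsed.hostname}")
    if name not in MANIFEST:
        findings.append(f"unknown file name {name}")
    return findings


def verify_download(name: str, data: bytes) -> bool:
    """True only if the served bytes hash to the manifest value for this file name."""
    expected = MANIFEST.get(name)
    return expected is not None and hashlib.sha256(data).hexdigest() == expected


def audit_page(html: str) -> dict[str, list[str]]:
    """Map each download link to its findings so a scheduler can alert on any non-empty entry."""
    return {url: check_link(url) for url in extract_download_links(html)}


if __name__ == "__main__":
    # Constructed sample page: one clean link and one redirected to an R2-style bucket.
    SAMPLE_HTML = (
        '<a class="download" href="https://download.cpuid.com/hwmonitor_1.63.exe">HWMonitor</a>'
        '<a class="download" href="https://example-bucket.r2.dev/HWiNFO_Monitor_Setup">CPU-Z</a>'
    )
    for url, findings in audit_page(SAMPLE_HTML).items():
        print("ALERT" if findings else "ok", url, findings)
```

Run it on a schedule against the live download page and alert on any non-empty findings; the hash check belongs in the release pipeline and in any mirror that re-serves the binaries.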