CPU-Z and HWMonitor downloads replaced with malware

The official download page for CPUID, the company behind widely used PC monitoring tools CPU-Z and HWMonitor, has been compromised. Download links on the page now serve malware-laden files rather than legitimate installers. Anyone who has downloaded either tool from CPUID’s site recently should run a full system scan immediately.

The compromise was spotted by Reddit users DMkiIIer and OthoAi5657 and subsequently confirmed by cybersecurity research group vx-underground on X. CPU-Z and HWMonitor are among the most frequently used tools by PC enthusiasts and hardware reviewers for reading system information, checking CPU clocks, and monitoring temperatures.

What the altered files look like

From the outside, CPUID’s download page appears unchanged. The links seem legitimate and produce files with plausible names. But instead of the expected filename, such as hwmonitor_1.63.exe, the downloaded file arrives as HWiNFO_Monitor_Setup.exe, an apparent attempt to mimic the name of HWInfo, a separate, unrelated, and unaffected tool. The installer uses a different wrapper than the real software and offers Russian as the setup language. Antivirus software flags the files immediately on launch.

The filename mismatch caused some users to report HWInfo as compromised on social media. vx-underground and others have since clarified that HWInfo is not involved in any way.

A multi-stage, in-memory attack

vx-underground described the malware as well beyond a basic file swap. In their words: “This is not your typical run-of-the-mill malware. This malware is deeply trojanized, distributes from a compromised domain, performs file masquerading, is multi-staged, operates (almost) entirely in-memory, and uses some interesting methods to evade EDRs and/or AVs such as proxying NTDLL functionality from a .NET assembly.”

The group also linked this campaign to a separate attack from early March 2026 that used the same techniques to trojanize FileZilla, a popular FTP client. As vx-underground put it: “They’ve been busy.”

The identity of the threat group behind both campaigns is not yet known. The pattern of targeting widely downloaded, trusted software tools suggests the attackers are looking for high-volume distribution through legitimate-looking sources.

How to protect yourself

Running a full scan with an updated antivirus or antimalware tool is the immediate step for anyone who has downloaded CPU-Z or HWMonitor recently. For future downloads, comparing the filename, file size, and digital signature of any installer against known-good versions can reveal tampering. Downloading the same file from multiple sources and verifying all copies are identical adds another layer of verification.
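
The checks above can be run in PowerShell before an installer is ever launched. The function below is an added example, not code from CPUID or vx-underground; the function name, the file paths in the usage comment, and the signer string are assumptions, and the signer value has to be read from a copy you already trust, since the article does not give it.

```powershell
# Added example: compare copies of one installer fetched from different sources.
# Nothing is executed; the files are only read, hashed and signature-checked.
function Test-InstallerCopies {
    param(
        [Parameter(Mandatory)][ValidateCount(2, 64)]
        [string[]]$Path,                                  # the downloaded copies
        [Parameter(Mandatory)][string]$ExpectedName,      # e.g. hwmonitor_1.63.exe
        [Parameter(Mandatory)][string]$ExpectedSigner,    # text from a trusted copy's signer subject
        [long]$ExpectedSize = 0                           # 0 = known-good size not available
    )
    $rows = @(foreach ($p in $Path) {
        $file    = Get-Item -LiteralPath $p
        $sig     = Get-AuthenticodeSignature -LiteralPath $p
        # Unsigned files have no signer certificate at all.
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Path     = $file.FullName
            NameOk   = $file.Name -ieq $ExpectedName
            SizeOk   = ($ExpectedSize -eq 0) -or ($file.Length -eq $ExpectedSize)
            SHA256   = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            SigValid = $sig.Status -eq 'Valid'
            # A valid signature from some other publisher is still a failure.
            SignerOk = $subject.IndexOf($ExpectedSigner,
                           [StringComparison]::OrdinalIgnoreCase) -ge 0
        }
    })
    # All copies must be byte-identical, whichever source they came from.
    $allSame = @($rows | Select-Object -ExpandProperty SHA256 -Unique).Count -eq 1
    foreach ($r in $rows) {
        $ok = $r.NameOk -and $r.SizeOk -and $r.SigValid -and $r.SignerOk -and $allSame
        $verdict = if ($ok) { 'OK' } else { 'DO NOT RUN' }
        $r | Add-Member -NotePropertyName CopiesMatch -NotePropertyValue $allSame
        $r | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict -PassThru
    }
}

# Usage (hypothetical paths; replace the signer placeholder before running):
# Test-InstallerCopies -Path 'C:\dl\site\hwmonitor_1.63.exe','C:\dl\mirror\hwmonitor_1.63.exe' `
#     -ExpectedName 'hwmonitor_1.63.exe' `
#     -ExpectedSigner '<signer name from a known-good copy>' | Format-Table -AutoSize
```

A file that arrives as HWiNFO_Monitor_Setup.exe when hwmonitor_1.63.exe was requested fails the NameOk column on its own, before the hash and signature columns are considered.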

CPUID had not issued a public statement at the time of writing, and it was not confirmed whether the compromised links had been removed from the download page.