Warning: Official CPU-Z and HWMonitor Tools Infected With Malware
The official website of CPUID was compromised on April 10, 2026, resulting in the distribution of multi-stage, evasive malware through download links for the Windows utilities CPU-Z and HWMonitor.
Community reports, primarily originating from Reddit, indicate that users attempting to download HWMonitor 1.63 received a malicious installer named HWiNFO_Monitor_Setup.exe instead of the expected hwmonitor_1.63.exe. These installers featured Russian-language dialog boxes and utilized an unusual Inno Setup wrapper, triggering immediate warnings from Windows Defender.
Technical Details of the Compromise
The security breach appears to have occurred between April 9 and April 10. Preliminary investigations suggest that the attackers gained access by compromising a secondary feature, specifically a side API, which allowed them to hijack the download paths for the software.
While the official product page for HWMonitor continued to list version 1.63 as the current release, the delivery mechanism was fragmented. The setup version directed users to a separate CPUID download page before routing the final download through download.cpuid.com, while the ZIP version linked directly to a Cloudflare R2 domain. This inconsistency provided the window for the delivery of the fraudulent HWiNFO-branded installer.
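The filename mismatch described above can be hunted for in web-proxy logs. The following is an added example, not code from CPUID or from the original reports; the log layout, the referer and download URL paths, the `files.example.invalid` host and the version-pattern generalisation of `hwmonitor_1.63.exe` are assumptions, and the sample records are constructed.

```python
import re
from urllib.parse import urlsplit

# Pattern generalised from the expected name hwmonitor_1.63.exe (assumption).
EXPECTED = re.compile(r"^hwmonitor_\d+\.\d+\.(exe|zip)$", re.I)
# Installer name given in the community reports.
REPORTED_BAD = "hwinfo_monitor_setup.exe"

# Constructed records: time, client, referer, URL, Content-Disposition name ("-" if none).
SAMPLE_LOG = """\
2026-04-10T08:02:11Z 10.0.0.21 https://www.cpuid.com/softwares/hwmonitor.html https://download.cpuid.com/hwmonitor/hwmonitor_1.63.exe hwmonitor_1.63.exe
2026-04-10T09:15:40Z 10.0.0.34 https://www.cpuid.com/softwares/hwmonitor.html https://download.cpuid.com/hwmonitor/hwmonitor_1.63.exe HWiNFO_Monitor_Setup.exe
2026-04-10T09:48:03Z 10.0.0.57 https://www.cpuid.com/softwares/hwmonitor.html https://files.example.invalid/hwmonitor_1.63.zip -
2026-04-10T10:05:19Z 10.0.0.62 https://www.cpuid.com/softwares/hwmonitor.html https://files.example.invalid/get?id=7 monitor-setup.exe
2026-04-10T10:30:00Z 10.0.0.70 https://notcpuid.com/hwmonitor https://files.example.invalid/tool.exe tool.exe
"""

def on_cpuid(url):
    """True only for cpuid.com and its subdomains (not look-alikes such as notcpuid.com)."""
    host = (urlsplit(url).hostname or "").lower()
    return host == "cpuid.com" or host.endswith(".cpuid.com")

def delivered_name(url, header_name):
    """Prefer the server-supplied filename; fall back to the URL path basename."""
    if header_name != "-":
        return header_name
    return urlsplit(url).path.rsplit("/", 1)[-1]

def hunt(log_text):
    """Return (client, filename, reason) for downloads that do not match the product requested."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        _, client, referer, url, header_name = parts
        name = delivered_name(url, header_name)
        from_product_page = on_cpuid(referer) and "hwmonitor" in urlsplit(referer).path.lower()
        if name.lower() == REPORTED_BAD:
            findings.append((client, name, "reported-malicious-name"))
        elif from_product_page and not EXPECTED.match(name):
            findings.append((client, name, "unexpected-name"))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(*finding)
```

A filename match is only a triage signal: hosts it flags still need the downloaded file itself examined.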
Institutional Response
Following the surge of reports regarding the infected downloads, the CPUID website was taken offline. The incident is being characterized as a software supply-chain attack, where trusted distribution channels were used to deliver malicious payloads to an unsuspecting user base.
This event follows previous security disclosures regarding CPUID software, including a fixed DLL hijacking vulnerability in CPU-Z version 2.19 and a kernel driver information disclosure vulnerability (CVE-2025-65264) affecting version 2.17 and older. However, the current incident represents a direct compromise of the website’s infrastructure rather than a vulnerability within the software code itself.
Investigations into the full extent of the breach and the nature of the delivered malware remain ongoing.
