Attackers gained access to a CPUID side API and altered the official download links so that they served a trojanized HWiNFO installer in place of the legitimate CPU-Z and HWMonitor binaries, exposing the many users who downloaded from the site during the compromise window. The malicious HWiNFO_Monitor_Setup uses a Russian-language Inno Setup wrapper and a multi-stage, mostly in-memory loader that employs advanced evasion TTPs; CPUID says the side API was compromised for about six hours on April 9–10 and has since been fixed. #CPUID #CPUZ #HWMonitor #HWiNFO #Tedy #Artemis #FileZilla
Key points
- CPUID’s download chain was compromised, redirecting official downloads for CPU-Z and HWMonitor to malicious files.
- The trojanized file is named HWiNFO_Monitor_Setup and launches a suspicious Russian-language Inno Setup installer.
- Researchers observed a multi-stage, largely in-memory loader that uses NTDLL proxying from a .NET assembly to evade EDR and AV products.
- The compromise appears to have lasted roughly six hours between April 9 and April 10 and may be linked to a group targeting popular utilities like FileZilla.
- CPUID says the original signed binaries were not altered, only the distribution links were poisoned, and that the issue has been fixed while investigations continue.