April 10, 2026
Click here to cry: trusted tools go rogue
CPU-Z and HWMonitor compromised
Trusted PC tools became a trap — users split between panic and memes
TLDR: CPUID’s website briefly served malicious links for CPU‑Z and HWMonitor after a six‑hour backend breach, even though the original files stayed intact. Commenters warn this “hack the link, not the code” tactic is the new threat, sparking confusion over tool names and anxiety about Windows package manager safety.
Reddit lit up after fans of CPU‑Z and HWMonitor realized their trusted downloads were briefly swapped with something nastier. CPUID says a behind‑the‑scenes feature (an API that tells the site which file to serve) was hijacked for about six hours between April 9–10, making the main site randomly show bad links. The actual programs stayed properly signed, but users slammed that as cold comfort: if the link lies, the signature doesn’t save you. Security regulars like kevincloudsec cried “repeat offender,” saying the same crew hit FileZilla and has leveled up from fake sites to making the real site serve the wrong file.
Cue the drama: one installer pointed to a weirdly named file, and analysis says the malware used a fake Windows helper file to sneak in, then lived mostly in memory and went sniffing for browser passwords. Confusion added spice—people kept mixing up HWMonitor with HWiNFO, prompting “name‑check your tools” PSAs. Others worried about the Windows app store alternative, asking if winget downloads were safe. Meanwhile, the meme brigade showed up with ‘90s hacker movie jokes—“Hack the Gibson” energy—because when your favorite utility turns into a booby trap, sometimes all you can do is laugh. CPUID says it’s fixed, but the community’s trust? That’s going to take longer than six hours to patch.
Key Points
- CPUID’s website was briefly compromised via a secondary API, causing random malicious download links between April 9 and 10.
- Affected tools included HWMonitor and CPU-Z; users observed antivirus alerts and mismatched installer names.
- CPUID states its signed original installers and build process were not altered; the breach has been fixed.
- vx-underground reports the malware targeted 64-bit HWMonitor, used a fake CRYPTBASE.dll, contacted C2, used PowerShell, compiled a .NET payload, and injected into processes.
- The malware likely sought browser credentials via Chrome’s IElevation COM interface, and infrastructure overlaps suggest ties to earlier campaigns targeting FileZilla users.
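As an added, defender-side example (not CPUID's code and not from the reporting above), here is a PowerShell pre-install check that applies the lessons of this incident: verify the Authenticode signature and signer of the file you actually received instead of trusting the link, flag an installer whose name does not fit the tool's usual naming, and flag a CRYPTBASE.dll dropped beside the installer. The publisher subject and the file-name patterns are assumed placeholders; take the real values from a known-good copy.

```powershell
# Added example, not CPUID's own tooling. Checks a downloaded installer before it is run.
# $ExpectedSubject and $ExpectedNamePatterns are assumptions: fill them from a known-good file.
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSubject = 'CN=PLACEHOLDER-PUBLISHER',          # placeholder signer subject
        [string[]] $ExpectedNamePatterns = @('^cpu-z_.*\.exe$', '^hwmonitor_.*\.exe$')  # assumed patterns
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $file = Get-Item -LiteralPath $Path

    # 1. Authenticode: the signature must be Valid (intact hash, trusted chain) and from the expected signer.
    #    A swapped link cannot defeat this check unless the attacker also holds the publisher's key.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $findings.Add("signature status is '$($sig.Status)', not Valid")
    } elseif ($sig.SignerCertificate.Subject -notlike "*$ExpectedSubject*") {
        $findings.Add("signed by '$($sig.SignerCertificate.Subject)', not the expected publisher")
    }

    # 2. Name check: an oddly named file served from the real download page was one of the first red flags.
    $nameOk = $false
    foreach ($pattern in $ExpectedNamePatterns) {
        if ($file.Name -imatch $pattern) { $nameOk = $true }
    }
    if (-not $nameOk) {
        $findings.Add("installer name '$($file.Name)' does not match the expected naming")
    }

    # 3. Side-loading indicator: CRYPTBASE.dll belongs in System32, not in the Downloads folder.
    $sideload = Join-Path $file.DirectoryName 'CRYPTBASE.dll'
    if (Test-Path -LiteralPath $sideload) {
        $findings.Add("CRYPTBASE.dll found beside the installer ($sideload): possible DLL side-loading")
    }

    # Return a verdict plus the SHA256 so it can be compared against a hash from a trusted channel.
    [pscustomobject]@{
        File     = $file.FullName
        Sha256   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Trusted  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage (path is a placeholder): run this on every installer before double-clicking it.
# Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\hwmonitor_PLACEHOLDER.exe" | Format-List
```

A `Trusted` of `$false` means stop and compare the hash with one obtained out of band; a clean result still only proves the file is what the publisher signed, not that the download page itself is trustworthy.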