Red alert! Here’s what you should do if you downloaded free tools from cpuid.com on 9 or 10 April 2026…
The official website for CPU-Z and HWMonitor — free tools used by tens of millions of PC users worldwide to monitor hardware performance — was compromised on 9 April 2026, and legitimate software downloads were silently replaced with malware-laced installers for approximately 19 hours. Kaspersky’s Global Research and Analysis Team (GReAT) has analyzed the attack, identified more than 150 confirmed victims across multiple countries, and linked the malware infrastructure to a previous campaign.
CPU-Z and HWMonitor are among the most widely downloaded PC diagnostic tools available, routinely used by hardware enthusiasts, IT administrators and system builders to read processor speeds, temperatures and power consumption. Their popularity makes the compromise window significant: anyone who downloaded the software from cpuid.com between approximately 3 p.m. UTC on 9 April and 10 a.m. UTC on 10 April may have installed a backdoor instead.
CPUID confirmed the compromise and took downloads offline after the attack was discovered. Kaspersky GReAT’s subsequent analysis found the window lasted approximately 19 hours — about three times longer than the six hours CPUID had initially indicated.
Four products were affected: CPU-Z 2.19, HWMonitor 1.63, HWMonitor Pro 1.57 and PerfMonitor 2.04, distributed both as standalone installers and ZIP archives. Prior public reporting had identified only CPU-Z and HWMonitor as affected.
During the compromise, download links on cpuid.com were replaced with URLs pointing to four attacker-controlled websites. The trojanized packages each bundled a legitimate, signed CPUID executable with a malicious DLL that, once executed, connected to a remote server and ultimately installed STX RAT — a full-featured backdoor capable of stealing data and providing persistent remote access. Kaspersky GReAT confirmed the attackers deployed the backdoor without modification, meaning existing public YARA rules detect it directly.
Community researchers had noted similarities between the attack infrastructure and a March 2026 campaign involving fake FileZilla installers. Kaspersky GReAT’s analysis confirms that connection: the command-and-control server address and the embedded configuration format are identical to those used in the earlier operation documented by Malwarebytes.
A March 2026 Kaspersky study found supply chain attacks were the most common cyberthreat businesses faced over the prior 12 months, yet only 9% of organizations ranked them as a top concern.
“Supply chain and watering hole attacks — where attackers compromise a trusted source rather than targeting victims directly — are considered among the more difficult threats to defend against, because users have no reason to distrust software downloaded from an official website. In this case, however, the attacker’s execution undermined the impact of their access: reusing previously documented infrastructure and an unmodified, publicly known backdoor meant that up-to-date security solutions like Kaspersky Next could detect and block the payload throughout the entire compromise window,” said Georgy Kucherin, senior security researcher at Kaspersky GReAT.
Kaspersky GReAT identified more than 150 victims through its telemetry. The majority are individual users, consistent with the consumer-facing nature of CPUID’s software. Affected organizations span retail, manufacturing, consulting, telecommunications and agriculture. Brazil, Russia and China account for the highest number of confirmed infections.
Kaspersky advises anyone who downloaded software from cpuid.com between 9 April and 10 April 2026 to take the following steps:
- Check network and DNS logs for connections to the four malicious distribution domains identified in the technical report.
- Search filesystems for unsigned instances of CRYPTBASE.dll present alongside CPUID application files.
- Run a full system scan using updated security software.
A complete list of indicators of compromise, including file hashes and malicious URLs, is available in Kaspersky GReAT’s full technical analysis at Securelist.
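One way to carry out the filesystem check from the steps above, as an added PowerShell example that is not code from Kaspersky or CPUID. It assumes the system drive is the scan root, that copies of CRYPTBASE.dll under the Windows directory are the operating system's own, and that CPUID's signed executables carry "CPUID" in the signer subject; adjust these parameters to your environment.

```powershell
# Added example: find CRYPTBASE.dll copies outside the Windows directory and
# flag those that are not validly signed and sit next to vendor-signed EXEs.
param(
    [string[]]$Roots = @("$env:SystemDrive\"),  # assumption: scan the system drive
    [string]$VendorPattern = 'CPUID'            # assumption: string in the signer subject
)

# Assumption: copies under %SystemRoot% (System32, SysWOW64, WinSxS) are the OS's own.
$winDir = $env:SystemRoot.TrimEnd('\') + '\'

$findings = foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -Filter 'CRYPTBASE.dll' -File -Recurse -Force `
                  -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.FullName.StartsWith($winDir, [StringComparison]::OrdinalIgnoreCase)
        } |
        ForEach-Object {
            $dll = $_
            $sig = Get-AuthenticodeSignature -LiteralPath $dll.FullName

            # Executables in the same folder that are validly signed by the vendor:
            # these are the legitimate binaries a planted DLL would be loaded by.
            $vendorExes = @(
                Get-ChildItem -LiteralPath $dll.DirectoryName -Filter '*.exe' -File `
                              -ErrorAction SilentlyContinue |
                    Where-Object {
                        $s = Get-AuthenticodeSignature -LiteralPath $_.FullName
                        $s.Status -eq 'Valid' -and
                        $s.SignerCertificate.Subject -match $VendorPattern
                    } |
                    ForEach-Object { $_.Name }
            )

            [pscustomobject]@{
                Suspicious      = ($sig.Status -ne 'Valid') -and ($vendorExes.Count -gt 0)
                Path            = $dll.FullName
                SignatureStatus = $sig.Status
                CreatedUtc      = $dll.CreationTimeUtc
                SHA256          = (Get-FileHash -LiteralPath $dll.FullName -Algorithm SHA256).Hash
                VendorExes      = $vendorExes -join ', '
            }
        }
}

# Suspicious rows first; compare SHA256 values with the published indicator list.
$findings | Sort-Object Suspicious -Descending | Format-List
```

Run it from an elevated prompt so protected directories are readable. A row with `Suspicious = True` is a lead to verify against the indicators in the technical analysis, not a verdict on its own.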


