CPUID Hit by Supply Chain Attack, Malware Disguised as System Tools
Cyber Threat Intelligence has reported a concerning supply chain attack targeting the CPUID project. Attackers reportedly compromised an API for the CPUID project, leading to malicious executables being distributed through the official website for popular system utilities like CPU-Z and HWMonitor. This tactic leverages the trust users place in these tools, which are widely used for hardware diagnostics and system specifications.
Users began noticing anomalies after downloading these tools: the official download links were redirecting to Cloudflare R2 storage, which served a trojanized build of HWiNFO, another monitoring utility, rather than the expected CPUID product. The malicious installer, named ‘HWiNFO_Monitor_Setup’, was packaged in an Inno Setup wrapper. Inno Setup itself is a common packager for legitimate software; what observers flagged as suspicious was the unexpected repackaging and the off-domain redirect for a download that users expected to come straight from the vendor. While direct download URLs for clean versions of the original tools might still be intact, the primary distribution channels appear to have been poisoned.
Further analysis by Igor’s Labs and @vxunderground suggests a sophisticated loader employing advanced techniques to evade detection. The installer is described as deeply trojanized, with the loader operating almost entirely in memory and proxying NTDLL functionality from a .NET assembly to evade EDR and AV products. Cyber Threat Intelligence notes that this threat group may have previously targeted FileZilla users as well.
What This Means For You
- Security professionals should verify installers (publisher signature, a pinned hash from a second channel) rather than trusting an official download link alone. This incident underscores the need for endpoint detection and response (EDR) solutions capable of identifying in-memory execution and advanced evasion techniques, and highlights the importance of scrutinizing unexpected installer wrappers, off-domain download redirects and unexpected network connections, even for seemingly trusted software.
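The checks above can be scripted before an installer is ever executed. The following is an added example, not code from the original article or from CPUID, HWiNFO or the researchers it cites. It triages a downloaded setup file by comparing its SHA-256 against a pinned hash obtained out of band, scanning for the Inno Setup marker string, parsing the PE header to see whether the image carries a CLR (.NET) header, and checking that the final download URL resolved to a vendor host rather than third-party object storage. The vendor host list, the R2 hostname pattern and the sample PE bytes are constructed for the example.

```python
"""Triage a downloaded installer before running it (added example, not vendor code)."""
import hashlib
import struct
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

# Marker string Inno Setup embeds in every installer it produces.
INNO_MARKER = b"Inno Setup Setup Data"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pe_has_clr_header(data: bytes) -> bool:
    """True if the PE's COM descriptor data directory (index 14) is populated,
    i.e. the image is a .NET assembly. Returns False for non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + 20 + 2 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt_off = e_lfanew + 4 + 20          # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                   # PE32
        num_dirs_off, dirs_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:                 # PE32+
        num_dirs_off, dirs_off = opt_off + 108, opt_off + 112
    else:
        return False
    if num_dirs_off + 4 > len(data):
        return False
    num_dirs = struct.unpack_from("<I", data, num_dirs_off)[0]
    clr_off = dirs_off + 14 * 8
    if num_dirs < 15 or clr_off + 8 > len(data):
        return False
    rva, size = struct.unpack_from("<II", data, clr_off)
    return rva != 0 and size != 0


def download_host_is_vendor(final_url: str, vendor_hosts: Iterable[str]) -> bool:
    """Check the host the download actually resolved to (after redirects)
    against the vendor's own domains; a redirect to object storage fails this."""
    host = (urlsplit(final_url).hostname or "").lower()
    return any(host == v or host.endswith("." + v) for v in vendor_hosts)


def triage_installer(data: bytes, expected_sha256: Optional[str]) -> Dict[str, object]:
    """Pinned hash wins when available; otherwise report the wrapper/.NET indicators."""
    digest = sha256_hex(data)
    findings: Dict[str, object] = {
        "sha256": digest,
        "hash_matches_pin": expected_sha256 is not None and digest == expected_sha256.lower(),
        "inno_setup_wrapper": INNO_MARKER in data,
        "dotnet_image": pe_has_clr_header(data),
    }
    if expected_sha256 is not None:
        findings["verdict"] = "trusted" if findings["hash_matches_pin"] else "quarantine"
    else:
        suspicious = findings["inno_setup_wrapper"] or findings["dotnet_image"]
        findings["verdict"] = "review" if suspicious else "unverified"
    return findings


def build_sample_pe(dotnet: bool, inno_marker: bool) -> bytes:
    """Constructed minimal PE32+ image for demonstration only; not a real installer."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # SizeOfOptionalHeader=240
    opt = bytearray(240)                                         # PE32+ with 16 data dirs
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    if dotnet:
        struct.pack_into("<II", opt, 112 + 14 * 8, 0x2008, 0x48)  # populated CLR directory
    body = b"Inno Setup Setup Data (6.2.0)" if inno_marker else b"plain payload"
    return dos + b"PE\0\0" + coff + bytes(opt) + body


if __name__ == "__main__":
    clean = build_sample_pe(dotnet=False, inno_marker=False)
    suspect = build_sample_pe(dotnet=True, inno_marker=True)
    print(triage_installer(clean, sha256_hex(clean)))
    print(triage_installer(suspect, sha256_hex(clean)))
    print(download_host_is_vendor("https://pub-example.r2.dev/HWiNFO_Monitor_Setup.exe",
                                  {"cpuid.com"}))
```

In practice the pinned hash comes from a channel other than the download page (a vendor announcement, a package manager manifest, or a colleague's earlier download), since a compromised site will happily publish a hash that matches its own trojan. The indicators are signals for review, not proof: many clean products ship as Inno Setup installers or .NET binaries, so the pinned hash and the publisher signature remain the authoritative checks.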