Introduction
On April 9, 2026, the website cpuid[.]com, which hosts installers for the popular system administration tools CPU-Z, HWMonitor (HWMonitor Pro) and Perfmonitor 2, was compromised. We observed that from approximately April 9, 15:00 UTC until about April 10, 10:00 UTC, the legitimate download URLs for those installers were replaced with URLs pointing to the following malicious websites:
- cahayailmukreatif.web[.]id;
- pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev;
- transitopalermo[.]com;
- vatrobran[.]hr.
The complete list of hashes of the files we observed being downloaded from these websites is provided in the IoCs section.
Attack chain
We observed the attackers deploying malicious distributions of several popular system administration tools published on the cpuid[.]com website:
- CPU-Z (version 2.19)
- HWMonitor Pro (version 1.57)
- HWMonitor (version 1.63)
- PerfMonitor (version 2.04)
The trojanized software was distributed both as ZIP archives and as standalone installers for the aforementioned products. Each package contains a legitimate signed executable for the corresponding product alongside a malicious DLL named “CRYPTBASE.dll”, which is loaded through DLL sideloading.
The malicious DLL is responsible for the C2 connection and further payload execution. Before connecting, it performs a set of anti-sandbox checks and only contacts the C2 server if all of them pass. Notably, the attackers reused both the C2 address and the connection configuration from the March 2026 campaign in which they hosted a fake FileZilla (an open-source FTP client) site distributing malicious downloads. The configuration embedded in the DLL is shown below. Its “referrer” field equals “cpz”, which appears to be shorthand for “CPU-Z”.
    {
        "hello": {
            "tag": "tbs",
            "referrer": "cpz",
            "callback": "hxxps://welcome.supp0v3[.]com/d/callback"
        }
    }
This loader also contains a huge array of MAC addresses stored as strings; the next-stage payload is reconstructed by converting the hexadecimal characters of each MAC address into their byte values. After a series of auxiliary loaders, the execution chain ends in a sophisticated RAT.
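To recover such a payload during analysis, the MAC-style strings have to be pulled out of the loader and their hex groups concatenated into raw bytes. The following decoder is an added example written for this article, not code from the report or the malware; the sample blob is constructed and the exact string layout inside the real loader is an assumption.

```python
import re

# One MAC-style string: six hex byte groups separated by '-' or ':'.
MAC_RE = re.compile(rb"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})(?![0-9A-Fa-f])")


def mac_to_bytes(mac: str) -> bytes:
    """Convert a single MAC-style string to its six raw bytes."""
    groups = re.split(r"[-:]", mac)
    if len(groups) != 6 or any(len(g) != 2 for g in groups):
        raise ValueError(f"not a MAC-style string: {mac!r}")
    return bytes(int(g, 16) for g in groups)


def decode_mac_array(macs) -> bytes:
    """Concatenate the decoded bytes of every MAC string, in array order."""
    return b"".join(mac_to_bytes(m) for m in macs)


def extract_mac_strings(blob: bytes) -> list:
    """Find MAC-style strings in raw loader data (e.g. a dumped data section).
    Legitimate MAC strings also match, so look for a large run rather than one hit."""
    return [m.decode("ascii") for m in MAC_RE.findall(blob)]


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: a reconstructed PE payload starts with the 'MZ' signature."""
    return data[:2] == b"MZ"


# Constructed sample (assumption): null-separated MAC strings that decode to
# the first 18 bytes of a DOS header.
SAMPLE_BLOB = (
    b"\x00\x00"
    b"4D-5A-90-00-03-00\x00"
    b"00-00-04-00-00-00\x00"
    b"FF-FF-00-00-B8-00\x00"
)

if __name__ == "__main__":
    payload = decode_mac_array(extract_mac_strings(SAMPLE_BLOB))
    print(payload.hex(), looks_like_pe(payload))
```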
Copy-pasted malicious implants
The final stage RAT is not new, though. The adversary decided to reuse the so-called “STX RAT” reported by eSentire, making one more mistake: we found that the final stage is fully detected by the YARA rules provided in the eSentire article. As can be observed, the attackers put effort into compromising a popular software website, but failed to avoid detection by known indicators of compromise.
Victimology
Based on our telemetry, we have identified more than 150 victims, the majority of whom are individuals. However, several organizations from various sectors, including retail, manufacturing, consulting, telecommunications and agriculture, were also affected, with most infections in Brazil, Russia and China.
Recommendations
While the watering hole attack occurred in a short timeframe of less than 24 hours, it is important to check whether your organization may be affected. The best way to do this is to examine DNS logs for queries to the malicious websites from which the trojanized installers were downloaded. It is also essential to examine file systems for traces of the malicious archives and executable files related to this attack.
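Both checks above can be scripted. The example below is added here and is not part of the report: it matches DNS query logs against the distribution hosts and the C2 host named in this article, and flags a CRYPTBASE.dll found anywhere other than the Windows system directories, which is the sideloading layout described in the attack chain. The log line format and the sample lines are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional, Tuple

# Defanged indicators from the report: the four distribution hosts and the C2 host.
IOC_DOMAINS_DEFANGED = [
    "cahayailmukreatif.web[.]id",
    "pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev",
    "transitopalermo[.]com",
    "vatrobran[.]hr",
    "welcome.supp0v3[.]com",
]

def refang(domain: str) -> str:
    """Turn the defanged notation back into a normalized, matchable host name."""
    return domain.replace("[.]", ".").lower().rstrip(".")

IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

def domain_matches(qname: str) -> Optional[str]:
    """Return the IoC domain that qname equals or is a subdomain of, else None."""
    q = qname.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if q == d or q.endswith("." + d):
            return d
    return None

# Assumed log format: "<timestamp> client=<ip> query=<name> type=<rrtype>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<qname>\S+)")

def find_ioc_queries(log_lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, matched IoC domain) for each query to an IoC host."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        matched = domain_matches(m.group("qname")) if m else None
        if matched:
            hits.append((m.group("ts"), m.group("client"), matched))
    return hits

# Directories where a genuine CRYPTBASE.dll is expected to live on Windows.
SYSTEM_DLL_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")

def is_suspicious_cryptbase(path: str) -> bool:
    """A CRYPTBASE.dll outside the system directories (e.g. next to an unpacked
    CPU-Z or HWMonitor executable) matches the sideloading layout of this attack."""
    p = PureWindowsPath(path)
    if p.name.lower() != "cryptbase.dll":
        return False
    parent = str(p.parent).lower()
    return not any(parent == d or parent.startswith(d + "\\") for d in SYSTEM_DLL_DIRS)

# Constructed sample DNS log lines, not real telemetry.
SAMPLE_DNS_LOG = """\
2026-04-09T15:12:03Z client=10.0.0.5 query=cpuid.com type=A
2026-04-09T15:12:09Z client=10.0.0.5 query=pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev type=A
2026-04-09T16:40:51Z client=10.0.0.7 query=vatrobran.hr. type=A
2026-04-09T16:41:30Z client=10.0.0.7 query=welcome.supp0v3.com type=A
2026-04-09T17:00:00Z client=10.0.0.9 query=example.org type=AAAA""".splitlines()
```

Queries to the legitimate cpuid.com are expected and are not flagged; only the hosts that served the trojanized files and the C2 callback host produce hits.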
Conclusion
Compared to other recent watering hole and supply chain attacks, such as the Notepad++ supply chain attack, the attack on the cpuid.com website was orchestrated quite poorly. The gravest mistake the attackers made was to reuse the same infection chain involving STX RAT, and the same domain names for C2 communication, from the previous attack involving fake FileZilla installers. The overall malware development, deployment and operational security capabilities of the threat actor behind this attack are quite low, which in turn made it possible to detect the watering hole compromise as soon as it started.
Indicators of Compromise
Hashes of downloaded malicious files
Hashes of malicious DLLs
URLs


CPU-Z / HWMonitor watering hole infection – a copy-pasted attack