Full Report
On April 9, 2026, cpuid.com was actively serving malware through its own official download button. Threat actors had compromised the CPUID domain at the API level and were silently redirecting legitimate download requests to attacker-controlled infrastructure. The attack ran for approximately 19 hours. Users who navigated directly to the official site received a legitimate, properly […]
Analysis Summary
# Incident Report: CPUID.com Software Supply Chain Compromise
## Executive Summary
On April 9, 2026, the official website for CPU-Z (cpuid[.]com) was compromised at the API level, resulting in a software supply chain attack. Threat actors redirected legitimate download requests to attacker-controlled infrastructure to distribute malware. The incident lasted approximately 19 hours before remediation, affecting users who attempted to download the utility via the site's official "download" buttons.
## Incident Details
- **Discovery Date:** April 9, 2026
- **Incident Date:** April 9, 2026
- **Affected Organization:** CPUID (Software developer of CPU-Z)
- **Sector:** Information Technology / Software Utilities
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** April 9, 2026 (Duration: ~19 hours)
- **Vector:** API-level compromise of the CPUID domain.
- **Details:** Attackers gained unauthorized access to the domain’s backend configuration or API, allowing them to modify the destination of download requests without altering the physical files hosted on the server.
### Lateral Movement
- **Details:** While the article focuses on the external watering hole aspect, the attackers operated within the domain management/API layer to point traffic toward malicious delivery infrastructure.
### Data Exfiltration/Impact
- **Impact:** Legitimate users were served a malicious installer instead of the authentic CPU-Z utility. This enabled attackers to deploy arbitrary malware onto the systems of technicians, gamers, and IT professionals who trust the tool.
### Detection & Response
- **Detection:** The attack was identified by automated security platforms (specifically SentinelOne) that recognized the redirected download behavior and blocked execution of the malicious payloads on endpoint systems.
- **Response Actions:** CPUID regained control of the API/domain settings and restored legitimate download paths.
## Attack Methodology
- **Initial Access:** API/Domain account takeover.
- **Persistence:** Redirection of legitimate web traffic via direct manipulation of site routing.
- **Defense Evasion:** Use of a "Watering Hole" technique; the site appeared legitimate, and the download button was the official one, making it nearly impossible for a manual user to detect the shift.
- **Discovery:** Redirection was silent and targeted users specifically seeking the software.
- **Impact:** Software supply chain compromise (Watering Hole Attack).
## Impact Assessment
- **Financial:** Unknown; potential loss of ad revenue and developer resources for remediation.
- **Data Breach:** Malware deployment; potential for credential theft or secondary infections on victim machines.
- **Operational:** Official download services were compromised for 19 hours.
- **Reputational:** High; CPUID is a trusted name in low-level system utilities; a 19-hour window of serving malware impacts long-term user trust.
## Indicators of Compromise
- **Network indicators:**
- Unauthorized redirects from `hxxps://www.cpuid[.]com` to attacker-controlled subdomains or external IPs.
- **Behavioral indicators:**
- Official download buttons initiating connections to non-standard or recently registered domains.
- Post-install behavior of CPU-Z installer exhibiting unauthorized script execution (PowerShell/CMD).
## Response Actions
- **Containment:** Rapid identification by third-party EDR tools to block local execution.
- **Eradication:** CPUID corrected the API compromise and purged the malicious redirection instructions.
- **Recovery:** Restoration of legitimate file links and public notification of the incident.
## Lessons Learned
- **API Security is Critical:** Domain-level APIs are high-value targets; compromise here can bypass standard file integrity monitoring if the file on the server remains "clean" but the *link* is changed.
- **Third-Party Trust:** Even "official" sources can be compromised; EDR and behavioral analysis remain the last line of defense when "trusted" installers turn malicious.
## Recommendations
- **Multi-Factor Authentication (MFA):** Enforce strict MFA on all domain registrar and API management accounts.
- **Subresource Integrity (SRI) & Content Security Policy (CSP):** Implement strict CSPs to prevent unauthorized external redirects or script loading.
- **Continuous Monitoring:** Implement real-time monitoring for changes in domain records or API configurations.
- **Digital Signatures:** Ensure all hosted binaries are digitally signed and instruct users to verify signatures before execution.
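The behavioral indicator above (an official download button resolving to a non-publisher host) and the continuous-monitoring recommendation can be turned into a small synthetic check. The following is an added example, not CPUID's or SentinelOne's code: it fetches the download URL without auto-following redirects, records every hop, and flags the first hop that leaves the publisher's allowlisted hosts or falls back to plain http. The allowlist and the constructed URLs in the comments are assumptions.

```python
"""Synthetic download-path monitor (added example, not CPUID's code).

Records each redirect hop of a download link and flags the first hop whose
host is outside the publisher allowlist or that is not served over https.
"""
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urlparse, urljoin

# Assumption: hosts the publisher is expected to serve installers from.
PUBLISHER_HOSTS = ("cpuid.com",)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so each hop can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def host_allowed(host, allowed=PUBLISHER_HOSTS):
    """True if host equals, or is a subdomain of, an allowlisted host."""
    host = (host or "").lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def audit_chain(chain, allowed=PUBLISHER_HOSTS):
    """chain[0] is the button URL, later entries are Location targets.
    Returns (ok, hop_index, reason); hop_index is -1 when ok."""
    for i, url in enumerate(chain):
        p = urlparse(url)
        if p.scheme != "https":
            return False, i, f"hop {i} is not https: {url}"
        if not host_allowed(p.hostname, allowed):
            return False, i, f"hop {i} leaves publisher hosts: {p.hostname}"
    return True, -1, "all hops stay on publisher hosts over https"


def collect_chain(url, max_hops=5, timeout=10):
    """Follow redirects manually and return the list of URLs visited."""
    opener = urllib.request.build_opener(_NoRedirect)
    chain = [url]
    for _ in range(max_hops):
        try:
            with opener.open(url, timeout=timeout):
                return chain  # final 2xx reached, no further Location
        except HTTPError as e:
            if e.code not in (301, 302, 303, 307, 308) or not e.headers.get("Location"):
                raise
            url = urljoin(url, e.headers["Location"])
            chain.append(url)
    raise RuntimeError(f"more than {max_hops} redirects: {chain}")
```

Run `audit_chain(collect_chain(button_url))` from a scheduler against the live button URL; a `(False, ...)` result is the alert condition, and the recorded chain is the evidence to hand to the domain/API owners.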