Supply Chain Attack Compromises CPUID Site, Delivers Trojanized HWiNFO via CPU‑Z and HWMonitor Downloads
What Happened — Hackers gained unauthorized access to a CPUID API and replaced the official download links for CPU‑Z and HWMonitor with a malicious payload that installs a trojanized version of HWiNFO. The malicious installer runs in‑memory, masquerades as legitimate software, and uses proxy techniques to evade endpoint defenses.
Why It Matters for TPRM —
- A trusted third‑party utility was weaponized, exposing downstream organizations to malware.
- The attack demonstrates how a brief API compromise can poison widely‑used download chains.
- Even short‑lived compromises (≈6 hours) can affect millions of end‑users and downstream supply‑chain partners.
Who Is Affected — Enterprises and individuals across all sectors that download CPU‑Z, HWMonitor, or HWiNFO from the CPUID website; SaaS providers that embed these utilities in internal tooling; MSPs that distribute the tools to client environments.
Recommended Actions —
- Verify that any CPU‑Z, HWMonitor, or HWiNFO binaries in use were obtained from a trusted, post‑patch source.
- Re‑scan affected endpoints for the identified trojan (Tedy/Artemis) and related IOCs.
- Review third‑party download processes and enforce hash‑based verification for all external utilities.
- Engage CPUID for confirmation of remediation timelines and request indicators of compromise.
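The hash-based verification called for above can be enforced with a small gate that runs before any externally sourced utility is installed. The following is an added example written for this advisory; it is not code from CPUID, HWiNFO, or BleepingComputer. The expected SHA-256 values and the approved download host (`downloads.vendor.example`) are placeholders that an organization would replace with the vendor's published hashes and its own allowlist, and the sample installer bodies are constructed bytes. Because the incident poisoned the download redirection rather than the binaries themselves, the gate checks the host of the final URL reached after redirects as well as the file hash.

```python
"""Gate downloaded utilities on an approved host and a known-good SHA-256.

Added example for this advisory, not code from CPUID, HWiNFO or any vendor.
All hashes, hosts and file bodies below are placeholders or constructed data.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Placeholder allowlist: file name -> expected SHA-256 hex digest.
# CONSTRUCTED for the example by hashing fake installer bodies; replace with
# the digests the vendor publishes out-of-band.
EXPECTED_SHA256 = {
    "cpu-z_setup.exe": hashlib.sha256(b"constructed-good-cpuz-installer").hexdigest(),
    "hwmonitor_setup.exe": hashlib.sha256(b"constructed-good-hwmonitor-installer").hexdigest(),
}

# Placeholder: hosts approved for vendor downloads (assumption, not a real host).
ALLOWED_DOWNLOAD_HOSTS = {"downloads.vendor.example"}

CHUNK = 1 << 20  # 1 MiB, so large installers are hashed without loading twice


def sha256_of_bytes(data: bytes) -> str:
    """Return the SHA-256 hex digest of an in-memory file body."""
    h = hashlib.sha256()
    for i in range(0, len(data), CHUNK):
        h.update(data[i:i + CHUNK])
    return h.hexdigest()


def sha256_of_file(path: str) -> str:
    """Return the SHA-256 hex digest of a file on disk, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def download_host_is_allowed(final_url: str) -> bool:
    """True if the host of the URL actually served (after redirects) is approved.

    A poisoned link can point a user at third-party object storage even though
    the page they started from belongs to the vendor, so the final URL is what
    gets checked, not the link that was clicked.
    """
    host = (urlparse(final_url).hostname or "").lower()
    return host in ALLOWED_DOWNLOAD_HOSTS


def verify_download(file_name: str, data: bytes, final_url: str) -> dict:
    """Return a verdict; 'ok' is True only when host AND hash both match."""
    actual = sha256_of_bytes(data)
    expected = EXPECTED_SHA256.get(file_name)
    host_ok = download_host_is_allowed(final_url)
    # Constant-time compare avoids leaking how many digest characters matched.
    hash_ok = expected is not None and hmac.compare_digest(actual, expected)
    reasons = []
    if not host_ok:
        reasons.append("served from unapproved host")
    if expected is None:
        reasons.append("no published hash on file for this utility")
    elif not hash_ok:
        reasons.append("SHA-256 mismatch against published hash")
    return {
        "file": file_name,
        "host_ok": host_ok,
        "hash_ok": hash_ok,
        "ok": host_ok and hash_ok,
        "sha256": actual,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed inputs: a good body from the approved host, a tampered body,
    # and a good body served from an unexpected storage host.
    good = b"constructed-good-cpuz-installer"
    cases = [
        ("cpu-z_setup.exe", good, "https://downloads.vendor.example/cpu-z_setup.exe"),
        ("cpu-z_setup.exe", b"constructed-tampered-body", "https://downloads.vendor.example/cpu-z_setup.exe"),
        ("cpu-z_setup.exe", good, "https://object-storage.example/cpu-z_setup.exe"),
    ]
    for name, body, url in cases:
        verdict = verify_download(name, body, url)
        print("ALLOW" if verdict["ok"] else "BLOCK", url, verdict["reasons"])
```

Wire `verify_download` (or `sha256_of_file` for an already-saved installer) into whatever step stages third-party tools for deployment, and treat a missing published hash as a block rather than a pass: an unknown utility should not be trusted simply because nothing contradicts it.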
Technical Notes — The malicious payload was delivered via a compromised Cloudflare R2 storage link, masquerading as a legitimate HWiNFO installer. The installer uses an Inno Setup wrapper, runs almost entirely in memory, and proxies NTDLL calls from a .NET assembly to evade EDR/AV solutions. No legitimate CPUID binaries were altered; only the download redirection was poisoned.
Source: BleepingComputer