Sometimes it’s the most unassuming tools that you’d least expect to be involved in a security incident. A hardware monitor is supposed to read temperatures, display voltages, and—ideally—just stay out of the way. But when an installer with an unfamiliar name, Russian dialog text, and a malware warning suddenly pops up in the update or download path, a mundane routine quickly turns into an incident. This is exactly what is unfolding on April 10, 2026, in the context of CPUID and HWMonitor. But we need to sort this out properly, because there is a difference between “highly suspicious” and “forensically proven hacked” that should not be brushed aside.
Officially, here’s what we know so far: On the CPUID website, HWMonitor 1.63 is listed as the current version for Windows x86/x64, with an entry dated April 3, 2026. The official product page does not display an unusual filename, but rather the standard download path for the setup version, while the ZIP version links directly to a Cloudflare R2 domain. Clicking the setup link takes you to a separate CPUID download page, which explicitly states that the file “hwmonitor_1.63.exe” is ready and that the actual download will then take place via download.cpuid.com. This setup is interesting in itself because it does not consist of a single, consistently identical download path. At the same time, reports have been circulating in the community since today—primarily on Reddit—stating that users did not receive the expected file hwmonitor_1.63.exe upon download, but rather an installer named HWiNFO_Monitor_Setup.exe. These reports also mention Windows Defender warnings, a Russian-language installer dialog, and an unusual Inno Setup wrapper. This is too consistent to be dismissed as a mere misunderstanding. However, it does not yet constitute complete technical evidence of the exact cause. What has been confirmed, therefore, is an acute security threat in the CPUID download environment, not yet the fully elucidated attack vector.
Compromised download chain at HWiNFO as well?
The most plausible explanation at present is not that HWiNFO was compromised, but rather that a download path within the CPUID environment was manipulated, redirected, or temporarily replaced with a third-party object. This is supported by the contradiction between what the official CPUID pages announce—namely hwmonitor_1.63.exe—and what affected users claim to have actually received, namely HWiNFO_Monitor_Setup.exe. Added to this is the technical asymmetry on the CPUID site itself, as the setup and ZIP files are not served from the same infrastructure. Whether this is due to website manipulation, an issue on the download server, a compromised object in the backend, a redirect, or actually a DNS-related intervention has not yet been conclusively proven publicly. Precisely for this reason, it would be negligent to hastily turn this suspicion into a definitive forensic conclusion. Heightened caution is warranted all the same.
The choice of name for the reported malicious installer is also noteworthy. “HWiNFO_Monitor_Setup.exe” does not appear to be an accidentally misnamed CPUID package, but rather a lure deliberately designed to cause confusion by mixing two well-known monitoring brands. Unfortunately, such deceptions work precisely because users often rely on habit rather than exact package names when using utility tools. Based on current public information, the malware family has not yet been definitively verified. While community posts mention suspicious additional files and generic detections from multiple scanners, without a published sample analysis by a manufacturer or security firm, this remains circumstantial evidence for now. Certain enough to warrant a warning, but not yet definitive enough for a final taxonomic diagnosis.
The official HWiNFO infrastructure currently paints a different picture. The official download page lists version 8.44 as the current stable release, published on March 4, 2026, and offers several mirrors for it. The version history consistently documents this same version. While it is true that HWiNFO was flagged by antivirus detections once before in early 2026, the developer stated that this was a false positive. On January 21, 2026, it was explicitly noted in the HWiNFO forum that Bitdefender had withdrawn the detection after review. This is important because it clarifies the situation: Yes, HWiNFO had AV false positives in 2026, but no, as things stand, this is not the same incident as the current CPUID downloads with the incorrect filename.
Anyone taking a pragmatic view of the matter will therefore arrive at a fairly simple rule of thumb. At the moment, everything points to treating CPUID downloads with particular caution, while there is no comparable evidence of compromise for HWiNFO itself. However, the risk of confusion is real, precisely because the allegedly manipulated installer plays on the name of another well-known monitoring software. This is not a minor technical detail, but exactly the kind of cheap deception that, unfortunately, works alarmingly well in everyday life.
CPUID also has its own security issue to address
The story takes on added urgency because CPUID was already in the spotlight in early 2026 due to a separate vulnerability. The NVD lists an information disclosure vulnerability in the kernel driver of CPU-Z 2.17 and older under CVE-2025-65264. The current CPU-Z page now lists version 2.19, and in the release notes, CPUID explicitly mentions a fixed DLL hijacking vulnerability. This is relevant to the context because it shows that CPUID has recently had to deal with security-related issues anyway. However, it would be wrong to lump these driver and DLL issues together with the allegedly manipulated HWMonitor download. One is a documented product vulnerability; the other is an ongoing incident in the distribution chain.
Why this case fits into a larger trend
Unfortunately, this is no longer an isolated incident. Notepad++ had to harden its updater in version 8.8.9 in December 2025 after the manufacturer itself reported redirected WinGUp traffic and compromised update files. In early February 2026, the incident was publicly addressed once again as an ongoing security incident. There, too, the actual problem was not a spectacularly defaced homepage, but a compromised chain of trust between the user, the update mechanism, and the download destination. This is precisely why the current CPUID case is so troubling, even if the exact technical cause remains unclear. Trust is being attacked not only through domains but also through routines.
An even more direct comparison is the 7-Zip case from February 2026. In that instance, it was not the genuine project site that was compromised, but a deceptively similar fake domain in circulation that delivered a functional but trojanized installer and exploited systems as residential proxy nodes. Malwarebytes and BleepingComputer described an infrastructure that visually mimics the legitimate installer, keeps it functionally usable, and simultaneously installs hidden malicious components. The lesson here is grim but simple: even if a tool appears to launch normally, that is by no means a green light. In the current CPUID incident, therefore, the relevant question is not merely whether a file launches at all, but whether the package name, download path, signature, hash, and origin all match.
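The check named above (package name, download origin, signature, hash), as an added PowerShell example that is not part of the original article and not CPUID tooling. The function name and its parameters are assumptions; the expected hash and signer must come from a trusted out-of-band source, because the article publishes neither.

```powershell
# Added example: compare a downloaded installer with what the vendor page announced.
# Expected values are parameters. The signer pattern and the hash are assumptions the
# caller supplies from a trusted source; when omitted they are reported, not checked.
function Test-InstallerProvenance {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedName,   # e.g. 'hwmonitor_1.63.exe'
        [Parameter(Mandatory)] [string] $ExpectedHost,   # e.g. 'download.cpuid.com'
        [string] $ExpectedSignerPattern,                 # wildcard for the certificate subject
        [string] $ExpectedSha256                         # obtained out of band
    )
    $file = Get-Item -LiteralPath $Path
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Package name (comparison is case-insensitive, like Windows file names)
    if ($file.Name -ne $ExpectedName) {
        $findings.Add("name: got '$($file.Name)', expected '$ExpectedName'")
    }

    # 2. Origin: browsers typically record the source URL in the Zone.Identifier stream (NTFS)
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $hostUrl = ($zone | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', '' | Select-Object -First 1
    if (-not $hostUrl) {
        $findings.Add('origin: no HostUrl recorded, download source cannot be confirmed')
    } elseif (([uri]$hostUrl).Host -ne $ExpectedHost) {
        $findings.Add("origin: downloaded from '$(([uri]$hostUrl).Host)', expected '$ExpectedHost'")
    }

    # 3. Authenticode signature: must validate, and the signer must be the expected one
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $findings.Add("signature: status is $($sig.Status)")
    } elseif ($ExpectedSignerPattern -and $sig.SignerCertificate.Subject -notlike $ExpectedSignerPattern) {
        $findings.Add("signature: signed by '$($sig.SignerCertificate.Subject)'")
    }

    # 4. Hash: always reported, compared only when an expected value was supplied
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($ExpectedSha256 -and $sha256 -ne $ExpectedSha256) {
        $findings.Add("hash: $sha256 does not match the expected value")
    }

    [pscustomobject]@{ File = $file.Name; Sha256 = $sha256; Signer = $sig.SignerCertificate.Subject
                       HostUrl = $hostUrl; Trusted = ($findings.Count -eq 0); Findings = $findings }
}
```

A file named HWiNFO_Monitor_Setup.exe checked against the expected name hwmonitor_1.63.exe fails the first check regardless of how the other three turn out.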
My conclusion on the whole matter is correspondingly sober. As of April 10, 2026, there are sufficient reliable warning signs regarding CPUID to advise against downloads via the official HWMonitor channels for the time being. The public evidence is not yet sufficient to make a definitively substantiated statement such as “cpuid.com has definitely been completely hacked.” As things stand, HWiNFO itself is not under suspicion, even though its name is being misused in the allegedly tampered installer. And that is precisely the real point of this case, which is unfortunately less original than one might hope: attackers don’t need to take over an entire product if all it takes is loosening a few screws at the right point in the download chain. So always stay vigilant!
| Source | Short statement | Verified link |
|---|---|---|
| CPUID / HWMonitor | The official product page has listed HWMonitor 1.63 since April 3, 2026, and displays the current download path as well as the breakdown between Setup and ZIP. | Product page |
| CPUID / HWMonitor Download | The preceding download page explicitly lists the file “hwmonitor_1.63.exe” and then redirects to download.cpuid.com. | Download Page |
| Reddit / r/pcmasterrace | User report regarding the different installer “HWiNFO_Monitor_Setup.exe,” a Defender warning, and a Russian-language installer dialog in the context of the official CPUID download. | Post |
| HWiNFO | Official download page lists version 8.44 and several mirrors, with no indication of a similar compromise. | Download |
| HWiNFO | Version history confirms 8.44 as the current stable version, released on March 4, 2026. | Version history |
| HWiNFO Forum | Developer note from January 21, 2026 regarding AV false positives, including retraction by Bitdefender. | Forum |
| CPUID / CPU-Z | CPU-Z 2.19 explicitly mentions a fixed DLL hijacking vulnerability in the release notes. | Release Notes |
| NVD / CPUID CPU-Z | CVE-2025-65264 documents a local information disclosure vulnerability in the CPU-Z kernel driver up to version 2.17. | Entry |
| Notepad++ | Version 8.8.9 describes redirected WinGUp traffic and compromised update files; in addition, signature and certificate verification has been tightened. | Report |
| Malwarebytes / 7-Zip | Analysis of a fake 7-Zip page that delivered a trojanized installer along with proxyware. | Analysis |
| BleepingComputer / 7-Zip | Additional context regarding the fake 7-Zip case and the use of infected systems as residential proxy nodes. | Report |


