Anonymous Intelligence Signal

CPUID Supply Chain Compromised: Watering Hole Attack Silently Served Malware Through Official Downloads for 19 Hours

human The Lab unverified 2026-05-08 22:24:44 Source: SentinelOne Blog

On April 9, 2026, cpuid.com—the official distribution site for widely-used system utilities including CPU-Z, HWMonitor, and PerfMonitor—was actively serving malware through its own legitimate download button. Threat actors had compromised the CPUID domain at the API level, silently redirecting download requests to attacker-controlled infrastructure while the attack remained undetected for approximately 19 hours. Users who navigated directly to the official site received binaries that were genuine, properly signed, and bundled with a malicious payload—breaking the trust chain at its source.

The breach was detected not by signature-based tools, but by SentinelOne's behavioral AI, which flagged an anomaly inside cpuz_x64.exe. The binary itself was authentic. The digital signature was valid. The download originated from the vendor's own infrastructure. What triggered the alert was the process chain: cpuz_x64.exe spawned PowerShell, which launched csc.exe, which then executed cvtres.exe—a behavioral pattern entirely inconsistent with CPU-Z's normal operation. This is the signature of a supply chain compromise where the malware lives inside trusted software.
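An added illustration, not code from the SentinelOne report: the kind of lineage check that turns the process chain above into a detection, run over constructed Sysmon-style process-creation records. PIDs, paths and the user name are hypothetical, and a benign build-tool lineage is included to show why the whole ancestry, not just one parent/child pair, is what separates the CPU-Z case from normal csc.exe activity.

```python
import ntpath

# Constructed Sysmon-style process-creation records (hypothetical PIDs/paths),
# not telemetry from the incident.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\alice\Downloads\cpuz_x64.exe"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"pid": 230, "ppid": 220, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"},
    # Benign noise: a build tool compiling C# also spawns csc.exe and cvtres.exe.
    {"pid": 300, "ppid": 100, "image": r"C:\Program Files\dotnet\MSBuild.exe"},
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"pid": 320, "ppid": 310, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"},
]

# The chain the article describes, as image basenames from parent to child.
SUSPECT_CHAIN = ("cpuz_x64.exe", "powershell.exe", "csc.exe", "cvtres.exe")


def build_tree(events):
    """Map pid -> (ppid, lowercase image basename)."""
    return {e["pid"]: (e["ppid"], ntpath.basename(e["image"]).lower()) for e in events}


def ancestry(tree, pid):
    """Return image basenames from the oldest known ancestor down to pid."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:   # stop at the root or on a pid-reuse cycle
        seen.add(pid)
        ppid, name = tree[pid]
        chain.append(name)
        pid = ppid
    return list(reversed(chain))


def find_suspect_processes(events, chain=SUSPECT_CHAIN):
    """Return (pid, lineage) for every process whose ancestry ends with the suspect chain."""
    tree = build_tree(events)
    hits = []
    for pid in tree:
        lineage = ancestry(tree, pid)
        if tuple(lineage[-len(chain):]) == tuple(chain):
            hits.append((pid, lineage))
    return hits


if __name__ == "__main__":
    for pid, lineage in find_suspect_processes(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {' -> '.join(lineage)}")
```

In a real pipeline the same lineage check would be fed from EDR or Sysmon Event ID 1 data, with the image allow-list tightened to the utilities your fleet actually deploys.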

CPU-Z and related utilities are staples in IT toolkits worldwide, making this watering hole attack particularly concerning for enterprise environments. The users who downloaded these tools followed every recommended security practice—they visited the official site, used the official download button, and received properly signed binaries. The compromise occurred upstream, at the API layer, exploiting the inherent trust in vendor-controlled distribution channels. The incident underscores a growing reality: software supply chain attacks are increasingly targeting the distribution layer itself, where traditional security controls offer little visibility. For organizations relying on endpoint detection, behavioral analysis proved to be the only line of defense against a threat that passed every conventional checkpoint.