CPU-Z Download Hijacked: SentinelOne AI Blocks 19-Hour Supply Chain Attack
Attack Unfolds
On April 9, 2026, the official CPUID website (cpuid.com) began serving malware through its own download button. Threat actors compromised the domain at the API level, silently redirecting legitimate download requests to attacker-controlled servers. The attack persisted for approximately 19 hours before being neutralized.

Users who visited the official site directly received a properly signed binary with a malicious payload concealed inside. The binary appeared authentic, with a valid digital signature, and arrived from the vendor's own infrastructure. Yet within seconds of execution, SentinelOne's AI-driven EDR flagged the threat.
Signs of Compromise
The SentinelOne agent raised the alert "Penetration framework or shellcode was detected" almost immediately. The detection stemmed from five behavioral indicators converging on the same process:
- Anomalous API resolution: The process located system functions through non-standard discovery methods, bypassing the OS loader.
- Reflective code loading: Executable code ran in memory regions with no corresponding file on disk.
- Suspicious memory allocation: Read-Write-Execute (RWX) permissions were requested, a staging pattern for malicious payloads.
- Process injection patterns: Execution flow suggested code was being redirected into a secondary process to mask its origin.
- Heuristic shellcode signatures: Sequential operations characteristic of exploitation toolkits preparing an environment for command execution.
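The convergence of the five indicators listed above, modeled as a small rule engine run over a stream of constructed process telemetry. This is an added example, not SentinelOne's detection code; the event schema, rule names, telemetry values and the convergence threshold are all assumptions made for illustration.

```python
"""Added example (not SentinelOne's code): a rule engine that checks whether
the five behavioural indicators named in the article converge on one process.
Event schema, rule names, telemetry values and the threshold are assumptions."""
from dataclasses import dataclass, field

@dataclass
class Event:
    pid: int                  # process that performed the action
    kind: str                 # api_resolve | mem_alloc | mem_write | image_load | thread_create
    detail: dict = field(default_factory=dict)

# Resolution paths the OS loader normally uses; anything else is treated as anomalous.
LOADER_METHODS = {"import_table", "GetProcAddress", "delay_load"}

def anomalous_api_resolution(evs):
    """System functions located without going through the OS loader."""
    return any(e.kind == "api_resolve" and e.detail.get("method") not in LOADER_METHODS
               for e in evs)

def reflective_code_loading(evs):
    """Executable image mapped with no backing file on disk."""
    return any(e.kind == "image_load" and not e.detail.get("backed_by_file", True)
               for e in evs)

def suspicious_memory_allocation(evs):
    """Read-Write-Execute region requested."""
    return any(e.kind == "mem_alloc" and e.detail.get("protect") == "RWX" for e in evs)

def process_injection_pattern(evs):
    """Memory written or thread started in a process other than the actor."""
    return any(e.kind in {"mem_write", "thread_create"}
               and e.detail.get("target_pid", e.pid) != e.pid for e in evs)

def heuristic_shellcode_signature(evs):
    """Ordered chain: RWX allocation, write into that region, thread started at it."""
    stage, region = 0, None
    for e in evs:
        if stage == 0 and e.kind == "mem_alloc" and e.detail.get("protect") == "RWX":
            stage, region = 1, e.detail.get("region")
        elif stage == 1 and e.kind == "mem_write" and e.detail.get("region") == region:
            stage = 2
        elif stage == 2 and e.kind == "thread_create" and e.detail.get("region") == region:
            return True
    return False

RULES = {
    "anomalous_api_resolution": anomalous_api_resolution,
    "reflective_code_loading": reflective_code_loading,
    "suspicious_memory_allocation": suspicious_memory_allocation,
    "process_injection_pattern": process_injection_pattern,
    "heuristic_shellcode_signature": heuristic_shellcode_signature,
}

# Assumption: how many distinct indicators must co-occur before the agent acts.
CONVERGENCE_THRESHOLD = 3

def evaluate(events, pid, threshold=CONVERGENCE_THRESHOLD):
    """Indicators matched for one process, and the response taken."""
    evs = [e for e in events if e.pid == pid]
    matched = sorted(name for name, rule in RULES.items() if rule(evs))
    action = "terminate_and_quarantine" if len(matched) >= threshold else "allow"
    return {"pid": pid, "indicators": matched, "action": action}

def triage(events):
    """Evaluate every process seen in the telemetry."""
    return {pid: evaluate(events, pid) for pid in sorted({e.pid for e in events})}

# Constructed telemetry: pid 4242 performs the staging chain, pid 7000 is ordinary.
SAMPLE_EVENTS = [
    Event(4242, "api_resolve", {"method": "manual_export_walk", "symbol": "VirtualAlloc"}),
    Event(4242, "mem_alloc", {"protect": "RWX", "region": "0x1f00000"}),
    Event(4242, "mem_write", {"region": "0x1f00000", "bytes": 4096}),
    Event(4242, "image_load", {"backed_by_file": False, "region": "0x1f00000"}),
    Event(4242, "thread_create", {"region": "0x1f00000"}),
    Event(4242, "mem_write", {"target_pid": 5100, "bytes": 4096}),
    Event(4242, "thread_create", {"target_pid": 5100}),
    Event(7000, "api_resolve", {"method": "import_table", "symbol": "CreateFileW"}),
    Event(7000, "mem_alloc", {"protect": "RW", "region": "0x2a0000"}),
    Event(7000, "image_load", {"backed_by_file": True, "path": "helper.dll"}),
    Event(7000, "thread_create", {}),
]

if __name__ == "__main__":
    for pid, result in triage(SAMPLE_EVENTS).items():
        print(pid, result["action"], result["indicators"])
```

The point of the threshold is that no single rule is decisive: an RWX allocation or a cross-process thread on its own occurs in legitimate software (JIT compilers, debuggers, accessibility tools), but the same process exhibiting several of these behaviours within one execution is what justifies an autonomous response rather than a low-priority alert.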
The agent autonomously terminated and quarantined the involved processes before the attack could advance further. The malicious CRYPTBASE.dll, placed in the trusted execution path, was blocked.
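A library planted beside a trusted executable, as the article describes for CRYPTBASE.dll, is loaded ahead of the copy in the system directory for names not on the KnownDLLs list. A check a responder would want after reading this is a hunt for such collisions across installed applications. The following is an added example, not CPUID's or SentinelOne's code; the directory listings are constructed sample data and the install path is a placeholder.

```python
"""Added example (not the vendor's code): hunt for DLLs in an application
directory whose name collides with a library the OS ships in its system
directory.  Listings below are constructed sample data."""
from pathlib import Path, PureWindowsPath

# Constructed listing of an application install directory (placeholder path).
SAMPLE_APP_FILES = [
    r"C:\Program Files\ExampleApp\app.exe",
    r"C:\Program Files\ExampleApp\CRYPTBASE.dll",
    r"C:\Program Files\ExampleApp\helper.dll",
    r"C:\Program Files\ExampleApp\readme.txt",
]

# Constructed subset of a system directory listing; in practice enumerate
# %SystemRoot%\System32 on a known-good host of the same Windows build.
SAMPLE_SYSTEM_DLLS = ["cryptbase.dll", "kernel32.dll", "ntdll.dll", "user32.dll"]

def find_shadowing_dlls(app_files, system_dll_names):
    """Return application-directory DLLs that shadow a system DLL by name.

    The standard search order consults the application directory before the
    system directory, so a same-named library here is picked up in place of
    the OS copy; a legitimate application has no reason to ship one.
    Comparison is case-insensitive because NTFS lookups are.
    """
    system = {name.lower() for name in system_dll_names}
    hits = []
    for entry in app_files:
        p = PureWindowsPath(entry)
        if p.suffix.lower() == ".dll" and p.name.lower() in system:
            hits.append(str(p))
    return hits

def scan_directory(app_dir, system_dir=r"C:\Windows\System32"):
    """Run the hunt against real directories (meant for a Windows host)."""
    app_files = [str(p) for p in Path(app_dir).iterdir() if p.is_file()]
    system_names = [p.name for p in Path(system_dir).glob("*.dll")]
    return find_shadowing_dlls(app_files, system_names)

if __name__ == "__main__":
    for hit in find_shadowing_dlls(SAMPLE_APP_FILES, SAMPLE_SYSTEM_DLLS):
        print("sideload candidate:", hit)
```

A hit is a lead, not a verdict: confirm it by comparing the file's hash and signer against the copy in the system directory and by checking which executables in that directory actually import the library.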
Background
CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor are staples in IT toolkits worldwide. Users who downloaded them followed every security instruction they had been given. The trust chain broke above them—at the supplier’s own distribution infrastructure.
SentinelOne’s Annual Threat Report identifies this exact pattern as a systemic shift: "This extends deeply into the software supply chain, where the identity of a trusted developer becomes the vector of attack." In late 2025, the GhostAction campaign saw a compromised GitHub maintainer account push malicious workflows to extract secrets. A concurrent phishing attack against a maintainer of popular NPM packages deployed code capable of intercepting cryptocurrency transactions. In each case, commit logs appeared legitimate because they originated from accounts with valid write access. The identity was verified; the intent had been subverted.

The CPUID incident extends this pattern to software distribution itself. The supplier’s download infrastructure became the delivery channel for malware.
What This Means
This attack shows that traditional, signature-based defenses are insufficient. Attackers now compromise the trust chain at its root, by targeting the software vendor's infrastructure or developer accounts. Users who verify downloads by checking signatures, or by downloading only from official sites, can still be infected.
Behavioral detection, as demonstrated by SentinelOne’s AI EDR, is essential. It analyzes what processes do, not just what they are. "The next attack will work the same way," a SentinelOne spokesperson warned. "Organizations must invest in autonomous endpoint protection that can spot anomalies without relying on known indicators of compromise."
For IT teams, the takeaway is clear: verify trust continuously, and deploy AI-driven defenses that can detect attacks like this watering hole, where even validly signed software served from the vendor's own site becomes the vector.