CPU-Z Download Portal Compromised: AI-Driven EDR Foils Stealthy Watering Hole Attack in 19-Hour Breach


Breaking: Official CPUID Website Served Malware for 19 Hours

On April 9, 2026, the official CPUID website (cpuid.com) was actively distributing malware through its own download button. Threat actors compromised the vendor's API layer, silently redirecting legitimate requests to attacker-controlled servers. The breach lasted approximately 19 hours before being detected and neutralized.

[Image. Source: www.sentinelone.com]

Users who navigated directly to the official site received a properly signed, legitimate-looking binary with a malicious payload bundled inside. The attack targeted users of CPU-Z, HWMonitor, and other popular IT diagnostic tools.

How SentinelOne's AI EDR Detected the Anomaly

SentinelOne's behavioral detection system flagged an anomaly in cpuz_x64.exe within seconds of execution. The binary was genuine, the digital signature valid, and the download originated from the vendor's own infrastructure. However, the process chain revealed the attack: cpuz_x64.exe spawned PowerShell, which spawned csc.exe, which spawned cvtres.exe — a sequence CPU-Z never performs.

"CPU-Z does not launch PowerShell or compile code. That behavioral divergence was the tell," said a SentinelOne senior threat researcher. "The trust chain broke above the user. They followed every security instruction, but the supplier's domain was already weaponized."

Five Behavioral Indicators Converged

The SentinelOne agent triggered an alert: "Penetration framework or shellcode was detected." The detection relied on five specific behavioral indicators:

The agent autonomously terminated and quarantined the involved processes before the attack advanced further. The malicious CRYPTBASE.dll placed in the system folder was also identified and removed.


Background: The Shift in Software Supply Chain Attacks

This incident follows a pattern SentinelOne documented in its Annual Threat Report. The report states: "This shift extends deeply into the software supply chain, where the identity of a trusted developer becomes the vector of attack."

In late 2025, the GhostAction campaign saw a compromised GitHub maintainer account push malicious workflows to steal secrets. Separately, a phishing attack against a maintainer of popular NPM packages deployed code capable of intercepting cryptocurrency transactions. In every case, commit logs and push events appeared legitimate because they originated from accounts with valid write access. The identity was verified; the intent had been subverted.

The CPUID incident extends this pattern to software distribution: the supplier's download infrastructure became the delivery channel. CPU-Z, HWMonitor, and PerfMonitor are staples in IT toolkits. Users who downloaded them followed every instruction — yet the trust chain broke above them.

What This Means for Cybersecurity

Traditional signature-based defenses would have failed against this attack. The binary was signed, the source was trusted, and the delivery path appeared normal. Behavioral AI and EDR are now essential to detect attacks that exploit legitimate identities and infrastructure.

"The next attack will work the same way," warned the researcher. Organizations must assume that any external download, even from a known vendor, could be compromised. Real-time behavioral analysis is the only reliable safety net.

Users are advised to verify binary behavior even when the source appears trustworthy. Enterprise defenders should ensure their EDR tools can detect anomalous process chains like those seen here — where a benign executable suddenly spawns compiler tools and scripting engines.
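The process-chain check described above, written out as an added example (not SentinelOne's detection logic): it walks constructed process-creation events, and for every run of a diagnostic tool reports any root-to-leaf ancestry that passes through a scripting engine or compiler. The event records, PIDs, paths, and the `hwmonitor_x64.exe` name are assumptions made for the example; only `cpuz_x64.exe`, `powershell.exe`, `csc.exe` and `cvtres.exe` come from the article.

```python
"""Flag diagnostic-tool processes whose descendants include scripting or compiler tools."""
from collections import defaultdict, namedtuple

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
Event = namedtuple("Event", "pid ppid image")

EVENTS = [
    Event(100, 1, r"C:\Windows\explorer.exe"),
    Event(200, 100, r"C:\Users\it\Downloads\cpuz_x64.exe"),
    Event(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event(400, 300, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"),
    Event(500, 400, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"),
    Event(600, 100, r"C:\Users\it\Downloads\hwmonitor_x64.exe"),  # assumed name, clean run
    Event(700, 100, r"C:\Users\it\Downloads\cpuz_x64.exe"),       # second, clean CPU-Z run
]

# Tools whose legitimate behaviour never includes launching the children below.
# hwmonitor_x64.exe is an assumed filename used only for this example.
DIAGNOSTIC_TOOLS = {"cpuz_x64.exe", "cpuz_x32.exe", "hwmonitor_x64.exe"}
# Scripting engines and compilers a hardware-info utility has no business spawning.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "csc.exe", "vbc.exe",
                       "cvtres.exe", "msbuild.exe"}


def basename(path):
    """Lower-cased final path component of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_chains(events):
    """For each diagnostic-tool process, walk its descendants and return every
    root-to-leaf chain (as 'a -> b -> c') that contains a suspicious child."""
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    hits = []

    def walk(proc, chain):
        chain = chain + [basename(proc.image)]
        if not children[proc.pid]:  # leaf: decide on the whole chain below the tool
            if any(name in SUSPICIOUS_CHILDREN for name in chain[1:]):
                hits.append(" -> ".join(chain))
            return
        for child in children[proc.pid]:
            walk(child, chain)

    for e in events:
        if basename(e.image) in DIAGNOSTIC_TOOLS:
            walk(e, [])
    return hits


if __name__ == "__main__":
    for chain in suspicious_chains(EVENTS):
        print("ALERT: unexpected process chain:", chain)
```

The clean CPU-Z and HWMonitor runs produce no alert, so the rule keys on the descendant chain rather than on the tool's filename alone.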
