GPUGate Malware Exploits Google Ads and Counterfeit GitHub Commits to Target IT Companies
Cybersecurity researchers have uncovered a malware campaign that uses paid search-engine advertisements, including Google Ads, to deliver malware to users searching for popular developer tools such as GitHub Desktop. The campaign adds a twist to traditional malvertising: the sponsored link points to a GitHub commit page, so the visible destination is github.com, but the commit's content carries altered download links that redirect to attacker-controlled infrastructure. A link can therefore appear to lead to a reputable platform while the URL it actually resolves to sends the user to a counterfeit site. Since at least December 2024 the campaign has targeted IT and software development companies in Western Europe, with the links in the rogue GitHub commit funnelling victims to a malicious download hosted on the lookalike domain “gitpage[.]app”.
The first-stage malware delivered through these poisoned search results is a 128 MB Microsoft Software Installer (MSI) package, large enough to exceed the file-size limits of most online security sandboxes and so rarely analysed by them. A Graphics Processing Unit (GPU)-gated decryption routine, the technique the researchers call GPUGate, keeps the payload encrypted on systems that lack a real GPU: hosts without working GPU drivers are likely to be virtual machines, sandboxes, or older analysis environments commonly used by security researchers. The practical consequence for defenders is that the sample only decrypts and runs when detonated on bare metal or in a virtual machine with a physical GPU passed through. Once running, the installer executes a Visual Basic Script that launches a PowerShell script, which elevates to administrator privileges, adds Microsoft Defender exclusions, and sets up scheduled tasks for persistence. The ultimate goal is to steal information and deliver secondary payloads while evading detection. Russian-language comments in the PowerShell script suggest that the operators are native Russian speakers. Further analysis indicates that the threat actor’s domain also serves as a staging ground for Atomic macOS Stealer (AMOS), suggesting a cross-platform approach.
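The PowerShell stage described above (elevation, Defender exclusions, scheduled-task persistence, Russian-language comments) leaves traces in PowerShell script-block logs. The following is an added example, not code from the article or from the researchers' report: a small detector that scans script-block text, such as the ScriptBlockText field of Windows Event ID 4104, for those behaviours. The two sample script blocks are constructed for the example; the cmdlets and switches are real PowerShell syntax, but the paths, task name and comment text are not indicators from the campaign.

```python
"""
Added example (not part of the original article): a detector for the
post-exploitation behaviours the article attributes to the GPUGate
PowerShell stage, run over PowerShell script-block text (Event ID 4104).
The sample script blocks below are constructed for this example.
"""
import re
import unicodedata
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str       # name of the rule that fired
    evidence: str   # the matching text from the script block


# Each rule is (name, regex). Case-insensitive because PowerShell is.
RULES = [
    ("defender_exclusion",
     re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b", re.I)),
    ("defender_disable",
     re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$?true\b", re.I)),
    ("scheduled_task_persistence",
     re.compile(r"(Register-ScheduledTask\b|schtasks(\.exe)?\s+/create\b)", re.I)),
    ("elevation_attempt",
     re.compile(r"Start-Process\b[^\n]*-Verb\s+RunAs\b", re.I)),
]


def cyrillic_comments(script: str) -> list[str]:
    """Return the text of PowerShell line comments (# ...) containing Cyrillic letters."""
    found = []
    for line in script.splitlines():
        if "#" not in line:
            continue
        comment = line.split("#", 1)[1]
        if any("CYRILLIC" in unicodedata.name(ch, "") for ch in comment):
            found.append(comment.strip())
    return found


def analyze_script_block(script: str) -> list[Finding]:
    """Run every rule over one script block and return all findings."""
    findings = []
    for name, rx in RULES:
        for m in rx.finditer(script):
            findings.append(Finding(name, m.group(0)))
    for comment in cyrillic_comments(script):
        findings.append(Finding("cyrillic_comment", comment))
    return findings


def score(findings: list[Finding]) -> int:
    """Number of distinct rules hit; two or more in one block is worth an alert."""
    return len({f.rule for f in findings})


# Constructed sample: the behaviours described in the article, not the real script.
SAMPLE_MALICIOUS = r"""
# Добавляем исключения
Start-Process powershell.exe -ArgumentList "-File $PSCommandPath" -Verb RunAs
Add-MpPreference -ExclusionPath "C:\Users\Public\Libraries"
Add-MpPreference -ExclusionProcess "updater.exe"
Register-ScheduledTask -TaskName "SystemUpdater" -Action $a -Trigger $t -RunLevel Highest
"""

# Constructed sample: a benign admin script that reads the same settings.
SAMPLE_BENIGN = r"""
# Weekly maintenance check
Get-MpPreference | Select-Object ExclusionPath
Get-ScheduledTask -TaskName "Backup" | Get-ScheduledTaskInfo
"""

if __name__ == "__main__":
    for label, block in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        hits = analyze_script_block(block)
        print(f"{label}: score={score(hits)}")
        for h in hits:
            print(f"  [{h.rule}] {h.evidence}")
```

Event ID 4104 only exists if PowerShell script block logging is enabled, and a regex over script text is easy to defeat with obfuscation, so pair this with the events the behaviour itself produces: Windows Defender operational log Event ID 5007 (platform configuration changed, which covers exclusion additions) and Security log Event ID 4698 (scheduled task created). The Cyrillic-comment rule is a weak attribution signal on its own and is included only because the article reports it; it should raise the score, not trigger an alert by itself.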
Categories: Malware Campaigns, Cybersecurity Threats, Social Engineering Techniques
Tags: Malware, Malvertising, GitHub, Cybersecurity, Exploitation, Information Theft, PowerShell, Persistence, Cross-Platform, Google Ads