332/68 Wednesday, September 10, 2025

Cybersecurity researchers have uncovered a new malware campaign called GPUGate, which targets IT and software development companies. The attackers rely on malvertising via Google Ads to trick users searching for popular tools such as GitHub Desktop into downloading malicious files. A key feature of this campaign is the use of fake GitHub commits embedded in URLs, which redirect victims to attacker-controlled domains (e.g., gitpage[.]app). While the links appear legitimate and seem to point to GitHub, they actually lead to spoofed websites that deliver malware.
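The lure described above works because the visible link looks like a GitHub commit while the download is served from a host that is not GitHub's. The following triage helper is an added example written for this summary, not code from the original report or from Arctic Wolf: it classifies a single URL and audits a redirect chain from ad click to download. The commit-path pattern, the "git"-themed label heuristic, and the sample chain (the gitpage[.]app host is from the report, the repository path and installer name are constructed) are assumptions for illustration.

```python
"""Triage helper: does a link that looks like a GitHub commit URL actually
point at GitHub, and does an ad-click redirect chain stay on GitHub?

Added example for this summary, not code from the original report.
"""
import re
from urllib.parse import urlparse

# Assumption: github.com and its subdomains are the only legitimate hosts
# for a GitHub commit link.
GITHUB_HOSTS = ("github.com",)

# A GitHub commit path has the shape /<owner>/<repo>/commit/<hex sha>.
COMMIT_PATH = re.compile(r"^/[^/]+/[^/]+/commit/[0-9a-f]{7,40}/?$", re.IGNORECASE)

# Heuristic (assumption): a host label starting with "git" on a non-GitHub
# host is the kind of lookalike name this campaign used (e.g. gitpage).
GIT_THEMED_LABEL = re.compile(r"^git", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'gitpage[.]app' back into a parseable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def parse(url: str):
    url = refang(url.strip())
    if "://" not in url:
        url = "https://" + url
    return urlparse(url)


def is_github_host(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in GITHUB_HOSTS)


def classify(url: str) -> str:
    """Return 'github', 'lookalike' or 'other'.

    'lookalike' means the URL carries a GitHub-style commit path or a
    git-themed host label while the host itself is not GitHub's.
    """
    parsed = parse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    if is_github_host(host):
        return "github"
    labels = host.split(".")
    if COMMIT_PATH.match(parsed.path) or any(GIT_THEMED_LABEL.match(l) for l in labels):
        return "lookalike"
    return "other"


def audit_chain(chain):
    """Walk a redirect chain (first hop = link shown to the user, last hop =
    final download). 'off-github' flags the pattern from the report: a link
    that starts on GitHub but ends on another host."""
    if not chain:
        return "empty"
    verdicts = [classify(u) for u in chain]
    if verdicts[0] == "github" and verdicts[-1] != "github":
        return "off-github"
    if "lookalike" in verdicts:
        return "lookalike"
    return "clean" if all(v == "github" for v in verdicts) else "other"


# Constructed sample chain: the host gitpage[.]app is named in the report;
# the repository path and installer file name are made up for this example.
CONSTRUCTED_CHAIN = [
    "https://github.com/example-org/example-repo/commit/0123456789abcdef0123456789abcdef01234567",
    "https://gitpage[.]app/GitHubDesktopSetup.msi",
]

if __name__ == "__main__":
    for u in CONSTRUCTED_CHAIN:
        print(classify(u), u)
    print("chain verdict:", audit_chain(CONSTRUCTED_CHAIN))
```

The check is deliberately conservative: it never trusts the path or the visible text of a link, only the parsed host, because a commit-shaped path on a foreign host is exactly what the lure relied on.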
The GPUGate malware is hidden inside a 128 MB Microsoft Software Installer (MSI) file, intentionally large enough to evade detection by most security sandboxes. It also employs a GPU-gated decryption mechanism, which only decrypts its payload when a real GPU is present, successfully bypassing the virtual machines and sandboxes typically used by researchers. Once executed on the victim’s device, the malware launches a PowerShell script with administrator privileges to disable Microsoft Defender, create scheduled tasks, and install additional payloads, while also stealing sensitive information.
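The post-execution behaviour described above (Defender tampering followed by scheduled-task persistence) is what an endpoint telemetry rule can key on, regardless of how the payload was decrypted. The detection sketch below is an added example written for this summary, not code from the report; the cmdlet and utility names it matches on, and the sample command-line log, are assumptions about how such behaviour typically appears in process-creation telemetry, not indicators taken from the campaign.

```python
"""Flag PowerShell / command-line telemetry that matches the behaviour the
report describes: disabling Defender and creating scheduled tasks.

Added example for this summary, not code from the original report. The
patterns below are generic assumptions, not campaign indicators.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    tactic: str
    evidence: str


# Each rule pairs a behaviour label with a pattern over the command line.
RULES = (
    ("defender-tamper", re.compile(r"Set-MpPreference\b[^\n]*-Disable\w+", re.I)),
    ("defender-tamper", re.compile(r"Add-MpPreference\b[^\n]*-Exclusion\w+", re.I)),
    ("scheduled-task", re.compile(r"\bschtasks(?:\.exe)?\b[^\n]*/create\b", re.I)),
    ("scheduled-task", re.compile(r"Register-ScheduledTask\b", re.I)),
    ("policy-bypass", re.compile(r"-ExecutionPolicy\s+Bypass\b", re.I)),
)


def scan(lines):
    """Return one Finding per (line, rule) match, in log order."""
    findings = []
    for n, line in enumerate(lines, 1):
        for tactic, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append(Finding(n, tactic, m.group(0)))
    return findings


def verdict(findings):
    """Escalate when Defender tampering and persistence appear together,
    which is the combination described for this malware."""
    tactics = {f.tactic for f in findings}
    if {"defender-tamper", "scheduled-task"} <= tactics:
        return "high"
    return "medium" if tactics else "none"


# Constructed sample telemetry (host, user and paths are made up).
SAMPLE_LOG = [
    "2025-09-10T09:12:01Z host=WS-042 user=dev01 cmd=powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\Public\\stage.ps1",
    "2025-09-10T09:12:02Z host=WS-042 user=dev01 cmd=powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    "2025-09-10T09:12:03Z host=WS-042 user=dev01 cmd=schtasks.exe /create /tn Updater /tr C:\\Users\\Public\\upd.exe /sc onlogon",
    "2025-09-10T09:15:40Z host=WS-042 user=dev01 cmd=code.exe --new-window",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.tactic}: {f.evidence}")
    print("verdict:", verdict(found))
```

Correlating the two behaviours on one host within a short window is what turns two individually noisy signals into a confident alert; the same rule set also covers administrators running these commands legitimately, so the verdict should feed triage rather than automatic blocking.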
Analysis by Arctic Wolf revealed traces suggesting that the attackers’ infrastructure was developed by Russian-speaking actors. The infrastructure has also been used to distribute cross-platform malware, such as Atomic macOS Stealer (AMOS). Furthermore, connections were found to other campaigns involving trojanized ConnectWise ScreenConnect used to deploy remote access tools like AsyncRAT and PureHVNC in the United States. This demonstrates how modern threats are increasingly combining multiple evasion techniques and tools to enhance the effectiveness and persistence of attacks.
Source: https://thehackernews.com/2025/09/gpugate-malware-uses-google-ads-and.html