A sophisticated malware campaign, dubbed \u201cGPUGate,\u201d abuses Google Ads and GitHub\u2019s repository structure to trick users into downloading malicious software.<\/p>\n
The Arctic Wolf Cybersecurity Operations Center, the attack chain uses a novel technique to evade security analysis by leveraging a computer\u2019s Graphics Processing Unit (GPU).<\/p>\n
The campaign appears to be the work of a Russian-speaking threat actor and is actively targeting IT professionals in Western Europe.<\/p>\n
The attack begins with malicious advertising, where attackers place a sponsored ad at the top of Google search results for terms like \u201cGitHub Desktop.\u201d This ad directs users to what appears to be a legitimate GitHub page.<\/p>\n
![\"Google](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiFLIYrfkvfKwd0jSPzn9IJaTv9LUsVxJlLMUJB3dvMldoGODDG79YCv3m-xTc-ZsVG7ChVRJVGez0RvbNmS758HpxmGy5koPkGqVp33-HW0MZCXhNPtu5x5I7DNTha7atsXOjTvxEERg3Cu2Z8jO4MJsBsxo2lD6DE4MjeszV0RD2pCj_4vVkhOXdzBIyK\/w640-h614\/gpugate-fig01-1024x981.webp?resize=1024%2C981&ssl=1\")
In reality, the link leads to a specific, manipulated \u201ccommit\u201d page within a repository. This page looks authentic, retaining the repository\u2019s name and metadata, but contains altered download links that point to an attacker-controlled domain.<\/p>\n
This \u201ctrust bridge\u201d exploits the user\u2019s confidence in both Google and GitHub to deliver the malicious payload.<\/p>\n
What makes GPUGate particularly notable is its unique evasion method. The initial installer is a large 128 MB file, designed to bypass security sandboxes<\/a> that often have file size limits.<\/p>\n Its most innovative feature is a GPU-gated decryption routine. The malware will only decrypt its malicious payload if it detects a real, physical GPU with a device name longer than ten characters, Arctic Wolf said<\/a>.<\/p>\n This is a deliberate tactic to thwart analysis, as the virtual machines and sandboxes used by security researchers often have generic, short GPU names or no GPU at all. On such systems, the payload remains encrypted and inert.<\/p>\n The primary goal of this campaign is to gain initial access to organizational networks for malicious activities, including credential theft<\/a>, data exfiltration, and ransomware deployment.<\/p>\n By targeting developers and IT workers, individuals likely to seek tools like GitHub Desktop, the attackers aim for victims with elevated network privileges.<\/p>\n Once executed, the malware uses a PowerShell script<\/a> to gain administrative rights, create scheduled tasks for persistence, and add exclusions to Windows Defender to avoid detection. The campaign has been active since at least December 2024 and represents an evolving and significant threat.<\/p>\n Find this Story Interesting! Follow us on Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>.<\/p>\n The post \u201cGPUGate\u201d Malware Abuses Google Ads and GitHub to Deliver Advanced Malware Payload<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"weaponized](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjUFE7oi7cfstODD6nhyV5Mf89m-mLCETlOVjTPCDk9fKormVBZArtTqHIL8xg2J2VcLTv19Jp1OkdkfsMW4U-woegOCrDZI3nyIGkosZgF4hREHLL2Drp7QjvAyRroCIxfJejcRjhwxUzWCDiNUcEObZdl9uHgnM8xx59X7u1FWiWhl339DLcTGHMrNy5i\/w640-h556\/gpugate-fig03.webp?ssl=1\")