A new malware operation, dubbed GPUGate, is using malicious Google Ads and counterfeit GitHub commit pages to target IT and software development companies in Western Europe. The campaign directs users searching for tools like GitHub Desktop to attacker-controlled lookalike domains through manipulated URLs that appear legitimate. A heavily bloated MSI installer serves as the first-stage payload, deliberately sized at 128 MB to evade analysis in security sandboxes.
The malware employs a unique GPU-gated decryption method; it only decrypts its payload on systems with a real GPU and proper drivers, effectively bypassing virtual machines and research environments. If executed, it runs a series of scripts that gain administrative privileges, add Microsoft Defender exclusions, and establish persistence. The final payload is designed to steal information and deploy additional malware.
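The Defender-exclusion step described above leaves a trace in the Microsoft-Windows-Windows Defender/Operational log as Event ID 5007 (configuration changed). The following is an added detection example, not code from the original report or from the GPUGate campaign; it parses constructed 5007-shaped records, extracts exclusions that were added (the "New value" side), and rates ones pointing at user-writable locations or at whole processes as high severity. The sample events and paths are made up.

```python
import re

# Constructed sample records modelled on Windows Defender Operational log
# Event ID 5007 ("antimalware platform configuration changed"). Paths and
# values are made up; real messages use the same "Old value / New value" shape.
SAMPLE_EVENTS = [
    {"EventID": 5007, "Message": (
        "Microsoft Defender Antivirus Configuration has changed.\r\n"
        "\tOld value: \r\n"
        "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
        "C:\\Users\\Public\\Updater = 0x0")},
    {"EventID": 5007, "Message": (
        "Microsoft Defender Antivirus Configuration has changed.\r\n"
        "\tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
        "C:\\Tools = 0x0\r\n"
        "\tNew value: ")},                      # an exclusion being removed, not added
    {"EventID": 5007, "Message": (
        "Microsoft Defender Antivirus Configuration has changed.\r\n"
        "\tOld value: \r\n"
        "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\"
        "powershell.exe = 0x0")},
    {"EventID": 5007, "Message": (
        "Microsoft Defender Antivirus Configuration has changed.\r\n"
        "\tOld value: \r\n"
        "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
        "C:\\Program Files\\Vendor = 0x0")},
    {"EventID": 1116, "Message": "Microsoft Defender Antivirus has detected malware."},
]

# Only the "New value" side matters: that is the exclusion being added.
NEW_EXCLUSION = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(Paths|Extensions|Processes)\\(.+?)\s*=\s*0x", re.S)

# User-writable locations: an exclusion here lets a dropped payload run unscanned.
USER_WRITABLE = re.compile(r"\\(Users\\Public|AppData|Temp|Downloads)\\", re.I)

def find_exclusion_additions(events):
    """Return (kind, value, severity) for each exclusion added via Event 5007."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 5007:
            continue
        m = NEW_EXCLUSION.search(ev["Message"])
        if not m:
            continue                            # removal or unrelated setting change
        kind, value = m.group(1), m.group(2)
        high = kind == "Processes" or USER_WRITABLE.search(value + "\\") is not None
        findings.append((kind, value, "high" if high else "medium"))
    return findings

if __name__ == "__main__":
    for finding in find_exclusion_additions(SAMPLE_EVENTS):
        print(finding)
```

On a live host the same records can be pulled with Get-WinEvent against the Defender Operational log and fed to this function as dictionaries.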
Evidence within the code, such as Russian language comments, suggests the threat actors are native Russian speakers. The infrastructure has also been used to distribute Atomic macOS Stealer, indicating a cross-platform threat. This campaign highlights how malvertising can be combined with advanced evasion techniques to bypass both user vigilance and automated defenses.
