Ethical Hacking News
A sophisticated malware campaign has been discovered that uses paid ads on search engines like Google to deliver malware to unsuspecting users looking for popular tools like GitHub Desktop. The attackers, believed to have native Russian language proficiency, use an innovative tactic of embedding fake GitHub commits in page URLs to funnel victims to malicious downloads.
Cybersecurity researchers have uncovered a sophisticated malware campaign, dubbed GPUGate, that uses paid ads on search engines like Google to deliver malware. The attackers specifically targeted IT and software development companies in Western Europe since at least December 2024. The malware delivers a bloated Microsoft Software Installer (MSI) via poisoned search results, evading most existing online security sandboxes. The attack aims to facilitate information theft and deliver secondary payloads while evading detection.
Cybersecurity researchers have recently uncovered a sophisticated malware campaign that leverages paid ads on search engines like Google to deliver malware to unsuspecting users looking for popular tools like GitHub Desktop. This malicious activity, dubbed GPUGate, employs an innovative tactic of embedding a fake GitHub commit into a page URL containing altered links that point to attacker-controlled infrastructure.
The attackers have specifically targeted IT and software development companies within Western Europe since at least December 2024. The links within the rogue GitHub commit are designed to funnel users to a malicious download hosted on a lookalike domain ("gitpage[.]app"). This approach not only deceives the end-users but also complicates detection efforts for security researchers.
The first-stage malware delivered through the poisoned search results is a bloated 128 MB Microsoft Software Installer (MSI) that, owing to its size, evades most existing online security sandboxes. The technique has been codenamed GPUGate. The executable uses GPU functions to generate the encryption key used to decrypt the payload and checks the GPU device name while doing so. Systems without proper GPU drivers are likely to be virtual machines (VMs), sandboxes, or older analysis environments that security researchers commonly use.
Besides padding the installer with several garbage files to complicate analysis, it also terminates execution if the device name is shorter than 10 characters or GPU functions are unavailable. The attack then proceeds to a Visual Basic Script that launches a PowerShell script; the latter runs with administrator privileges, adds Microsoft Defender exclusions, sets up scheduled tasks for persistence, and finally runs executable files extracted from a downloaded ZIP archive.
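As an added illustration (not code from the report or from Arctic Wolf), the following Python sketches a triage rule over constructed PowerShell script-block log lines of the kind Event ID 4104 records, flagging the combination the article describes: a Defender exclusion plus scheduled-task persistence, with archive extraction, execution from a public folder and a Cyrillic comment as weaker supporting signals. All paths, task names and the comment text are made up.

```python
import re

# Constructed PowerShell script-block text (the kind logged as Event ID 4104 in
# Microsoft-Windows-PowerShell/Operational). These are illustrative lines, not
# the GPUGate script itself; paths, task names and the comment are made up.
SAMPLE_SCRIPT_BLOCKS = [
    "# добавить исключение",  # constructed Cyrillic comment
    "Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\svc'",
    "schtasks /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\Public\\svc\\run.exe",
    "Expand-Archive -Path $env:TEMP\\pkg.zip -DestinationPath C:\\Users\\Public\\svc",
    "Start-Process C:\\Users\\Public\\svc\\run.exe",
]
BENIGN_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\logs | Where-Object { $_.Length -gt 1MB }",
    "Expand-Archive -Path .\\release.zip -DestinationPath .\\release",
]

# Behaviours from the reported chain, each as a regex over one script block.
INDICATORS = {
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I),
    "scheduled_task": re.compile(r"schtasks(\.exe)?\s+/create|Register-ScheduledTask", re.I),
    "archive_extract": re.compile(r"\bExpand-Archive\b", re.I),
    "run_from_public": re.compile(r"Start-Process\s+[\"']?C:\\Users\\Public\\", re.I),
    # Weak signal: a comment containing Cyrillic, matching the report's observation.
    "cyrillic_comment": re.compile(r"#.*[\u0400-\u04FF]"),
}

# Strong signals: the combination that turns routine admin activity into the
# reported persistence-plus-defence-evasion pattern.
STRONG = {"defender_exclusion", "scheduled_task"}

def match_indicators(blocks):
    """Return the set of indicator names seen across a session's script blocks."""
    hits = set()
    for block in blocks:
        for name, pattern in INDICATORS.items():
            if pattern.search(block):
                hits.add(name)
    return hits

def classify(blocks):
    """Triage a session: 'alert' when both strong signals co-occur, 'review' when
    any single indicator fires, 'none' otherwise. Returns (verdict, sorted hits)."""
    hits = match_indicators(blocks)
    if STRONG <= hits:
        return "alert", sorted(hits)
    if hits:
        return "review", sorted(hits)
    return "none", []
```

Calling `classify(SAMPLE_SCRIPT_BLOCKS)` yields an alert with all five indicators, while the benign session is only marked for review on the lone archive extraction.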
The end goal is to facilitate information theft and deliver secondary payloads while simultaneously evading detection. It's assessed that the threat actors behind the campaign have native Russian language proficiency, given the presence of Russian language comments in the PowerShell script. Further analysis of the threat actor's domain has revealed it to be acting as a staging ground for Atomic macOS Stealer (AMOS), suggesting a cross-platform approach.
By exploiting GitHub's commit structure and leveraging Google Ads, threat actors can convincingly mimic legitimate software repositories and redirect users to malicious payloads – bypassing both user scrutiny and endpoint defenses. Arctic Wolf states that "even when a link seems to point to a reputable platform such as GitHub, the underlying URL can be manipulated to resolve to a counterfeit site." This report provides valuable insights into the tactics employed by malware actors in their attempts to evade detection and successfully deploy malicious payloads.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Sophisticated-Malware-Campaign-Utilizing-Google-Ads-and-Fake-GitHub-Commits-to-Target-IT-Firms-ehn.shtml
https://thehackernews.com/2025/09/gpugate-malware-uses-google-ads-and.html
https://arcticwolf.com/resources/blog/gpugate-malware-malicious-github-desktop-implants-use-hardware-specific-decryption-abuse-google-ads-target-western-europe/
Published: Mon Sep 8 12:46:12 2025 by llama3.2 3B Q4_K_M