Attackers Hijack GitHub Desktop Repo to Spread Malware via Official Installer

Threat actors have successfully exploited a design flaw in GitHub’s fork architecture to distribute malware disguised as the legitimate GitHub Desktop installer.

The attack chain begins with a deceptively simple but effective technique. Attackers create throwaway GitHub accounts and fork the official GitHub Desktop repository.

They then modify the download link in the README file to point to their malicious installer and commit the change.

Crucially, the fork's commit then becomes viewable under the official repository's namespace, at a URL of the form github.com/desktop/desktop/tree/ followed by the commit hash, even though the attacker has no write access to the official repository.

The attack, which research firm GMO Cybersecurity has been actively tracking since September 2025, leverages a technique called “repo squatting” to make malicious commits appear under official repository namespaces, deceiving users into downloading trojaned software.

This behavior, while intentional and documented in GitHub’s security documentation, creates a significant vulnerability.

Even if the attacker deletes their fork or account, the commit hash persists within the repository network, making cleanup extremely difficult.

GitHub's design allows attackers to squat in official repository namespaces and insert malicious content.

To amplify the campaign’s reach, threat actors leveraged sponsored advertisements promoting “GitHub Desktop” on search engines.

The ads linked directly to the malicious commits and used README anchors so that the page opened scrolled past GitHub's warning that the commit does not belong to any branch of the repository, targeting developers actively searching for the legitimate tool.
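Two checks a developer or analyst can apply to a link of that shape, as an added example (not code from the article or from GMO Cybersecurity): classify the URL, flagging a link that pins the official namespace to a bare 40-hex commit hash and jumps to a fragment, and, given a local clone of the official repository, ask git whether that commit is reachable from any upstream branch or tag. The URL shapes and git invocations are standard; the sample URLs and the placeholder hash are constructed for the example and are not indicators from the report.

```python
"""Triage a GitHub link before trusting it: is it pinned to a bare commit hash that
may live only in a fork, and does it use an anchor to scroll past the page banner?
Added example; not code from the article or from GMO Cybersecurity."""
import re
import subprocess
from typing import Dict
from urllib.parse import urlparse

SHA1_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
# URL shapes that pin content to a git ref: /tree/<ref>, /commit/<ref>, /blob/<ref>/path
REF_PATHS = ("tree", "commit", "blob", "commits")


def classify_github_link(url: str) -> Dict[str, object]:
    """Break a github.com URL into owner/repo/ref and flag the malvertising pattern:
    a full commit hash under the official namespace plus a fragment (#readme ...).
    Assumption for this example: a ref that is not a 40-hex SHA is a branch or tag name."""
    u = urlparse(url)
    parts = [p for p in u.path.split("/") if p]
    result = {"url": url, "owner": None, "repo": None, "ref": None,
              "pinned_to_sha": False, "has_anchor": bool(u.fragment), "suspicious": False}
    if u.hostname not in ("github.com", "www.github.com") or len(parts) < 2:
        return result
    result["owner"], result["repo"] = parts[0], parts[1]
    if len(parts) >= 4 and parts[2] in REF_PATHS:
        ref = parts[3]
        result["ref"] = ref
        result["pinned_to_sha"] = bool(SHA1_RE.match(ref))
    # A link that skips the branch view, lands on a raw commit hash and jumps to an
    # anchor is exactly the shape the campaign's ads used.
    result["suspicious"] = result["pinned_to_sha"] and result["has_anchor"]
    return result


def commit_on_official_ref(repo_dir: str, sha: str) -> bool:
    """Definitive check against a local clone of the *official* repository: is `sha`
    reachable from any branch or tag? A commit that GitHub renders under the upstream
    namespace but that no upstream ref contains came from a fork. Mere existence of the
    object is not the test; reachability from a ref is."""
    for args in (["branch", "-a", "--contains", sha], ["tag", "--contains", sha]):
        proc = subprocess.run(["git", "-C", repo_dir, *args], capture_output=True, text=True)
        if proc.returncode == 0 and proc.stdout.strip():
            return True
    return False


if __name__ == "__main__":
    # Constructed URLs; the all-'a' hash is a placeholder, not an indicator from the report.
    for link in (
        "https://github.com/desktop/desktop/tree/" + "a" * 40 + "#readme",
        "https://github.com/desktop/desktop/tree/development",
        "https://github.com/desktop/desktop/releases",
    ):
        print(classify_github_link(link))
```

Run `commit_on_official_ref("/path/to/clone", sha)` against a fresh `git fetch --all` of the genuine repository; a link that is `suspicious` and whose commit is on no official ref is a fork commit wearing the upstream namespace.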

Multi-Stage Loader Delivering HijackLoader

The malicious installer, GitHubDesktopSetup-x64.exe (SHA256: e252bb114f5c…), is a 127.68 MB single-file .NET application that functions as a sophisticated multi-stage loader.

Infection Chain Overview (Source: GMO Cybersecurity).

Analysis reveals similar samples dating back to May 2025, masquerading under other popular application names, including Chrome, Notion, 1Password, and Bitwarden.

The loader employs several evasion techniques. Most notably, it abuses OpenCL (Open Computing Language), an API for running compute kernels on GPUs and other accelerators, to hinder dynamic analysis in sandboxes and virtual machines that lack GPU drivers and therefore expose no OpenCL device.

The malware implements deliberate code misdirection that complicates static recovery of decryption keys, forcing security researchers onto physical machines with GPUs to complete analysis.

Interestingly, GMO Cybersecurity discovered that the OpenCL implementation contains intentional bugs: arguments are passed by value rather than by reference, causing kernel execution to fail.

The 8-byte bundle header-offset in the apphost's bundle marker, which is zero for a non-bundled apphost, is set to 0x7FAB159, confirming that this is a single-file application. That header-offset and the adjacent bundle signature can be combined with other identifiers to hunt for related samples with YARA.

Malicious Installer (Source: GMO Cybersecurity).
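How one would confirm the single-file-bundle verdict on a sample and derive a hunting pattern from it, as an added example (not GMO Cybersecurity's tooling and not code from the article). The marker layout (an 8-byte little-endian header offset immediately followed by the 32-byte signature, the SHA-256 of the string ".net core bundle") and the manifest field order follow the .NET HostModel bundler format for bundle versions 2 through 6; the bundle the script parses is synthetic, constructed in build_fake_bundle, since the real installer is not reproduced here.

```python
"""Detect a .NET single-file bundle and read its manifest, the way one would confirm a
bundle header-offset such as 0x7FAB159. Added example, not the report's own tooling;
the sample bundle is synthetic."""
import hashlib
import struct
from typing import Dict, List, Optional

# The apphost carries a 40-byte marker: an 8-byte little-endian manifest offset (zero
# in a plain, non-bundled apphost) followed by the 32-byte bundle signature.
BUNDLE_SIGNATURE = hashlib.sha256(b".net core bundle").digest()
FILE_TYPES = {0: "Unknown", 1: "Assembly", 2: "NativeBinary", 3: "DepsJson",
              4: "RuntimeConfigJson", 5: "Symbols"}


def find_bundle_header_offset(data: bytes) -> Optional[int]:
    """Return the manifest offset if `data` is a single-file bundle, else None."""
    pos = data.find(BUNDLE_SIGNATURE)
    if pos < 8:
        return None
    (offset,) = struct.unpack_from("<q", data, pos - 8)
    if offset <= 0 or offset >= len(data):
        return None  # marker present but unset (plain apphost) or corrupt
    return offset


def _read_string(data: bytes, pos: int):
    """BinaryReader string: 7-bit encoded length prefix, then UTF-8 bytes."""
    length = shift = 0
    while True:
        b = data[pos]
        pos += 1
        length |= (b & 0x7F) << shift
        if not b & 0x80:
            break
        shift += 7
    return data[pos:pos + length].decode("utf-8"), pos + length


def parse_bundle_manifest(data: bytes, offset: int) -> Dict[str, object]:
    """Parse the manifest header and the embedded-file table at `offset`."""
    major, minor, count = struct.unpack_from("<IIi", data, offset)
    pos = offset + 12
    bundle_id, pos = _read_string(data, pos)
    if major >= 2:
        pos += 8 * 4 + 8  # deps.json / runtimeconfig.json (offset, size) pairs, then flags
    files: List[Dict[str, object]] = []
    for _ in range(count):
        f_off, f_size = struct.unpack_from("<qq", data, pos)
        pos += 16
        if major >= 6:
            pos += 8  # compressed size (0 when the file is stored uncompressed)
        ftype = data[pos]
        pos += 1
        path, pos = _read_string(data, pos)
        files.append({"path": path, "offset": f_off, "size": f_size,
                      "type": FILE_TYPES.get(ftype, str(ftype))})
    return {"version": f"{major}.{minor}", "bundle_id": bundle_id, "files": files}


def yara_hex_pattern(header_offset: int) -> str:
    """Hex string for a YARA rule that matches this exact offset+signature marker."""
    marker = struct.pack("<q", header_offset) + BUNDLE_SIGNATURE
    return "{ " + " ".join(f"{b:02X}" for b in marker) + " }"


def _write_string(s: str) -> bytes:
    raw = s.encode("utf-8")
    n, out = len(raw), bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out) + raw


def build_fake_bundle() -> bytes:
    """Synthetic v6 bundle for exercising the parser (constructed; not a real sample)."""
    body = bytearray(0x200)  # stand-in for the native apphost stub
    entries = []
    for content, ftype, path in ((b"MZ...", 1, "Loader.dll"), (b"{}", 4, "Loader.runtimeconfig.json")):
        entries.append((len(body), len(content), ftype, path))
        body += content
    manifest_offset = len(body)
    body += struct.pack("<IIi", 6, 0, len(entries)) + _write_string("example-bundle-id")
    body += struct.pack("<qqqqQ", 0, 0, 0, 0, 0)  # deps/runtimeconfig locations, flags
    for off, size, ftype, path in entries:
        body += struct.pack("<qqq", off, size, 0) + bytes([ftype]) + _write_string(path)
    body[0x40:0x68] = struct.pack("<q", manifest_offset) + BUNDLE_SIGNATURE  # marker in the stub
    return bytes(body)


if __name__ == "__main__":
    sample = build_fake_bundle()
    off = find_bundle_header_offset(sample)
    print(f"bundle header-offset: {off:#x}", parse_bundle_manifest(sample, off))
    print("YARA hex for the reported offset:", yara_hex_pattern(0x7FAB159))
```

Replace `build_fake_bundle()` with the bytes of a real sample to list what it embeds; the `yara_hex_pattern` string pins one specific header offset, so pair it with other identifiers from the sample rather than using it alone, as the text suggests.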

The failed OpenCL kernel leaves the decryption key all zeros, and analysts who assume the OpenCL code runs as written, whether by executing it on GPU hardware or by reconstructing its logic statically, are derailed by that expectation. It is an effective, if unusual, anti-reverse-engineering measure.

Payload Delivery and Persistence

Once executed, the malware downloads encrypted archives containing legitimate signed binaries (Control-Binary32.exe, Qt5Network.dll, Qt5Core.dll) and malicious payloads.

One of the intentional bugs concerns clGetPlatformIDs and clGetDeviceIDs: they return opaque platform and device handles, not device name strings such as “GeForce RTX 4090” (those come from clGetDeviceInfo), so code that expects a name from them gets none.

OpenCL Shenanigans (Source: GMO Cybersecurity).

The infection leverages DLL sideloading and module stomping, injecting shellcode into vssapi.dll to execute HijackLoader, a known loader previously observed deploying the LummaC2 stealer and other commodity malware.

Persistence is established through a scheduled task named “WinSvcUpd” that executes whenever users log on.

The PowerShell stager adds Microsoft Defender exclusions for AppData, LocalAppData, and ProgramData directories, allowing subsequent payloads to execute undetected.
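Detection logic for those two host-side artefacts over process-creation telemetry, as an added example (not GMO Cybersecurity's detection content): it flags any Add-MpPreference -ExclusionPath command, escalates when the excluded paths cover AppData, LocalAppData or ProgramData in any spelling (%VAR%, $env:VAR or a literal path), and flags schtasks /create with /sc onlogon or Register-ScheduledTask with a logon trigger. The log records, their key=value layout, the hostnames, usernames and the task's target path are constructed for the example; only the task name WinSvcUpd and the three excluded roots come from the report.

```python
"""Flag Defender exclusions over user/program data roots and logon-triggered scheduled
tasks in process-creation records. Added example over constructed telemetry; not the
report's own detection logic."""
import re
from typing import Dict, List

# Roots whose exclusion blinds Defender to anything a user-level loader drops, in the
# %VAR%, $env:VAR and literal-path spellings (matched case-insensitively).
ROOT_RE = re.compile(
    r"%appdata%|\$env:appdata\b|\\appdata\\roaming|"
    r"%localappdata%|\$env:localappdata\b|\\appdata\\local|"
    r"%programdata%|\$env:programdata\b|\\programdata\b",
    re.IGNORECASE,
)
ADD_EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*-ExclusionPath\b", re.IGNORECASE | re.DOTALL)
ONLOGON_RE = re.compile(r"/sc\s+onlogon", re.IGNORECASE)
TASK_NAME_RE = re.compile(r'/tn\s+"?([^"\s]+)', re.IGNORECASE)
# Constructed record layout: <timestamp> host=<h> user=<u> image=<path> cmdline=<rest>
RECORD_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
                       r"image=(?P<image>.+?)\s+cmdline=(?P<cmd>.*)$")

SAMPLE_EVENTS = [  # constructed records, not real telemetry; task target path is invented
    r"2025-10-02T09:14:03Z host=DEV-01 user=alice image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r'cmdline=powershell.exe -nop -w hidden -c "Add-MpPreference -ExclusionPath $env:APPDATA,$env:LOCALAPPDATA,$env:ProgramData"',
    r"2025-10-02T09:14:05Z host=DEV-01 user=alice image=C:\Windows\System32\schtasks.exe "
    r'cmdline=schtasks.exe /create /f /tn WinSvcUpd /sc onlogon /tr "C:\Users\alice\AppData\Roaming\Upd\svcupd.exe"',
    r"2025-10-02T09:20:11Z host=DEV-01 user=alice image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r'cmdline=powershell.exe -c "Add-MpPreference -ExclusionPath C:\Dev\repo"',
    r"2025-10-02T09:21:40Z host=DEV-01 user=alice image=C:\Program Files\Git\cmd\git.exe cmdline=git.exe fetch origin",
]


def canonical_root(match: str) -> str:
    """Map any spelling of the three roots to one label."""
    m = match.lower()
    if "local" in m:
        return "LOCALAPPDATA"
    if "programdata" in m:
        return "PROGRAMDATA"
    return "APPDATA"


def analyse_command(cmd: str) -> List[Dict[str, object]]:
    """Return zero or more findings for one command line."""
    findings: List[Dict[str, object]] = []
    if ADD_EXCLUSION_RE.search(cmd):
        roots = sorted({canonical_root(m) for m in ROOT_RE.findall(cmd)})
        findings.append({
            "rule": "defender_exclusion_added",
            "severity": "high" if roots else "medium",
            "detail": f"broad roots excluded: {', '.join(roots)}" if roots else "path exclusion added",
        })
    low = cmd.lower()
    if "schtasks" in low and "/create" in low and ONLOGON_RE.search(cmd):
        name = TASK_NAME_RE.search(cmd)
        findings.append({"rule": "logon_scheduled_task", "severity": "medium",
                         "detail": f"task {name.group(1) if name else '?'} runs at logon"})
    elif "register-scheduledtask" in low and "-atlogon" in low:
        findings.append({"rule": "logon_scheduled_task", "severity": "medium",
                         "detail": "PowerShell scheduled task with a logon trigger"})
    return findings


def scan_events(lines: List[str]) -> List[Dict[str, object]]:
    """Parse the records and attach host/user/time context to each finding."""
    out: List[Dict[str, object]] = []
    for line in lines:
        rec = RECORD_RE.match(line)
        if not rec:
            continue  # unparseable line: skip rather than guess
        for f in analyse_command(rec["cmd"]):
            out.append({**f, "time": rec["ts"], "host": rec["host"],
                        "user": rec["user"], "image": rec["image"]})
    return out


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

The exclusion rule fires on the command line, so it catches the stager regardless of how the payload is later named; the third sample record shows why the broad-root escalation matters, since a single-directory exclusion is common in developer environments and only deserves a medium signal.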

The campaign was most active between September and October 2025. GitHub confirmed awareness of the issue on September 9, 2025, yet as of December 29, 2025 the technique remained reproducible. The malvertising focused on European users, but infections also occurred in Japan and other regions.

GMO Cybersecurity recommends downloading installers exclusively from official Releases pages and exercising extreme caution with sponsored search advertisements.

The campaign underscores how developer-targeting attacks leverage trusted platforms to distribute sophisticated malware, highlighting the critical importance of supply chain security in modern threat landscapes.