“GPUGate” Malware Abuses Google Ads and GitHub to Deliver Advanced Malware Payload


A sophisticated malware campaign, dubbed “GPUGate,” abuses Google Ads and GitHub’s repository structure to trick users into downloading malicious software.

According to the Arctic Wolf Cybersecurity Operations Center, the attack chain uses a novel technique to evade security analysis by leveraging a computer’s Graphics Processing Unit (GPU).

The campaign appears to be the work of a Russian-speaking threat actor and is actively targeting IT professionals in Western Europe.


The attack begins with malicious advertising, where attackers place a sponsored ad at the top of Google search results for terms like “GitHub Desktop.” This ad directs users to what appears to be a legitimate GitHub page.

Figure: Google search results for GitHub Desktop

In reality, the link leads to a specific, manipulated “commit” page within a repository. This page looks authentic, retaining the repository’s name and metadata, but contains altered download links that point to an attacker-controlled domain.

This “trust bridge” exploits the user’s confidence in both Google and GitHub to deliver the malicious payload.

What makes GPUGate particularly notable is its unique evasion method. The initial installer is a large 128 MB file, designed to bypass security sandboxes that often have file size limits.

Figure: weaponized GitHub Desktop

Its most innovative feature is a GPU-gated decryption routine. The malware will only decrypt its malicious payload if it detects a real, physical GPU with a device name longer than ten characters, Arctic Wolf said.

This is a deliberate tactic to thwart analysis, as the virtual machines and sandboxes used by security researchers often have generic, short GPU names or no GPU at all. On such systems, the payload remains encrypted and inert.

The primary goal of this campaign is to gain initial access to organizational networks for malicious activities, including credential theft, data exfiltration, and ransomware deployment.

By targeting developers and IT workers, individuals likely to seek tools like GitHub Desktop, the attackers aim for victims with elevated network privileges.

Once executed, the malware uses a PowerShell script to gain administrative rights, create scheduled tasks for persistence, and add exclusions to Windows Defender to avoid detection. The campaign has been active since at least December 2024 and represents an evolving and significant threat.
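As an added example (not code from the article or from Arctic Wolf), the following triage script scans constructed PowerShell script-block log lines for the three post-execution behaviours the article attributes to GPUGate (elevation, scheduled-task persistence, Windows Defender exclusions) and flags hosts that combine them. The log format, the event source and the regular expressions are assumptions to be adapted to your own telemetry.

```python
import re
from dataclasses import dataclass, field

# Behaviours the article attributes to the GPUGate PowerShell stage.
# The patterns are assumptions about how those actions typically appear in
# PowerShell script-block logging (Event ID 4104); tune them to your telemetry.
INDICATORS = {
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion\w+", re.I),
    "scheduled_task": re.compile(r"Register-ScheduledTask|schtasks(\.exe)?\s+/create", re.I),
    "elevation": re.compile(r"Start-Process\b.*-Verb\s+RunAs", re.I),
}

@dataclass
class Verdict:
    host: str
    hits: set = field(default_factory=set)

    @property
    def suspicious(self) -> bool:
        # Any two of the three behaviours on one host is worth a triage ticket;
        # each one alone is common enough in legitimate administration.
        return len(self.hits) >= 2

def triage(log_lines):
    """Group script-block lines by host and record which behaviours each host shows."""
    verdicts = {}
    for line in log_lines:
        host, _, script = line.partition("|")  # split only at the first separator
        verdict = verdicts.setdefault(host.strip(), Verdict(host.strip()))
        for name, pattern in INDICATORS.items():
            if pattern.search(script):
                verdict.hits.add(name)
    return verdicts

# Constructed sample lines in the form "<host>|<script block text>" (not real telemetry).
SAMPLE_LOG = [
    "WS-DEV-07|Start-Process powershell -Verb RunAs -ArgumentList '-File C:\\Users\\Public\\u.ps1'",
    "WS-DEV-07|Add-MpPreference -ExclusionPath 'C:\\Users\\Public'",
    "WS-DEV-07|Register-ScheduledTask -TaskName 'Updater' -Action $a -Trigger $t",
    "WS-HR-02|Get-ChildItem C:\\Reports | Measure-Object",
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LOG).items():
        print(host, "SUSPICIOUS" if verdict.suspicious else "ok", sorted(verdict.hits))
```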


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.