Sep 08, 2025Ravie LakshmananMalvertising / Encryption
Cybersecurity researchers have detailed a new sophisticated malware campaign that leverages paid ads on search engines like Google to deliver malware to unsuspecting users looking for popular tools like GitHub Desktop.
While malvertising campaigns have become commonplace in recent years, the latest activity gives it a little twist of its own: Embedding a GitHub commit into a page URL containing altered links that point to attacker-controlled infrastructure.
“Even when a link seems to point to a reputable platform such as GitHub, the underlying URL can be manipulated to resolve to a counterfeit site,” Arctic Wolf said in a report published last week.
Exclusively targeted IT and software development companies within Western Europe since at least December 2024, the links within the rogue GitHub commit are designed to funnel users to a malicious download hosted on a lookalike domain (“gitpage[.]app”).
The first-stage malware delivered using poisoned search results is a bloated 128 MB Microsoft Software Installer (MSI) that, owing to its size, evades most existing online security sandboxes, while a Graphics Processing Unit (GPU)-gated decryption routine keeps the payload encrypted on systems without a real GPU. The technique has been codenamed GPUGate.
“Systems without proper GPU drivers are likely to be virtual machines (VMs), sandboxes, or older analysis environments that security researchers commonly use,” the cybersecurity company said. “The executable […] uses GPU functions to generate an encryption key for decrypting the payload, and it checks the GPU device name as it does this.”
Besides incorporating several garbage files as a filler and complicating analysis, it also terminates execution if the device name is less than 10 characters or GPU functions are not available.
The attack subsequently entails the execution of a Visual Basic Script that launches a PowerShell script, which, in turn, runs with administrator privileges, adds Microsoft Defender exclusions, sets up scheduled tasks for persistence, and finally runs executable files extracted from a downloaded ZIP archive.
The end goal is to facilitate information theft and deliver secondary payloads, while simultaneously evading detection. It’s assessed that the threat actors behind the campaign have native Russian language proficiency, given the presence of Russian language comments in the PowerShell script.
Further analysis of the threat actor’s domain has revealed it to be acting as a staging ground for At…