Cybersecurity researchers at Arctic Wolf have spotted a new sophisticated malware campaign that leverages Google Ads, GitHub infrastructure, and GPU-based decryption to bypass traditional defenses. The attack technique has been dubbed “GPUGate.”
The threat actors behind GPUGate used malvertising to display fake ads at the top of Google search results, tricking users into downloading what appeared to be GitHub Desktop. Instead of being taken to a legitimate GitHub release, users were redirected via links embedded in a compromised GitHub repository to a malicious domain (gitpage[.]app).
“GitHub’s platform lets anyone view any commit in a repository’s history – a feature that is normally very useful for developers. But it can be abused. By embedding the commit hash into the page’s URL itself, an attacker can display a page that looks identical to the original repository, but contains their own changes. In this case, altered download links in the README file,” the company explained.
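The two signals described above, a page URL pinned to a raw commit hash and README download links that leave GitHub, can be checked mechanically. The following is an added example, not code from Arctic Wolf or from the article; the sample README, the example-org/example-repo repository name and the list of hosts treated as GitHub-owned are constructed assumptions, and the gitpage.app host is the domain the article names.

```python
import re
from urllib.parse import urlparse

# Constructed sample README (not the real repository's content): one link that
# looks like the GitHub Desktop download but leaves GitHub, one that stays on it.
SAMPLE_README = """\
# GitHub Desktop

[Download for Windows](https://gitpage.app/GitHubDesktopSetup-x64.msi)
[Release notes](https://github.com/example-org/example-repo/releases)
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
MD_LINK = re.compile(r"\[[^\]]*\]\((https?://[^)\s]+)\)")

# Hosts treated as GitHub-owned for the off-site check (assumption, not from the article).
GITHUB_HOSTS = ("github.com", "githubusercontent.com")


def classify_github_url(url: str) -> dict:
    """Split a github.com URL into owner, repo and ref, and flag a ref that is a
    full 40-hex commit hash: the repository is being viewed at an arbitrary
    commit rather than at a branch or tag the maintainers publish."""
    parsed = urlparse(url)
    parts = [p for p in parsed.path.split("/") if p]
    info = {"host": parsed.netloc.lower(), "owner": None, "repo": None,
            "ref": None, "pinned_commit": False}
    if info["host"] != "github.com" or len(parts) < 2:
        return info
    info["owner"], info["repo"] = parts[0], parts[1]
    # /owner/repo/tree/<ref>/..., /owner/repo/blob/<ref>/<path>, /owner/repo/commit/<sha>
    if len(parts) >= 4 and parts[2] in ("tree", "blob", "commit"):
        info["ref"] = parts[3]
        info["pinned_commit"] = bool(FULL_SHA.match(parts[3].lower()))
    return info


def offsite_links(readme_md: str, trusted=GITHUB_HOSTS) -> list:
    """Return markdown link targets whose host is neither a trusted host nor a
    subdomain of one (so a host like github.com.evil.example is not trusted)."""
    hits = []
    for url in MD_LINK.findall(readme_md):
        host = urlparse(url).netloc.lower()
        if not any(host == t or host.endswith("." + t) for t in trusted):
            hits.append(url)
    return hits


def triage(landing_url: str, readme_md: str) -> dict:
    """Combine both signals: a commit-pinned page URL plus README download
    links that leave GitHub. Either alone is common; together they match the
    pattern the article describes."""
    info = classify_github_url(landing_url)
    links = offsite_links(readme_md)
    return {"pinned_commit": info["pinned_commit"],
            "offsite_links": links,
            "suspicious": info["pinned_commit"] and bool(links)}


if __name__ == "__main__":
    url = "https://github.com/example-org/example-repo/tree/" + "ab" * 20
    print(triage(url, SAMPLE_README))
```

A pinned commit by itself is not malicious; developers link to commits all the time. The combination is what matters: a user who arrived from an ad, landed on a commit view rather than the repository's default branch, and is offered an installer hosted somewhere other than GitHub. The 40-hex check deliberately ignores abbreviated hashes, which a browser URL from an ad click would not normally carry.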
The malware is delivered as a bloated 128 MB Microsoft Installer (MSI) package, close enough to the real GitHub Desktop installer (160 MB) that the size itself raises no suspicion. The bloat has a second purpose: many online sandboxes cap the size of uploaded files, so the installer cannot be submitted to, or executed in, many of them. The package contains 171 executable files, more than 100 of which are “garbage files” added to confuse antivirus engines and analysts.
One notable aspect of GPUGate is that the campaign uses a GPU-gated decryption routine. The malware remains encrypted unless it detects a real Graphics Processing Unit (GPU) with a device name of at least ten characters.
This approach suggests that the threat actor is targeting users with higher-end hardware, likely developers, gamers, or cryptocurrency miners. It also means that analysis sandboxes and virtual machines, which typically expose no real GPU, never see the payload decrypt. Arctic Wolf believes the ultimate goal is initial access for credential theft, infostealing, or ransomware deployment.
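The gating described above, and why it defeats a sandbox that exposes no real GPU, can be modelled in a few lines. The following is an added example, not code from the GPUGate sample or from Arctic Wolf: the cipher is a toy SHA-256 keystream, the device lists are constructed, and the decryption key is assumed to be embedded alongside the payload so that the hardware check is the only thing standing between a scanner and plaintext. The ten-character threshold is the one the article reports. The `force_gate` function shows the analyst-side counter, which in a real sample means patching the conditional or hooking the device-enumeration call.

```python
import hashlib

MIN_NAME_LEN = 10  # threshold reported by Arctic Wolf


def gpu_gate_passes(device_names) -> bool:
    """The unlock condition as described: at least one enumerated GPU whose
    device name is MIN_NAME_LEN characters or longer. An empty list models a
    sandbox or VM that exposes no real GPU at all."""
    return any(len(name) >= MIN_NAME_LEN for name in device_names)


def _keystream(key: bytes, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream. Illustration only; the article says
    nothing about the cipher GPUGate actually uses."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed stand-ins (assumption): the key is embedded in the "binary" and
# the payload is a harmless string. On disk only STAGE2_ENCRYPTED exists, which
# is all a static scanner or a sandbox that fails the gate ever gets to see.
EMBEDDED_KEY = b"constructed-demo-key"
STAGE2_PLAINTEXT = b"echo stage2 # stand-in for the real decrypted payload"
STAGE2_ENCRYPTED = _xor(STAGE2_PLAINTEXT, _keystream(EMBEDDED_KEY, len(STAGE2_PLAINTEXT)))


def gated_decrypt(device_names, gate=gpu_gate_passes):
    """Return the decrypted payload only when the gate passes; otherwise the
    payload stays encrypted and None is returned."""
    if not gate(device_names):
        return None
    return _xor(STAGE2_ENCRYPTED, _keystream(EMBEDDED_KEY, len(STAGE2_ENCRYPTED)))


def force_gate(_device_names) -> bool:
    """Analyst-side bypass: the equivalent of patching the conditional jump or
    hooking the enumeration call so the check always succeeds."""
    return True


# Constructed device lists (not captured from real systems).
SANDBOX_NO_GPU = []
VM_SHORT_NAME = ["VGA"]
WORKSTATION = ["NVIDIA GeForce RTX 4070"]

if __name__ == "__main__":
    cases = [("sandbox", SANDBOX_NO_GPU), ("vm", VM_SHORT_NAME), ("workstation", WORKSTATION)]
    for label, devices in cases:
        print(label, gated_decrypt(devices))
    print("forced", gated_decrypt(SANDBOX_NO_GPU, gate=force_gate))
```

The practical consequence for detonation is that a sandbox which does not pass a real GPU through, or whose virtual display adapter reports a short name, produces a clean-looking run with no second stage. When a sample enumerates GPU devices before doing anything else, that call is the place to stub a plausible device name, or to patch the check as `force_gate` does, before expecting the payload to unpack.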
Analysis of the embedded PowerShell scripts revealed comments written in Russian, suggesting that the attackers are native Russian speakers. The campaign primarily targeted IT professionals in Western Europe.
“The threat actor behind this campaign appears to understand very well how malware analysis works. Traditionally, financially motivated malware coders (such as ransomware developers) have tried to make their code as compatible as possible with all available systems/OSes to maximize infection rates and their subsequent payouts. This malware takes the opposite approach – it deliberately excludes systems that don’t meet very specific hardware requirements,” Arctic Wolf said.