Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms

The Hacker News by The Hacker News
September 8, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Sep 08, 2025Ravie LakshmananMalvertising / Encryption

Cybersecurity researchers have detailed a new sophisticated malware campaign that leverages paid ads on search engines like Google to deliver malware to unsuspecting users looking for popular tools like GitHub Desktop.

While malvertising campaigns have become commonplace in recent years, the latest activity gives it a little twist of its own: Embedding a GitHub commit into a page URL containing altered links that point to attacker-controlled infrastructure.

“Even when a link seems to point to a reputable platform such as GitHub, the underlying URL can be manipulated to resolve to a counterfeit site,” Arctic Wolf said in a report published last week.

Exclusively targeted IT and software development companies within Western Europe since at least December 2024, the links within the rogue GitHub commit are designed to funnel users to a malicious download hosted on a lookalike domain (“gitpage[.]app”).

Audit and Beyond

The first-stage malware delivered using poisoned search results is a bloated 128 MB Microsoft Software Installer (MSI) that, owing to its size, evades most existing online security sandboxes, while a Graphics Processing Unit (GPU)-gated decryption routine keeps the payload encrypted on systems without a real GPU. The technique has been codenamed GPUGate.

“Systems without proper GPU drivers are likely to be virtual machines (VMs), sandboxes, or older analysis environments that security researchers commonly use,” the cybersecurity company said. “The executable […] uses GPU functions to generate an encryption key for decrypting the payload, and it checks the GPU device name as it does this.”

Besides incorporating several garbage files as a filler and complicating analysis, it also terminates execution if the device name is less than 10 characters or GPU functions are not available.

The attack subsequently entails the execution of a Visual Basic Script that launches a PowerShell script, which, in turn, runs with administrator privileges, adds Microsoft Defender exclusions, sets up scheduled tasks for persistence, and finally runs executable files extracted from a downloaded ZIP archive.

The end goal is to facilitate information theft and deliver secondary payloads, while simultaneously evading detection. It’s assessed that the threat actors behind the campaign have native Russian language proficiency, given the presence of Russian language comments in the PowerShell script.

Further analysis of the threat actor’s domain has revealed it to be acting as a staging ground for Atomic macOS Stealer (AMOS), suggesting a cross-platform approach.

“By exploiting GitHub’s commit structure and leveraging Google Ads, threat actors can convincingly mimic legitimate software repositories and redirect users to malicious payloads – bypassing both user scrutiny and endpoint defenses,” Arctic Wolf.

CIS Build Kits

The disclosure comes as Acronis detailed the ongoing evolution of a trojanized ConnectWise ScreenConnect campaign that uses the remote access software to drop AsyncRAT, PureHVNC RAT, and a custom PowerShell-based remote access trojan (RAT) on infected hosts in social engineering attacks aimed at U.S. organizations since March 2025.

The bespoke PowerShell RAT, executed by means of a JavaScript file downloaded from the cracked ScreenConnect server, provides some basic functionalities such as running programs, downloading and executing files, and a simple persistence mechanism.

“Attackers now use a ClickOnce runner installer for ScreenConnect, which lacks embedded configuration and instead fetches components at runtime,” the security vendor said. “This evolution makes traditional static detection methods less effective and complicates prevention, leaving defenders with few reliable options.”



Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Наушники с функцией контекстно-зависимого перевода на базе LLM для различения фонетически похожих фраз и датчиком костной проводимости Timekettle W4 AI Interpreter Earbuds дебютируют на IFA 2025

Наушники с функцией контекстно-зависимого перевода на базе LLM для различения фонетически похожих фраз и датчиком костной проводимости Timekettle W4 AI Interpreter Earbuds дебютируют на IFA 2025

Recommended.

DragonForce Exploits SimpleHelp Flaws to Deploy Ransomware Across Customer Endpoints

DragonForce Exploits SimpleHelp Flaws to Deploy Ransomware Across Customer Endpoints

May 29, 2025
Contractor Commerce brings rebate data to Instant Estimate software

Contractor Commerce brings rebate data to Instant Estimate software

March 23, 2026

Trending.

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

May 21, 2025
Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

April 23, 2025
MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

April 7, 2025
VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

September 11, 2025
Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

May 8, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio