A malicious software campaign called GPUGate is using Google Ads and GitHub to trick users into downloading malware. The malware uses a unique evasion technique that only allows its malicious code to be decrypted if it detects a real, physical graphics card, which helps it avoid detection in virtual machines and security sandboxes used by researchers.
The GPUGate campaign is actively targeting IT professionals and developers by leveraging a combination of malicious Google Ads and manipulated GitHub repositories. This attack is designed to gain initial access to organizational networks for activities such as credential theft, data exfiltration, and ransomware deployment. The campaign has been ongoing since at least December 2024 and appears to be the work of a Russian-speaking threat actor primarily focusing on targets in Western Europe. The attackers capitalize on user trust in reputable platforms like Google and GitHub to deliver their malicious payload.
The attack chain begins with malicious advertising on Google. The attackers place sponsored ads at the top of search results for popular software, such as “GitHub Desktop.” A user who clicks one of these ads lands on a page that looks authentic but is in fact a manipulated “commit” page inside a GitHub repository: it keeps the repository’s name and metadata to appear convincing, while its download links have been altered to point at a domain controlled by the attacker. This “trust bridge” exploits the user’s confidence in both Google’s search results and GitHub’s platform to deliver the malicious software.
What makes the GPUGate campaign particularly notable is its innovative evasion method, which involves the user’s graphics processing unit (GPU). The initial installer is a large 128 MB file, specifically designed to bypass security sandboxes that often enforce file size limits. Its most distinctive feature, however, is a GPU-gated decryption routine: the malware only decrypts and executes its payload if it detects a real, physical GPU with a device name longer than ten characters. This is a clever tactic to thwart analysis, because the virtual machines and sandboxes used by security researchers often expose generic, short GPU names or no GPU at all. On such systems the payload remains encrypted and inert, so it appears benign to automated analysis tools.
The campaign strategically targets developers and IT workers—individuals who are likely to have elevated network privileges and frequently search for tools like GitHub Desktop. Once the malware is executed on a victim’s system, it uses a PowerShell script to escalate privileges and gain administrative rights. To ensure persistence, the script creates scheduled tasks and adds exclusions to Windows Defender, making it more difficult to detect and remove. This final step secures the attacker’s foothold, allowing them to proceed with their malicious objectives.
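As an added example that is not part of the original article, the following Python snippet shows the kind of detection logic a defender could run over PowerShell Script Block Logging records (Event ID 4104) to catch the persistence steps described above: Windows Defender exclusions being added and scheduled tasks being registered. The log records, rule names, and triage thresholds are constructed for this example; they are not indicators taken from the GPUGate campaign.

```python
"""Detection of PowerShell-driven persistence steps (Defender exclusions,
scheduled-task registration, elevation attempts) over Script Block Logging
records. All records below are constructed sample data."""
import re
from dataclasses import dataclass

SCRIPT_BLOCK_EVENT_ID = 4104  # PowerShell Script Block Logging event

@dataclass
class Finding:
    record_id: int
    rule: str
    evidence: str  # the matched text, kept for the analyst

# Rule name -> regex over the logged script block text (case-insensitive).
RULES = [
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b", re.IGNORECASE)),
    ("scheduled_task_registered",
     re.compile(r"Register-ScheduledTask\b|schtasks(\.exe)?\s+/create\b", re.IGNORECASE)),
    ("privilege_elevation_attempt",
     re.compile(r"Start-Process\b[^\n]*-Verb\s+RunAs\b", re.IGNORECASE)),
]

def scan_script_block(record_id, text):
    """Return one Finding per rule match inside a single script block."""
    findings = []
    for name, pattern in RULES:
        for match in pattern.finditer(text):
            findings.append(Finding(record_id, name, match.group(0)))
    return findings

def scan_records(records):
    """Scan only 4104 records; other event types carry no script text of interest."""
    findings = []
    for rec in records:
        if rec["event_id"] != SCRIPT_BLOCK_EVENT_ID:
            continue
        findings.extend(scan_script_block(rec["record_id"], rec["script_block"]))
    return findings

def triage(findings):
    """Group findings per record and assign a severity.

    A record that both adds a Defender exclusion and registers a scheduled
    task matches the persistence pattern described in the article and is
    rated high; any single rule hit is rated medium.
    """
    rules_by_record = {}
    for f in findings:
        rules_by_record.setdefault(f.record_id, set()).add(f.rule)
    result = {}
    for record_id, rules in rules_by_record.items():
        high = {"defender_exclusion_added", "scheduled_task_registered"} <= rules
        result[record_id] = ("high" if high else "medium", sorted(rules))
    return result

# Constructed sample records (not real telemetry). Record 3 has a different
# event id and is deliberately skipped by scan_records.
SAMPLE_RECORDS = [
    {"record_id": 1, "event_id": 4104,
     "script_block": "Get-MpPreference | Select-Object ExclusionPath"},
    {"record_id": 2, "event_id": 4104,
     "script_block": "Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\updater'\n"
                     "Register-ScheduledTask -TaskName 'Updater' -Action $a -Trigger $t"},
    {"record_id": 3, "event_id": 4103,
     "script_block": "Add-MpPreference -ExclusionPath 'C:\\tmp'"},
    {"record_id": 4, "event_id": 4104,
     "script_block": "Start-Process powershell -Verb RunAs -ArgumentList '-File setup.ps1'"},
]

if __name__ == "__main__":
    for record_id, (severity, rules) in sorted(triage(scan_records(SAMPLE_RECORDS)).items()):
        print(f"record {record_id}: {severity} {rules}")
```

In production the records would come from the Microsoft-Windows-PowerShell/Operational channel rather than an inline list; the rules are intentionally narrow so that legitimate administration that only reads preferences (record 1) produces no alert, while the exclusion-plus-task combination is escalated.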
The GPUGate campaign represents a significant and evolving threat due to its sophisticated evasion techniques and targeted approach. By blending social engineering with technical ingenuity, the attackers have created a highly effective method for breaching organizational defenses. The use of a GPU check is a novel and effective way to bypass traditional security analysis tools, highlighting the constant need for organizations to adapt their cybersecurity strategies to combat new and innovative threats. Organizations should educate their employees about the risks of downloading software from unverified sources, even when they appear to be from trusted platforms.