Edward Kiledjian's Threat Intel

GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms

Cybersecurity researchers have uncovered a sophisticated malvertising campaign targeting IT and software development firms in Western Europe. It uses paid Google ads to lure users into downloading malware disguised as legitimate tools such as GitHub Desktop. The attackers abuse GitHub’s commit structure by embedding altered links that redirect to a look-alike domain, “gitpage[.]app”. The first-stage malware, a 128 MB MSI file, uses a GPU-gated decryption technique, dubbed GPUGate, that only unpacks its payload on a host with a physical GPU, which defeats analysis in virtual machines and sandboxes that lack one. Once executed, it launches scripts that disable Microsoft Defender protections, establish persistence, and deploy additional payloads for information theft. Evidence suggests the attackers are Russian-speaking and are also distributing the Atomic macOS Stealer, pointing to a cross-platform strategy. The campaign coincides with an evolving U.S.-focused attack that uses trojanized ConnectWise ScreenConnect software to deliver various remote access trojans, including a custom PowerShell RAT that fetches its components dynamically, complicating traditional detection and prevention efforts.
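As an added, defender-side example (not part of the original post and not the researchers' tooling), the script below hunts for two of the behaviours the summary describes: contact with the look-alike domain gitpage[.]app (and MSI installers fetched from hosts outside an allowlist), and PowerShell script blocks that disable Microsoft Defender or add exclusions. The proxy-log format, the installer-host allowlist and every sample log line are constructed assumptions for illustration; the cmdlets and parameters matched are real Defender commands.

```python
"""Hunt constructed proxy and PowerShell script-block logs for GPUGate-style behaviour.

Added example; not code from the original post. Log formats, the allowlist and
all sample lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Indicator named in the post (written defanged there as gitpage[.]app).
LOOKALIKE_DOMAIN = "gitpage.app"

# Assumption: hosts an organisation expects GitHub Desktop installers to come from.
# Populate this from your own software-distribution policy.
TRUSTED_INSTALLER_HOSTS = {"central.github.com", "desktop.githubusercontent.com"}

# Real Defender cmdlets/parameters that the post says the dropper's scripts abuse.
DEFENDER_TAMPER = {
    "defender_realtime_disabled": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(?:\$?true|1)\b", re.IGNORECASE),
    "defender_exclusion_added": re.compile(
        r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE),
    "defender_definitions_removed": re.compile(
        r"MpCmdRun(?:\.exe)?\b.*-RemoveDefinitions", re.IGNORECASE),
}


@dataclass
class Finding:
    rule: str
    evidence: str


def host_of(url: str) -> str:
    """Return the lower-cased host part of an http(s) URL."""
    return re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/", 1)[0].lower()


def scan_proxy_line(line: str) -> list[Finding]:
    """Constructed proxy format: <timestamp> <client> <method> <url> <status> <bytes>."""
    parts = line.split()
    if len(parts) < 6:
        return []
    url = parts[3]
    host = host_of(url)
    findings = []
    if host == LOOKALIKE_DOMAIN or host.endswith("." + LOOKALIKE_DOMAIN):
        findings.append(Finding("lookalike_domain_contact", line))
    # Triage aid: an MSI pulled from a host that is not an expected installer source.
    if url.lower().split("?", 1)[0].endswith(".msi") and host not in TRUSTED_INSTALLER_HOSTS:
        findings.append(Finding("installer_from_untrusted_host", line))
    return findings


def scan_scriptblock(text: str) -> list[Finding]:
    """Match one PowerShell script block (e.g. the text of a 4104 event) against tamper patterns."""
    return [Finding(rule, text) for rule, pat in DEFENDER_TAMPER.items() if pat.search(text)]


def scan_logs(proxy_lines, script_blocks) -> list[Finding]:
    findings = []
    for line in proxy_lines:
        findings.extend(scan_proxy_line(line))
    for block in script_blocks:
        findings.extend(scan_scriptblock(block))
    return findings


# Constructed sample input: one malicious download, one legitimate one, one benign request.
PROXY_LOG = [
    "2025-09-09T10:01:02Z 10.0.0.5 GET https://gitpage.app/downloads/setup.msi 200 134217728",
    "2025-09-09T10:03:15Z 10.0.0.7 GET https://central.github.com/deployments/desktop/desktop/latest/win32 200 118000000",
    "2025-09-09T10:05:00Z 10.0.0.5 GET https://example.org/index.html 200 5120",
]
# Constructed script-block text: two tampering commands and one harmless command.
SCRIPT_BLOCKS = [
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "Add-MpPreference -ExclusionPath 'C:\\Users\\Public'",
    "Get-Process | Sort-Object CPU",
]

if __name__ == "__main__":
    for f in scan_logs(PROXY_LOG, SCRIPT_BLOCKS):
        print(f"[{f.rule}] {f.evidence}")
```

The domain match is exact (including subdomains) so it stays precise; the untrusted-installer rule is deliberately broad and is meant as a triage filter to review alongside the script-block hits, not as a standalone alert.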