Cybersecurity researchers have uncovered a sophisticated malvertising campaign that abuses Google Ads to deliver malware disguised as legitimate software downloads, particularly targeting IT and software development firms across Western Europe.
Unlike typical malvertising tactics, this campaign introduces a unique twist: embedding a GitHub commit into manipulated URLs that redirect unsuspecting users to attacker-controlled infrastructure.
“Even when a link appears to lead to a trusted platform like GitHub, attackers can manipulate the underlying URL to send victims to a counterfeit site,” explained Arctic Wolf in a report released last week.
Malicious GitHub Commits and Fake Domains
Since at least December 2024, the attackers have lured users searching for tools like GitHub Desktop to a fraudulent domain (gitpage[.]app) hosting malicious downloads.
The initial payload is a bloated 128 MB Microsoft Software Installer (MSI) file; its sheer size lets it slip past many online sandbox environments. Once executed, the malware deploys a GPU-gated decryption technique—codenamed GPUGate—which ensures the payload remains encrypted unless the infected system has a legitimate graphics processing unit.
This method helps the attackers evade detection in virtual machines, sandboxes, and outdated research environments, which often lack proper GPU drivers.
Advanced Evasion Techniques
The executable uses GPU functions to generate decryption keys, verifying the GPU device name in the process. If GPU functions are unavailable or the device name is shorter than 10 characters, execution is immediately halted.
To further complicate analysis, the MSI file is padded with garbage data. Once running, the malware executes a Visual Basic Script, which triggers a PowerShell script with administrator privileges. This script:
- Creates exclusions in Microsoft Defender
- Establishes scheduled tasks for persistence
- Extracts and runs executables from a malicious ZIP archive
The ultimate objective is to steal information and deploy secondary payloads while staying undetected.
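The PowerShell stage described above leaves a recognisable trail: a Defender configuration change adding an exclusion, followed shortly by a new scheduled task. The following detection logic is an added example written for this article, not code from Arctic Wolf's report; it runs over constructed, simplified event records (not real Windows event XML), and the field layout and the "Exclusions" substring filter are assumptions chosen for readability.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs used by the rule: Defender configuration change (5007, in the
# Microsoft-Windows-Windows Defender/Operational log) and scheduled task
# created (4698, in the Security log when task auditing is enabled).
DEFENDER_CONFIG_CHANGED = 5007
TASK_CREATED = 4698
WINDOW = timedelta(minutes=10)

# Constructed sample records: (host, ISO timestamp, event id, message).
# The message is a simplified stand-in for the real event text.
SAMPLE_EVENTS = [
    ("ws01", "2025-09-02T10:00:05", 5007, "Exclusions\\Paths\\C:\\Users\\Public\\stage added"),
    ("ws01", "2025-09-02T10:00:09", 4698, "Task Name: \\Updater; Author: ws01\\user"),
    ("ws02", "2025-09-02T11:15:00", 5007, "Exclusions\\Paths\\C:\\Tools added"),
    ("ws02", "2025-09-02T14:30:00", 4698, "Task Name: \\Backup; Author: ws02\\admin"),
    ("ws03", "2025-09-02T09:00:00", 4698, "Task Name: \\Sync; Author: ws03\\svc"),
]


def parse(record):
    host, ts, event_id, detail = record
    return host, datetime.fromisoformat(ts), event_id, detail


def find_exclusion_then_task(events, window=WINDOW):
    """Return (host, exclusion_time, task_time, task_detail) for every
    scheduled-task creation that follows a Defender exclusion change on
    the same host within `window`. Events may arrive out of order."""
    by_host = defaultdict(list)
    for rec in events:
        host, ts, eid, detail = parse(rec)
        by_host[host].append((ts, eid, detail))
    hits = []
    for host, evs in by_host.items():
        evs.sort()                      # chronological per host
        exclusion_times = []
        for ts, eid, detail in evs:
            if eid == DEFENDER_CONFIG_CHANGED and "Exclusions" in detail:
                exclusion_times.append(ts)
            elif eid == TASK_CREATED:
                recent = [e for e in exclusion_times if timedelta(0) <= ts - e <= window]
                if recent:
                    hits.append((host, recent[-1], ts, detail))
    return hits


if __name__ == "__main__":
    for host, excl, task, detail in find_exclusion_then_task(SAMPLE_EVENTS):
        print(f"ALERT {host}: exclusion at {excl}, task at {task}: {detail}")
```

Only ws01 fires: ws02 has both event types but hours apart, and ws03 creates a task with no preceding exclusion change.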
Notably, Russian-language comments in the PowerShell script suggest the operators have native Russian proficiency.
Cross-Platform Capabilities
Further investigation revealed the threat actor’s domain is also linked to the Atomic macOS Stealer (AMOS), pointing to a cross-platform strategy aimed at both Windows and macOS users.
“By abusing GitHub’s commit structure and leveraging Google Ads, these actors can convincingly mimic legitimate repositories and redirect users to malicious downloads—bypassing user scrutiny and traditional endpoint defenses,” Arctic Wolf warned.
Related Threats: ScreenConnect Campaign Evolution
The GPUGate findings come as Acronis detailed new tactics in an ongoing trojanized ConnectWise ScreenConnect campaign. This operation has been active since March 2025, delivering malware such as AsyncRAT, PureHVNC RAT, and a custom PowerShell-based RAT to U.S. organizations through social engineering.
The custom PowerShell RAT enables basic capabilities like executing programs, downloading additional files, and maintaining persistence. According to researchers, attackers now employ a ClickOnce runner installer for ScreenConnect that downloads malicious components at runtime, making static detection methods less effective and complicating defensive efforts.
This campaign highlights the growing sophistication of malvertising attacks and the need for organizations to strengthen defenses against supply chain risks, third-party integrations, and novel evasion techniques.
Source: https://thehackernews.com/2025/09/gpugate-malware-uses-google-ads-and.html