GPUGate: Weaponizing Ads and GitHub to Outsmart Sandboxes

GPUGate: Weaponizing Ads and GitHub to Outsmart Sandboxes

Summary

In August 2025, a new malware campaign named GPUGate emerged, targeting technology and software development industries across Western Europe and EU member countries. The attack exploits the trust in GitHub repositories and Google Ads, tricking IT professionals into downloading a malicious GitHub Desktop installer lookalike.

What makes GPUGate unique is its GPU-gated decryption routine, activating only on systems with real GPUs and bypassing sandboxes or virtual machines. Once executed, GPUGate disables defenses, steals credentials, exfiltrates sensitive files, and lays the groundwork for ransomware deployment. This hardware-aware design, combined with malvertising, GitHub abuse, and geofencing, demonstrates a highly selective and sophisticated malware operation.

Attack Details

• Initial Infection: Attackers planted malicious Google Ads at the top of search results, redirecting users to fake domains disguised as legitimate GitHub pages.

• GitHub Abuse: Malicious links were embedded into README commits of real GitHub repositories, creating convincing but fraudulent download paths.

• Installer Deception: The fake installer, built on .NET Framework, mirrored the size of the legitimate GitHub Desktop installer. It contained hundreds of junk and decoy files to evade analysis, including a hidden 60+ MB .NET module resembling ransomware code.

• GPU-Gated Execution: The malware checked GPU device name length and driver functionality before decrypting its payload. Only systems with proper GPUs unlocked the second-stage decryption using AES-CBC encryption keys derived from GPU computations.

• Post-Execution Activity: GPUGate used PowerShell scripts to secure persistence, disable Windows Defender, and download additional payloads. It harvested credentials, accessed local files, and staged ransomware deployment.

• Infrastructure Links: Campaign infrastructure overlaps with Atomic Stealer, an infostealer used in European campaigns targeting IT professionals.

Recommendations

• Avoid Sponsored Ads: Do not download software via Google Ads. Manually type official domains or use GitHub’s Releases section.

• Verify GitHub Sources: Check links in repositories carefully; avoid downloading from commits or README files with embedded URLs.

• Deploy Layered Security: Update antivirus, EDR, and NGAV solutions. Use DNS filtering and browser protections to block phishing and malvertising sites.

• Strengthen Endpoint Monitoring: Implement behavioral analysis and ML-based security to detect unusual PowerShell execution, sideloaded files, or GPU-specific decryption attempts.

Indicators of Compromise (IoCs)

Domains

• gitpage[.]app

• fileisuwaiquw[.]icu

• poiwerpolymersinc[.]online

• git-freqtrade[.]com

• sleeposeirer[.]online

• chrome[.]browsers.it[.]com

• downloadingpage[.]my

• feelsifuyerza[.]com

• gfweoweiou[.]online

• polisywerqwe[.]xyz

• largetheory[.]com

• snapama[.]com

• hoohle[.]xyz

• ityreerrec[.]xyz

• 21ow[.]icu

• slepseetwork[.]online

• polwique[.]blog

• git-desktop[.]app

URLs

• hxxps[:]//gitpage[.]app/git/mac

• hxxps[:]//kololjrdtgted[.]click/zip.php

IPv4 Addresses

• 107[.]189[.]17[.]89

• 107[.]189[.]16[.]41

• 107[.]189[.]25[.]128

• 107[.]189[.]20[.]254

• 107[.]189[.]24[.]117

• 107[.]189[.]19[.]18

• 104[.]194[.]134[.]4

• 107[.]189[.]15[.]205

• 107[.]189[.]18[.]154

• 107[.]189[.]26[.]46

• 107[.]189[.]27[.]207

• 172[.]86[.]81[.]100

• 104[.]194[.]132[.]28

• 107[.]189[.]18[.]24

• 45[.]59[.]125[.]245

• 45[.]59[.]124[.]94

• 45[.]59[.]125[.]184

• 45[.]59[.]125[.]141

SHA256 Hashes

• ad07ffab86a42b4befaf7858318480a556a2e7c272604c3f1dcae0782339482e

• e4d63c9aefed1b16830fdfce831f27b8e5b904c58b9172496125ba9920c7405b

• 3746217c25d96bb7efe790fa78a73c6a61d4a99a8e51ae4c613efbb5be18c7b4

• b13d2ecb8b7fe2db43b641c30a7ca0f8b66f4fadb92401582ac2f8cc3f21a470

MITRE ATT&CK TTPs

• Initial Access: T1566 (Phishing), T1566.002 (Spearphishing Link), T1189 (Drive-by Compromise)

• Execution: T1059 (Command & Scripting Interpreter), T1059.001 (PowerShell), T1059.005 (Visual Basic)

• Persistence: T1053.005 (Scheduled Task), T1547.009 (Shortcut Modification)

• Privilege Escalation: T1548.002 (Bypass UAC), T1574.001 (DLL Hijacking)

• Defense Evasion: T1036.004 (Masquerade Task/Service), T1027.002 (Software Packing), T1140 (Deobfuscate/Decode)

• Credential Access: T1555.003 (Credentials from Web Browsers), T1552.001 (Credentials in Files)

• Discovery: T1518.001 (Security Software Discovery), T1083 (File/Directory Discovery)

• Collection: T1115 (Clipboard Data), T1005 (Data from Local System)

• Exfiltration: T1041 (Exfiltration over C2 Channel), T1020 (Automated Exfiltration)

• Command & Control: T1071.001 (Web Protocols), T1573.002 (Asymmetric Cryptography), T1102.001 (Dead Drop Resolver)

• Impact: T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery), T1497 (Sandbox Evasion)

References

• Arctic Wolf – GPUGate Malware Campaign