
GPUGate Malware: Malicious GitHub Desktop Implants Use Hardware-Specific Decryption, Abuse Google Ads to Target Western Europe

Published 08/09/2025 09:35 · Modified 08/09/2025 10:20


Essential information

Tags
2025-09-08 amos stealer anti-analysis gpu-gated decryption gpugate malvertising opencl western europe
Related entities
2 vulnerabilities (cve), 42 observables, 11 techniques (mitre), 2 malware, 1 others

Description

A sophisticated malware campaign dubbed 'GPUGate' has been uncovered, targeting Western European IT professionals through malicious Google Ads mimicking GitHub Desktop. The attack leverages GitHub's repository structure and a GPU-gated decryption mechanism to evade analysis. The malware, a 128 MB MSI file, contains over 100 dummy executables and employs OpenCL for hardware-specific decryption, ensuring that the payload is decrypted and executed only on systems with real GPUs. The campaign aims to gain initial access for credential theft and potential ransomware deployment. It demonstrates native Russian language proficiency and deep knowledge. The attackers' selective targeting and GPU-based evasion technique present significant challenges for traditional malware analysis methods, since sandboxes and virtual machines without a physical GPU never see the decrypted payload.

External references