GPUGate: The Supply Chain Attack That Hides Malware in Plain Sight
Researchers at Arctic Wolf have reported a new campaign, dubbed GPUGate, in which adversaries abuse Google Ads and manipulated GitHub commits to distribute malware to IT firms and developers across Western Europe. Active since at least December 2024, the operation poses as a download of GitHub Desktop, but the links lead to the look-alike domain gitpage[.]app, where a trojanized installer awaits.
The initial stage is a 128 MB MSI installer, a size chosen to exceed the upload limits of many online sandboxing services. The payload stays encrypted until the loader detects a fully functional GPU, which is the campaign's hallmark: analysis sandboxes and virtual machines typically expose no real graphics hardware, so the payload is never decrypted there. If no GPU drivers are present or a virtual environment is detected, execution halts immediately. To further frustrate analysis, the file is padded with large amounts of junk data.
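To make the gating concrete, here is a small model of environment-keyed decryption, added as an illustration and not taken from GPUGate or from Arctic Wolf's analysis. The article does not say how the loader ties decryption to the GPU; this model assumes, for illustration, that the key is derived from the GPU device-name string, so a host without a matching GPU can only produce garbage that fails an integrity check. The device names, the host descriptions and the "payload" bytes are all constructed.

```python
"""Model of GPU-keyed payload decryption (environmental keying).

Illustrative only: the GPUGate loader is not reproduced here. The
key-derivation step, the device names and the payload are constructed
to show why a sandbox without a real GPU never reaches the payload.
"""
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 tag appended to the ciphertext


def enumerate_gpu_names(environment):
    """Stand-in for real GPU enumeration through a graphics API.

    `environment` is a constructed dict describing the host; only devices
    with a loaded driver count as 'functional', mirroring the article's
    'no drivers present -> halt' condition.
    """
    return [d["name"] for d in environment.get("gpus", []) if d.get("driver_loaded")]


def derive_key(device_name):
    """Bind the key to a hardware identifier (assumed here: the device name).

    The key never ships with the sample, so static analysis of the binary
    alone cannot recover the payload.
    """
    return hashlib.sha256(device_name.encode("utf-8")).digest()


def keystream(key, length):
    """Counter-mode keystream built from SHA-256 (stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_payload(plaintext, device_name):
    """Operator side: encrypt and authenticate the payload under the GPU-bound key."""
    key = derive_key(device_name)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    tag = hmac.new(key, plaintext, hashlib.sha256).digest()
    return ciphertext + tag


def try_decrypt(blob, device_name):
    """Loader side: return the plaintext on matching hardware, else None."""
    key = derive_key(device_name)
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, keystream(key, len(ciphertext))))
    # Wrong hardware -> wrong key -> tag mismatch; the loader learns nothing usable.
    if not hmac.compare_digest(hmac.new(key, plaintext, hashlib.sha256).digest(), tag):
        return None
    return plaintext


def gated_stage(blob, environment):
    """No functional GPU, or no GPU the payload was keyed to: execution stops."""
    for name in enumerate_gpu_names(environment):
        plaintext = try_decrypt(blob, name)
        if plaintext is not None:
            return plaintext
    return None


# Constructed sample data (not real indicators)
EXPECTED_GPU = "Example Discrete GPU 8GB"
STAGE2 = b"stage2: next-stage loader bytes"
BLOB = encrypt_payload(STAGE2, EXPECTED_GPU)

WORKSTATION = {"gpus": [{"name": EXPECTED_GPU, "driver_loaded": True}]}
SANDBOX_NO_GPU = {"gpus": []}
SANDBOX_VIRTUAL_GPU = {"gpus": [{"name": "Basic Display Adapter", "driver_loaded": True}]}
```

The consequence for analysts is that detonating the sample in a GPU-less sandbox shows only the gate, not the payload: the second stage has to be recovered on hardware that satisfies the check, or by supplying the expected hardware identifier to the loader during analysis.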
Once launched, the malware runs a chain of scripts: a VBScript invokes PowerShell, which escalates privileges, excludes its own components from Microsoft Defender scanning, creates scheduled tasks for persistence, and unpacks an archive containing the primary executables. Subsequent stages focus on data theft and the deployment of additional malicious modules.
Investigators also found that the attackers' infrastructure hosted the Atomic macOS Stealer (AMOS), suggesting a deliberate cross-platform strategy aimed at both Windows and Apple devices. Particularly notable is the manipulation of GitHub commit structures to disguise malicious links: a URL can appear legitimate in the commit while covertly sending the user to a spoofed page, slipping past both user scrutiny and automated defenses.
Separately, researchers at Acronis disclosed details of another campaign that abuses ConnectWise ScreenConnect, a legitimate remote-support tool. In these attacks, adversaries deploy a trio of threats: AsyncRAT, PureHVNC RAT, and a custom PowerShell trojan capable of launching applications, fetching and executing payloads, and maintaining persistence. Distribution relies on a ScreenConnect ClickOnce installer that carries no embedded configuration and loads its components dynamically at runtime, which significantly complicates both static analysis and detection.