GPUGate Malware: Malicious GitHub Desktop Implants Use Hardware-Specific Decryption, Abuse Google Ads to Target Western Europe

Sept. 8, 2025, 10:20 a.m.

Description

A sophisticated malware campaign dubbed 'GPUGate' has been uncovered, targeting Western European IT professionals through malicious Google Ads that mimic GitHub Desktop. The attack leverages GitHub's repository structure and a GPU-gated decryption mechanism to evade analysis. The malware, a 128 MB MSI file, contains over 100 dummy executables and uses OpenCL for hardware-specific decryption, so that the payload is decrypted and run only on systems with a real GPU (sandboxes and analysis VMs without one never reach the decrypted code). The campaign aims to gain initial access for credential theft and potential ransomware deployment. The campaign shows evidence of native Russian language proficiency and deep anti-analysis knowledge. The attackers' selective targeting and GPU-based evasion technique present significant challenges for traditional malware analysis methods.

Date

  • Created: Sept. 8, 2025, 9:35 a.m.
  • Published: Sept. 8, 2025, 9:35 a.m.
  • Modified: Sept. 8, 2025, 10:20 a.m.

Indicators


Attack Patterns

Additional Information

  • Technology

Linked vulnerabilities