The More Powerful Your PC, the More Vulnerable You Are. The Paradox of the GPUGate Attack Targeting Gamers and Developers

ExcalibuR

A simple hardware upgrade could well become a ticket into your system.

Researchers from Arctic Wolf have reported a new campaign, dubbed GPUGate, in which threat actors use Google ads and fake GitHub commits to distribute malware to IT companies and developers in Western Europe. The attacks have been observed since at least December 2024 and are disguised as downloads for GitHub Desktop; however, the links lead to the fake domain "gitpage[.]app", which hosts an infected distribution.

The first stage of infection begins with downloading a fake MSI installer, 128 MB in size. This specific size is intentionally chosen to bypass many online sandboxes. Inside, the encrypted code is activated only if a full-fledged graphics adapter is present—this GPU-dependent decryption mechanism is a key feature of the scheme. If drivers are missing or a virtual environment is detected, execution stops. Additionally, the file contains a large amount of "junk" data to complicate analysis.

Upon execution, the malware runs a chain of scripts: a VBScript initiates PowerShell, which obtains administrator privileges, disables Microsoft Defender checks for its components, creates scheduled tasks for persistence, and unpacks an archive containing the main set of executable files. Subsequent actions are aimed at data theft and downloading additional malicious modules.
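The script chain described above (elevation, Defender exclusions, scheduled-task persistence, archive unpacking) is a sequence defenders can correlate in PowerShell script-block logging. The following is an added example, not code from the article or from Arctic Wolf: it runs simple per-stage patterns over constructed script-block lines and raises a verdict only when the stages appear together. The sample lines, the cmdlet choices (Add-MpPreference, Register-ScheduledTask, Expand-Archive) and the scoring thresholds are assumptions; the article does not publish the campaign's actual commands.

```python
import re

# Constructed sample PowerShell script-block lines (the kind Windows records as Event ID 4104).
# They are illustrative stand-ins for the stages the article describes; the article does
# not publish the campaign's commands, so none of these lines is real GPUGate telemetry.
SAMPLE_SCRIPT_BLOCKS = [
    "Start-Process powershell -Verb RunAs -ArgumentList '-ep bypass -w hidden -f C:\\Users\\Public\\stage2.ps1'",
    "Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\gh' -ExclusionProcess 'updater.exe'",
    "Register-ScheduledTask -TaskName 'GitHubDesktopUpdate' -Trigger (New-ScheduledTaskTrigger -AtLogOn) "
    "-Action (New-ScheduledTaskAction -Execute 'C:\\Users\\Public\\gh\\updater.exe')",
    "Expand-Archive -Path 'C:\\Users\\Public\\gh\\payload.zip' -DestinationPath 'C:\\Users\\Public\\gh'",
    "Get-ChildItem -Path C:\\Projects -Recurse | Measure-Object",  # benign admin activity
]

# One pattern per stage of the chain. Each stage on its own is ordinary administration;
# the combination within one session is what makes the sequence worth an alert.
STAGE_PATTERNS = {
    "elevation": re.compile(r"-Verb\s+RunAs", re.I),
    "hidden_or_bypass": re.compile(r"-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass", re.I),
    "defender_exclusion": re.compile(
        r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)|Set-MpPreference\b.*-Disable", re.I),
    "scheduled_task": re.compile(r"Register-ScheduledTask\b|schtasks(\.exe)?\s+/create", re.I),
    "archive_unpack": re.compile(r"Expand-Archive\b|\[IO\.Compression\.ZipFile\]", re.I),
}


def classify(script_block: str) -> set[str]:
    """Return the set of stage names whose pattern matches a single script block."""
    return {name for name, pat in STAGE_PATTERNS.items() if pat.search(script_block)}


def score_chain(script_blocks: list[str]) -> dict:
    """Correlate stages across the script blocks of one host or session.

    Verdict is 'suspicious' when a Defender exclusion and a persistence task appear
    together, or when three or more distinct stages are present; otherwise 'benign'.
    The thresholds are an assumption for this example, not a published rule.
    """
    stages: dict[str, list[int]] = {}
    for idx, block in enumerate(script_blocks):
        for name in classify(block):
            stages.setdefault(name, []).append(idx)
    hit = set(stages)
    suspicious = ({"defender_exclusion", "scheduled_task"} <= hit) or len(hit) >= 3
    return {"stages": stages, "verdict": "suspicious" if suspicious else "benign"}


if __name__ == "__main__":
    result = score_chain(SAMPLE_SCRIPT_BLOCKS)
    for name, lines in sorted(result["stages"].items()):
        print(f"{name:20s} script blocks {lines}")
    print("verdict:", result["verdict"])
```

The correlation window matters more than any single pattern: an exclusion added by an administrator, or a scheduled task registered by a legitimate installer, should not fire alone, so the example only escalates when the stages co-occur.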

The researchers also found that the attackers' infrastructure was used to host the Atomic macOS Stealer (AMOS), indicating a cross-platform approach. Thus, the attackers' targets are not only Windows environments but also Apple devices. Of particular interest is the use of the GitHub commit structure to substitute links: even if an address visually points to a legitimate resource, it actually redirects to a fake page, bypassing checks by both users and security systems.
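The link substitution described above, where the visible text names github.com but the target is the fake domain, can be caught mechanically by comparing the host a link displays with the host it actually resolves to. The following is an added example, not code from the article or from Arctic Wolf: it scans a constructed markdown snippet of the kind found in commit messages or release notes and reports every link whose display text names one host while the href points to another. The sample text, organisation and paths are invented; the gitpage[.]app domain is the one the article names.

```python
import re
from urllib.parse import urlparse

# Constructed sample markdown, as it might appear in a commit message or release note.
# The first link is modelled on the article's description of the lure; the domain is the
# one the article names, while the org, repo and file names are invented for this example.
SAMPLE_MARKDOWN = """\
Release 3.4.1

Installer: [https://github.com/apps/desktop](https://gitpage.app/download/GitHubDesktopSetup.msi)
Docs: [contributing guide](https://github.com/example-org/example/blob/main/CONTRIBUTING.md)
Mirror: [github.com/example-org/example/releases](https://github.com/example-org/example/releases)
"""

# Markdown link: [display text](http(s)://target)
MD_LINK = re.compile(r"\[([^\]]+)\]\((https?://[^)\s]+)\)")
# Display text "looks like" a URL when it opens with an optional scheme followed by a hostname.
DISPLAY_HOST = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:?#]|$)", re.I)


def normalize_host(host: str) -> str:
    """Lower-case the host, drop a trailing dot and a leading 'www.' so equal hosts compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def find_deceptive_links(markdown: str) -> list[dict]:
    """Return links whose visible text names one host but whose target is a different host."""
    findings = []
    for m in MD_LINK.finditer(markdown):
        display, href = m.group(1).strip(), m.group(2)
        shown = DISPLAY_HOST.match(display)
        if not shown:
            continue  # plain words as link text cannot visually impersonate a host
        shown_host = normalize_host(shown.group(1))
        real_host = normalize_host(urlparse(href).hostname or "")
        if shown_host != real_host:
            findings.append({"display": display, "href": href,
                             "shown_host": shown_host, "real_host": real_host})
    return findings


if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_MARKDOWN):
        print(f"display shows {f['shown_host']!r} but target is {f['real_host']!r}: {f['href']}")
```

The check deliberately ignores links whose text is ordinary prose ("contributing guide"), because only URL-looking text can visually impersonate a destination; a stricter policy for a CI bot could additionally require every href in release notes to stay on an allow-listed set of hosts.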

In parallel, experts from Acronis published data on the development of another campaign related to the compromise of ConnectWise ScreenConnect. During these attacks, attackers upload three malware strains to infected hosts at once: AsyncRAT, PureHVNC RAT, and their own PowerShell trojan. The latter is capable of launching programs, downloading and executing files, and ensuring access persistence. For distribution, a ClickOnce installer for ScreenConnect is used, which contains no configuration and dynamically loads components, complicating static analysis and detection.
 