Cybersecurity researchers have detailed a brand new subtle malware marketing campaign that leverages paid adverts on search engines like google like Google to ship malware to unsuspecting customers searching for in style instruments like GitHub Desktop.
Whereas malvertising campaigns have develop into commonplace lately, the most recent exercise offers it a bit of twist of its personal: Embedding a GitHub commit right into a web page URL containing altered hyperlinks that time to attacker-controlled infrastructure.
“Even when a hyperlink appears to level to a good platform akin to GitHub, the underlying URL may be manipulated to resolve to a counterfeit web site,” Arctic Wolf mentioned in a report printed final week.
Completely focused IT and software program improvement corporations inside Western Europe since at the least December 2024, the hyperlinks throughout the rogue GitHub commit are designed to funnel customers to a malicious obtain hosted on a lookalike area (“gitpage[.]app”).
The primary-stage malware delivered utilizing poisoned search outcomes is a bloated 128 MB Microsoft Software program Installer (MSI) that, owing to its dimension, evades most present on-line safety sandboxes, whereas a Graphics Processing Unit (GPU)-gated decryption routine retains the payload encrypted on programs with no actual GPU. The approach has been codenamed GPUGate.
“Programs with out correct GPU drivers are prone to be digital machines (VMs), sandboxes, or older evaluation environments that safety researchers generally use,” the cybersecurity firm mentioned. “The executable […] makes use of GPU features to generate an encryption key for decrypting the payload, and it checks the GPU gadget identify because it does this.”
Apart from incorporating a number of rubbish information as a filler and complicating evaluation, it additionally terminates execution if the gadget identify is lower than 10 characters or GPU features will not be obtainable.
The assault subsequently entails the execution of a Visible Fundamental Script that launches a PowerShell script, which, in flip, runs with administrator privileges, provides Microsoft Defender exclusions, units up scheduled duties for persistence, and eventually runs executable information extracted from a downloaded ZIP archive.
The tip aim is to facilitate info theft and ship secondary payloads, whereas concurrently evading detection. It is assessed that the risk actors behind the marketing campaign have native Russian language proficiency, given the presence of Russian language feedback within the PowerShell script.
Additional evaluation of the risk actor’s area has revealed it to be appearing as a staging floor for Atomic macOS Stealer (AMOS), suggesting a cross-platform strategy.
“By exploiting GitHub’s commit construction and leveraging Google Adverts, risk actors can convincingly mimic respectable software program repositories and redirect customers to malicious payloads – bypassing each person scrutiny and endpoint defenses,” Arctic Wolf.
The disclosure comes as Acronis detailed the continuing evolution of a trojanized ConnectWise ScreenConnect marketing campaign that makes use of the distant entry software program to drop AsyncRAT, PureHVNC RAT, and a customized PowerShell-based distant entry trojan (RAT) on contaminated hosts in social engineering assaults aimed toward U.S. organizations since March 2025.
The bespoke PowerShell RAT, executed by way of a JavaScript file downloaded from the cracked ScreenConnect server, supplies some fundamental functionalities akin to operating packages, downloading and executing information, and a easy persistence mechanism.
“Attackers now use a ClickOnce runner installer for ScreenConnect, which lacks embedded configuration and as a substitute fetches elements at runtime,” the safety vendor mentioned. “This evolution makes conventional static detection strategies much less efficient and complicates prevention, leaving defenders with few dependable choices.”
