GPUGate Malware Shows Hardware-Specific Evasion Tactics: Arctic Wolf
Attackers are abusing GitHub together with paid Google Ads placements to distribute malware named GPUGate in a phishing campaign aimed at IT workers in Western Europe. The malware poses as a GitHub Desktop installer to trick users into downloading it, and uses the GPU for decryption to evade sandbox detection. 2025-9-9 14:14:41 Author: securityboulevard.com (view original) Views: 4

Threat actors have been using GitHub’s repository structure in tandem with paid placements on Google Ads to drop a unique malware that includes expansive detection evasion features in a campaign targeting IT workers in Western Europe.

The attackers, who appear to be fluent in Russian, likely launched the campaign – dubbed “GPUGate” – to gain initial access to organizations’ networks, steal credentials and other information, and deploy ransomware, according to threat researchers with Arctic Wolf.

They targeted the IT workers by misleading them into downloading the malware when trying to install GitHub Desktop.


“By exploiting GitHub’s commit structure and leveraging Google Ads, threat actors can convincingly mimic legitimate software repositories and redirect users to malicious payloads – bypassing both user scrutiny and endpoint defenses,” they wrote in a report this week.

The use of GitHub’s repository structure and the Google Ads placements is designed to give the campaign an air of legitimacy. The Google ad pointed to a commit-specific GitHub URL, which made the download appear to come from an official source.

“Paid search and display ads can be weaponized by bad actors to distribute malicious payloads at scale, misleading users who rely on search engines for discovery,” they wrote. “The first step of this attack chain is malvertising (malicious advertising). In this case, the attackers created a Google Ad that appears at the very top of real Google search results – in the coveted ‘sponsored’ position that users often trust implicitly.”

Trust in Search Results

When searching for “GitHub Desktop,” users expect the first result – particularly when it’s “sponsored” and shows the GitHub brand – to be legitimate. The bad actors are using GitHub’s infrastructure rather than hosting a fake GitHub site. GitHub lets anyone view a commit – or change – in the repository’s history. The attackers embedded the commit hash into the page’s URL, which allowed them to display a page that looks identical to the original but contains the bad actors’ changes.

In the case of GPUGate, those changes included altered download links in the README file that led victims to a malicious download page, according to the researchers, who first detected the campaign in August. The campaign is still active, they added.
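The legitimacy trick described above rests on a detail that is easy to check mechanically: a link that tracks a branch (`/blob/main/README.md`) shows the maintainers’ current content, while a link pinned to a commit hash shows whatever that one commit contains. The following Python is an added example written for this article, not code from Arctic Wolf or from GitHub; the sample links are constructed, the repository names are placeholders, and the rule that a 7-to-40-character hexadecimal path segment in the `tree`, `blob` or `commit` position is a commit pin is an assumption about how GitHub URLs are laid out. It shows how a mail or web-proxy filter could flag commit-pinned GitHub links arriving from ads or messages for closer review.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample links (not taken from the Arctic Wolf report). The first
# two and the last view the repository at an arbitrary commit; the rest track
# the default branch, as a legitimate documentation or ad link normally would.
SAMPLE_LINKS = [
    "https://github.com/example-org/example-repo/blob/0123456789abcdef0123456789abcdef01234567/README.md",
    "https://github.com/example-org/example-repo/tree/0123456789abcdef0123456789abcdef01234567",
    "https://github.com/example-org/example-repo",
    "https://github.com/example-org/example-repo/blob/main/README.md",
    "https://github.com/example-org/example-repo/releases/latest",
    "https://raw.githubusercontent.com/example-org/example-repo/0123456789abcdef0123456789abcdef01234567/README.md",
]

# GitHub object ids are SHA-1 hex; abbreviated (7+ char) forms also resolve.
# Assumption: a branch named entirely in hex digits would be misflagged,
# which is an acceptable false positive for a review queue.
COMMIT_LIKE = re.compile(r"^[0-9a-f]{7,40}$")

def commit_pinned_ref(url: str) -> Optional[str]:
    """Return the commit hash a GitHub URL is pinned to, or None when the
    URL tracks a branch, the repo root, or is not a GitHub content view."""
    parsed = urlparse(url)
    parts = [p for p in parsed.path.split("/") if p]
    if parsed.hostname in ("github.com", "www.github.com"):
        # Layout: /<owner>/<repo>/<view>/<ref>/...
        if len(parts) < 4 or parts[2] not in ("tree", "blob", "commit", "commits"):
            return None
        ref = parts[3]
    elif parsed.hostname == "raw.githubusercontent.com":
        # Layout: /<owner>/<repo>/<ref>/<path>
        if len(parts) < 4:
            return None
        ref = parts[2]
    else:
        return None
    ref = ref.lower()
    return ref if COMMIT_LIKE.match(ref) else None

def triage_links(urls: List[str]) -> Dict[str, Optional[str]]:
    """Map each URL to the commit it is pinned to (None = not pinned)."""
    return {u: commit_pinned_ref(u) for u in urls}

if __name__ == "__main__":
    for url, pin in triage_links(SAMPLE_LINKS).items():
        print(("PINNED " + pin[:12] if pin else "branch ") + "  " + url)
```

A pinned link is not malicious by itself; release notes and bug reports pin commits all the time. The useful signal is context: a sponsored search result or an unsolicited message that sends a user to a commit-pinned README rather than the repository’s default branch is the pattern the report describes, and that combination is what a filter should escalate.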

A Bulky, Bloated Malware

The malware itself is a 128MB Microsoft Software Installer (MSI) that the researchers said can get around most sandboxes. It also includes a GPU-gated decryption routine that keeps the payload encrypted on systems that don’t have a real GPU. The MSI file mimics the real GitHub Desktop installer but also bundles 100 dummy executables, inflating its size past the limits that sandboxes impose on submitted samples.
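Padding an installer with filler executables is cheap for the attacker but leaves a measurable footprint in the extracted contents. The Python below is an added example for this article, not Arctic Wolf’s tooling and not a description of GPUGate’s actual filler files (the report does not say what the dummy executables contain). The inventory is constructed in memory to stand in for files extracted from an installer, and the thresholds (20 or more executables, half of them duplicated or low-entropy) are assumptions chosen for illustration. It shows two signals a triage script can compute offline: byte-identical executables, found by hashing, and executables whose content is near-zero entropy.

```python
import hashlib
import math
from collections import Counter
from typing import Dict, Tuple

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive filler, near 8 for packed code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def constructed_inventory() -> Dict[str, bytes]:
    """Constructed stand-in for an installer's extracted files: one varied
    'real' executable, 100 identical zero-filled ones, and a text file."""
    inv = {"GitHubDesktop-stub.exe": b"MZ" + bytes(range(256)) * 8}
    filler = b"MZ" + b"\x00" * 4096
    for i in range(100):
        inv[f"tools/helper{i:03d}.exe"] = filler
    inv["README.txt"] = b"placeholder documentation"
    return inv

def padding_report(inventory: Dict[str, bytes],
                   exe_suffixes: Tuple[str, ...] = (".exe", ".dll"),
                   entropy_floor: float = 1.0) -> dict:
    """Summarise indicators that an installer is bulked up with filler
    executables: how many executables there are, how many are byte-identical
    to another, how many are low-entropy, and the share of total bytes that
    such filler accounts for."""
    exes = {p: b for p, b in inventory.items() if p.lower().endswith(exe_suffixes)}
    digest_of = {p: hashlib.sha256(b).hexdigest() for p, b in exes.items()}
    seen = Counter(digest_of.values())
    duplicates = [p for p, d in digest_of.items() if seen[d] > 1]
    low_entropy = [p for p, b in exes.items() if shannon_entropy(b) < entropy_floor]
    total = sum(len(b) for b in inventory.values())
    filler_bytes = sum(len(exes[p]) for p in set(duplicates) | set(low_entropy))
    return {
        "executables": len(exes),
        "duplicate_executables": len(duplicates),
        "low_entropy_executables": len(low_entropy),
        "filler_fraction": round(filler_bytes / total, 3) if total else 0.0,
        # Assumed thresholds for illustration, not values from the report.
        "suspicious": len(exes) >= 20
                      and len(duplicates) + len(low_entropy) >= len(exes) // 2,
    }

if __name__ == "__main__":
    for key, value in padding_report(constructed_inventory()).items():
        print(f"{key:24} {value}")
```

If the filler were random bytes rather than zeros, the entropy check would stay silent and only the duplicate and count signals would remain, so the counts are worth reporting even when both content checks come back empty. Either way, an installer whose bulk is made of executables the install script never references is a reason to raise the sandbox’s submission limit for that sample rather than skip it.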

The GPU-gated routine is an OpenCL kernel that derives the AES key used to decrypt the payload, so decryption only proceeds on machines that have a real GPU.

“The GPU-based decryption mechanism suggests the attackers are targeting systems with specific hardware configurations, potentially focusing on users involved in development, gaming, or cryptocurrency mining activities,” the researchers wrote.

A New Approach

The creators of the malware seem to understand malware analysis, they added.

“Traditionally, financially motivated malware coders (such as ransomware developers) have tried to make their code as compatible as possible with all available systems/OSes to maximize infection rates and their subsequent payouts,” they wrote. “This malware takes the opposite approach – it deliberately excludes systems that don’t meet very specific hardware requirements.”

The reason is that systems that don’t have GPU drivers are more likely to be virtual machines, sandboxes, or older analysis environments that security teams tend to use. In this case, the executable “uses GPU functions to generate an encryption key for decrypting the payload, and it checks the GPU device name as it does this. If the device name is less than 10 characters, the program terminates. If GPU functions are not available, the program also terminates,” the researchers wrote.
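The two termination conditions quoted above translate directly into a checklist for anyone building an analysis environment for this sample. The Python below is an added example for this article; it is not Arctic Wolf’s code and does not reproduce GPUGate’s key derivation, which the report does not detail. It models only the documented gate (no GPU functions, or a device name shorter than 10 characters, means the program exits before decryption) alongside the 128MB sample size, and the sandbox profiles are constructed placeholders rather than measurements of any real product.

```python
from typing import Dict, List, Optional

# Constructed sandbox profiles, not measurements of any real product.
SANDBOX_PROFILES: Dict[str, dict] = {
    "headless-vm":          {"max_upload_mb": 100, "gpu_device_name": None},
    "basic-display-vm":     {"max_upload_mb": 200, "gpu_device_name": "VGA"},
    "gpu-passthrough-host": {"max_upload_mb": 500,
                             "gpu_device_name": "Example Vendor Graphics Adapter"},
}

SAMPLE_SIZE_MB = 128  # size of the GPUGate MSI as reported by Arctic Wolf

def gpu_gate_passes(device_name: Optional[str]) -> bool:
    """Model the gate the report describes: if GPU functions are unavailable
    (no device) the program terminates; if the device name is shorter than
    10 characters it also terminates. Only then does decryption proceed."""
    return device_name is not None and len(device_name) >= 10

def blockers(sample_size_mb: int, profile: dict) -> List[str]:
    """List the reasons this sample would never reach its payload in the
    given environment; an empty list means the environment is adequate."""
    reasons = []
    if sample_size_mb > profile["max_upload_mb"]:
        reasons.append("sample exceeds sandbox upload limit")
    if not gpu_gate_passes(profile["gpu_device_name"]):
        reasons.append("GPU gate would terminate before payload decryption")
    return reasons

def readiness(sample_size_mb: int = SAMPLE_SIZE_MB,
              profiles: Dict[str, dict] = SANDBOX_PROFILES) -> Dict[str, List[str]]:
    """Evaluate every profile against the sample's evasion conditions."""
    return {name: blockers(sample_size_mb, p) for name, p in profiles.items()}

if __name__ == "__main__":
    for name, reasons in readiness().items():
        print(f"{name:22} {'OK' if not reasons else '; '.join(reasons)}")
```

The point of the exercise is the third profile: only an environment that both accepts the oversized installer and exposes a GPU device with a realistic name would ever execute the decrypted payload, which is exactly the “specialized infrastructure” the researchers say analysts are now forced to deploy. A sandbox that merely emulates a display adapter with a terse device string fails the gate as surely as one with no GPU at all.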

Specific Targeting of EU IT Workers

The targeting of European IT workers is deliberate, including the use of malvertising customized for specific EU countries, developer-specific keywords, and Google Ads placed under the topic category “computers and consumer electronics.”

“These individuals often serve as gatekeepers to highly sensitive codebases, deployment pipelines, and infrastructure credentials,” Arctic Wolf wrote.

The design of the attack illustrates an evolution in tactics beyond those used by traditional threat actors and may foreshadow similar campaigns in the future.

“The GPU-gated evasions and decryption mechanism fundamentally challenge traditional malware analysis methodologies, especially those used by traditional sandboxes,” the researchers wrote. “By requiring specific hardware configurations for payload decryption, GPUGate renders standard sandbox environments ineffective and forces analysts to deploy specialized infrastructure for investigation. This shift may inspire broader adoption of hardware-dependent evasion techniques across the threat landscape.”

Article source: https://securityboulevard.com/2025/09/gpugate-malware-shows-hardware-specific-evasion-tactics-arctic-wolf/?utm_source=rss&utm_medium=rss&utm_campaign=gpugate-malware-shows-hardware-specific-evasion-tactics-arctic-wolf