Cybersecurity researchers have detailed a new sophisticated malware campaign that leverages paid ads on search engines like Google to deliver malware to unsuspecting users looking for popular tools like GitHub Desktop.
While malvertising campaigns have become commonplace in recent years, the latest activity gives it a little twist of its own: Embedding a GitHub commit into a page URL containing altered links that point to attacker-controlled infrastructure.
“Even when a link seems to point to a reputable platform such as GitHub, the underlying URL can be manipulated to resolve to a counterfeit site,” Arctic Wolf said in a report published last week.
Exclusively targeting IT and software development companies within Western Europe since at least December 2024, the links within the rogue GitHub commit are designed to funnel users to a malicious download hosted on a lookalike domain (“gitpage[.]app”). The activity was first detected on August 19, 2025.
The first-stage malware delivered using poisoned search results is a bloated 128 MB Microsoft Software Installer (MSI) that, owing to its size, evades most existing online security sandboxes, while a Graphics Processing Unit (GPU)-gated decryption routine keeps the payload encrypted on systems without a real GPU. The technique has been codenamed GPUGate.
“Systems without proper GPU drivers are likely to be virtual machines (VMs), sandboxes, or older analysis environments that security researchers commonly use,” the cybersecurity company said. “The executable […] uses GPU functions to generate an encryption key for decrypting the payload, and it checks the GPU device name as it does this.”
Besides incorporating several garbage files as a filler and complicating analysis, it also terminates execution if the device name is less than 10 characters or GPU functions are not available.
The attack subsequently entails the execution of a Visual Basic Script that launches a PowerShell script, which, in turn, runs with administrator privileges, adds Microsoft Defender exclusions, sets up scheduled tasks for persistence, and finally runs executable files extracted from a downloaded ZIP archive.
The end goal is to facilitate information theft and deliver secondary payloads, while simultaneously evading detection. It’s assessed that the threat actors behind the campaign have native Russian language proficiency, given the presence of Russian language comments in the PowerShell script.
Further analysis of the threat actor’s domain has revealed it to be acting as a staging ground for Atomic macOS Stealer (AMOS), suggesting a cross-platform approach.
“By exploiting GitHub’s commit structure and leveraging Google Ads, threat actors can convincingly mimic legitimate software repositories and redirect users to malicious payloads – bypassing both user scrutiny and endpoint defenses,” Arctic Wolf.
The disclosure comes as Acronis detailed the ongoing evolution of a trojanized ConnectWise ScreenConnect campaign that uses the remote access software to drop AsyncRAT, PureHVNC RAT, and a custom PowerShell-based remote access trojan (RAT) on infected hosts in social engineering attacks aimed at U.S. organizations since March 2025.
The bespoke PowerShell RAT, executed by means of a JavaScript file downloaded from the cracked ScreenConnect server, provides some basic functionalities such as running programs, downloading and executing files, and a simple persistence mechanism.
“Attackers now use a ClickOnce runner installer for ScreenConnect, which lacks embedded configuration and instead fetches components at runtime,” the security vendor said. “This evolution makes traditional static detection methods less effective and complicates prevention, leaving defenders with few reliable options.”
Update
GMO Cybersecurity by Ierae, in an analysis published on September 8, 2025, said it has also observed the GPUGate campaign targeting developers since September 2025, indicating that the activity may be broader in scope than previously thought. The Japanese cybersecurity company has described the technique as Phantom Commit Injection.
Similar findings have also been reported by Palo Alto Network Unit 42, which said that it has been tracking a malvertising campaign since early August 2025 that uses dangling commits in an official GitHub repository to entice users into downloading a fake GitHub desktop client that delivers malware in the background. The malicious code commits are made through disposable GitHub user profiles, after which they are deleted.
“The attacker abuses the forking functionality and introduces the malicious commit into the legitimate repository,” the company said. “This link leads to the malicious commit although one may be convinced to think it is part of the verified desktop repository.”
