Cybersecurity researchers have uncovered a highly sophisticated malware campaign leveraging paid search ads on platforms like Google to deliver malicious payloads to unsuspecting users seeking popular tools such as GitHub Desktop. The campaign, active since at least December 2024, is specifically targeting IT and software development companies in Western Europe.
“Even when a link seems to point to a reputable platform such as GitHub, the underlying URL can be manipulated to resolve to a counterfeit site,” said Arctic Wolf in a report last week. The threat actors embed a GitHub commit into page URLs, which redirect users to attacker-controlled infrastructure, including a malicious download hosted on a lookalike domain called gitpage[.]app.
The first-stage malware is a 128 MB Microsoft Software Installer (MSI) that bypasses most security sandboxes due to its size. It employs a GPU-gated decryption routine, codenamed GPUGate, which keeps the payload encrypted on systems without a real GPU. “Systems without proper GPU drivers are likely to be virtual machines (VMs), sandboxes, or older analysis environments that security researchers commonly use,” Arctic Wolf explained. “The executable […] uses GPU functions to generate an encryption key for decrypting the payload, and it checks the GPU device name as it does this.” The malware also incorporates filler files to complicate analysis and terminates execution if GPU functions are unavailable or the device name is too short.
The attack sequence continues with a Visual Basic Script that launches a PowerShell script running with administrator privileges. This script adds Microsoft Defender exclusions, sets up scheduled tasks for persistence, and executes additional files extracted from a downloaded ZIP archive. The ultimate goal is information theft and delivery of secondary payloads, with evidence suggesting the attackers are Russian-speaking, based on Russian-language comments in the PowerShell script. Further investigation indicated a cross-platform approach, using the same infrastructure to stage the Atomic macOS Stealer (AMOS).
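The PowerShell stage described above leaves two host-level artifacts a defender can audit directly: newly added Microsoft Defender exclusions and newly registered scheduled tasks. The script below is an added triage example, not code from the Arctic Wolf report or from the campaign itself; it uses only built-in cmdlets (Get-MpPreference, Get-ScheduledTask), and the lookback window and the list of script hosts it flags are assumed tuning values, not indicators published on the page.

```powershell
# Added triage example (assumed defaults, not from the report): list Defender
# exclusions and scheduled tasks registered in the last N days, flagging entries
# that match the persistence pattern described in the article. Run elevated.
param(
    [int]$LookbackDays = 30   # assumed lookback window; adjust to your environment
)

# Script hosts an installer-dropped task would typically invoke (assumed list).
$SuspiciousHosts = @('powershell.exe', 'pwsh.exe', 'wscript.exe',
                     'cscript.exe', 'mshta.exe', 'cmd.exe')

Write-Host "== Microsoft Defender exclusions =="
$pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    $values = $pref.$kind
    if ($values) {
        foreach ($v in $values) {
            # Exclusions under user-writable locations are the most common abuse pattern.
            $flag = if ($v -match '(?i)\\(Users|ProgramData|Temp|AppData)\\') { '[REVIEW]' } else { '' }
            Write-Host ("{0,-20} {1} {2}" -f $kind, $v, $flag)
        }
    }
}

Write-Host "`n== Scheduled tasks registered in the last $LookbackDays days =="
$cutoff = (Get-Date).AddDays(-$LookbackDays)
Get-ScheduledTask | ForEach-Object {
    $task = $_
    # 'Date' is the registration timestamp stored in the task XML; it may be empty.
    $created = $null
    if ($task.Date) { $created = [datetime]$task.Date }
    if ($created -and $created -ge $cutoff) {
        foreach ($action in $task.Actions) {
            # Only Exec actions carry an Execute path; other action types are skipped.
            if (-not $action.Execute) { continue }
            $exe  = [IO.Path]::GetFileName($action.Execute).ToLower()
            $flag = if ($SuspiciousHosts -contains $exe) { '[REVIEW]' } else { '' }
            [pscustomobject]@{
                Task    = "$($task.TaskPath)$($task.TaskName)"
                Created = $created
                Author  = $task.Author
                Execute = $action.Execute
                Args    = $action.Arguments
                Flag    = $flag
            }
        }
    }
} | Sort-Object Created -Descending | Format-Table -AutoSize
```

Entries marked `[REVIEW]` are not verdicts; an exclusion under a user profile or a fresh task that launches a script host is common in legitimate software too. The value is in correlating the registration timestamp with the time a user ran an unexpected 128 MB installer, and in checking whether the task's Author field is a local user rather than a vendor or SYSTEM.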
“By exploiting GitHub’s commit structure and leveraging Google Ads, threat actors can convincingly mimic legitimate software repositories and redirect users to malicious payloads – bypassing both user scrutiny and endpoint defenses,” Arctic Wolf noted.
The disclosure coincides with Acronis reporting the evolution of a trojanized ConnectWise ScreenConnect campaign targeting U.S. organizations since March 2025. This attack drops AsyncRAT, PureHVNC RAT, and a custom PowerShell-based RAT, executed via JavaScript downloaded from a cracked ScreenConnect server. “Attackers now use a ClickOnce runner installer for ScreenConnect, which lacks embedded configuration and instead fetches components at runtime,” the vendor said. “This evolution makes traditional static detection methods less effective and complicates prevention, leaving defenders with few reliable options.”