PULSE NAME
GPUGate Malware: Malicious GitHub Desktop Implants Use Hardware-Specific Decryption, Abuse Google Ads to Target Western Europe
TLP: WHITE | Author: AlienVault | Created: 2025-09-08 | Modified: 2025-10-08
39 IOCs | MEDIUM VOLUME
A sophisticated malware campaign dubbed 'GPUGate' has been uncovered targeting Western European IT professionals through malicious Google Ads that mimic GitHub Desktop. The attack abuses GitHub's repository structure and relies on a GPU-gated decryption mechanism to evade analysis: the malware, a 128 MB MSI file, contains over 100 dummy executables and employs OpenCL for hardware-specific decryption, so the payload executes only on systems with a real GPU. Because sandboxes and analysis VMs commonly lack a physical GPU, the payload never decrypts in those environments. The campaign aims to gain initial access for credential theft and potential ransomware deployment. The operators demonstrate native Russian language proficiency and deep anti-analysis knowledge. Their selective targeting and GPU-based evasion technique present significant challenges for traditional malware analysis methods.
Indicators of Compromise (39)
TYPE | INDICATOR | DESCRIPTION | CREATED
CVE CVE-2025-20265 2025-09-08
CVE CVE-2025-7775 2025-09-08
FileHash-MD5 1e0b2ef7208c86e2e66a2945b0716738 2025-09-08
FileHash-MD5 56b76ecf127d6fd8a5c0c599cd732842 2025-09-08
FileHash-MD5 935026f24588d35661d53f8e34993b54 2025-09-08
FileHash-MD5 9d283e2d36a649a499cac543cd27d5a5 2025-09-08
FileHash-MD5 a34392f357ae602e3f1d0822fe77f8d1 2025-09-08
FileHash-MD5 b3e5b0ddab44f789dd51e8187edca0b7 2025-09-08
FileHash-SHA1 462dd2b564c25bffb549398c6e0b8f511a5e0218 2025-09-08
FileHash-SHA1 75cbd92b8a631b7900f27cf8cd58a20d548aff6c 2025-09-08
FileHash-SHA1 7df5ca1fa7f40df5d9f3800ada4060c8f8d4cb7b 2025-09-08
FileHash-SHA1 a48188b0d5bdc3e8728cb37619cc51f7392b086f 2025-09-08
FileHash-SHA1 e327aa368ee953910c9ca0703b132a6ffa741e51 2025-09-08
FileHash-SHA256 3746217c25d96bb7efe790fa78a73c6a61d4a99a8e51ae4c613efbb5be18c7b4 2025-09-08
FileHash-SHA256 ad07ffab86a42b4befaf7858318480a556a2e7c272604c3f1dcae0782339482e 2025-09-08
FileHash-SHA256 b13d2ecb8b7fe2db43b641c30a7ca0f8b66f4fadb92401582ac2f8cc3f21a470 2025-09-08
FileHash-SHA256 d6a8b4fa2bb30a1a7313a9e510b2bac2ff3d4014da8b62f6133fdf91442e4de0 2025-09-08
FileHash-SHA256 e4d63c9aefed1b16830fdfce831f27b8e5b904c58b9172496125ba9920c7405b 2025-09-08
FileHash-SHA256 fc160cb764c8458bb97f587da4023ac790244ecf2f7b7544d611d4b245be451c 2025-09-08
URL http://kololjrdtgted.click/zip.php. 2025-09-08
URL https://kololjrdtgted.click/zip.php 2025-09-08
YARA 28a7d55fb610df2f7720dcd6b063eada89ca1030 2025-09-08
YARA 6623dd6ce02703375ee0a0c9ec123881b430b488 2025-09-08
domain 21ow.icu 2025-09-08
domain downloadingpage.my 2025-09-08
domain feelsifuyerza.com 2025-09-08
domain fileisuwaiquw.icu 2025-09-08
domain gfweoweiou.online 2025-09-08
domain git-freqtrade.com 2025-09-08
domain hoohle.xyz 2025-09-08
domain ityreerrec.xyz 2025-09-08
domain kololjrdtgted.click 2025-09-08
domain largetheory.com 2025-09-08
domain poiwerpolymersinc.online 2025-09-08
domain polisywerqwe.xyz 2025-09-08
domain polwique.blog 2025-09-08
domain sleeposeirer.online 2025-09-08
domain slepseetwork.online 2025-09-08
domain snapama.com 2025-09-08