IOC - GPUGate Malware: Malicious GitHub Desktop Implants Use Hardware-Specific Decryption, Abuse Google Ads to Target Western Europe
Executive Summary
On 19 August 2025, the Arctic Wolf® Cybersecurity Operations Center (cSOC) uncovered and remediated a sophisticated delivery chain: a threat actor combined GitHub's repository structure with paid placements on Google Ads to funnel users toward a malicious download hosted on a lookalike domain. Because the advertised link pointed at a commit-specific page on GitHub, the download appeared to originate from an official source, sidestepping the scrutiny a user would normally apply to an unfamiliar domain.
The delivered malware is unusual on two counts: the 128 MB Microsoft Software Installer (MSI) is bloated well beyond the file-size limits most security sandboxes accept for submission, so it is rarely detonated at all, and a Graphics Processing Unit (GPU)-gated decryption routine keeps the payload encrypted on any system without a real GPU, which covers most virtual machines and analysis sandboxes. We have called this new attack technique "GPUGate".
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed in this pulse
Malware families: AMOS
Indicators of Compromise (29)
| Type | Indicator | Description | Created |
|---|---|---|---|
| FileHash-MD5 | 1e0b2ef7208c86e2e66a2945b0716738 | MD5 of e4d63c9aefed1b16830fdfce831f27b8e5b904c58b9172496125ba9920c7405b | 2025-09-09 |
| FileHash-MD5 | 4e75c9adec0151b04a58e2147723856f | MD5 of b13d2ecb8b7fe2db43b641c30a7ca0f8b66f4fadb92401582ac2f8cc3f21a470 | 2025-09-09 |
| FileHash-MD5 | 935026f24588d35661d53f8e34993b54 | MD5 of ad07ffab86a42b4befaf7858318480a556a2e7c272604c3f1dcae0782339482e | 2025-09-09 |
| FileHash-MD5 | a34392f357ae602e3f1d0822fe77f8d1 | MD5 of 3746217c25d96bb7efe790fa78a73c6a61d4a99a8e51ae4c613efbb5be18c7b4 | 2025-09-09 |
| FileHash-SHA1 | 72bd1272087f9727da6f5436e5255cc376d29598 | SHA1 of ad07ffab86a42b4befaf7858318480a556a2e7c272604c3f1dcae0782339482e | 2025-09-09 |
| FileHash-SHA1 | 75cbd92b8a631b7900f27cf8cd58a20d548aff6c | SHA1 of 3746217c25d96bb7efe790fa78a73c6a61d4a99a8e51ae4c613efbb5be18c7b4 | 2025-09-09 |
| FileHash-SHA1 | 8c8ce76de176d12fb5d259558599a45ff3638582 | SHA1 of b13d2ecb8b7fe2db43b641c30a7ca0f8b66f4fadb92401582ac2f8cc3f21a470 | 2025-09-09 |
| FileHash-SHA1 | e327aa368ee953910c9ca0703b132a6ffa741e51 | SHA1 of e4d63c9aefed1b16830fdfce831f27b8e5b904c58b9172496125ba9920c7405b | 2025-09-09 |
| FileHash-SHA256 | 3746217c25d96bb7efe790fa78a73c6a61d4a99a8e51ae4c613efbb5be18c7b4 | — | 2025-09-09 |
| FileHash-SHA256 | ad07ffab86a42b4befaf7858318480a556a2e7c272604c3f1dcae0782339482e | — | 2025-09-09 |
| FileHash-SHA256 | b13d2ecb8b7fe2db43b641c30a7ca0f8b66f4fadb92401582ac2f8cc3f21a470 | — | 2025-09-09 |
| FileHash-SHA256 | e4d63c9aefed1b16830fdfce831f27b8e5b904c58b9172496125ba9920c7405b | — | 2025-09-09 |
| URL | https://kololjrdtgted.click/zip.php | — | 2025-09-09 |
| domain | 21ow.icu | — | 2025-09-09 |
| domain | downloadingpage.my | — | 2025-09-09 |
| domain | feelsifuyerza.com | — | 2025-09-09 |
| domain | fileisuwaiquw.icu | — | 2025-09-09 |
| domain | gfweoweiou.online | — | 2025-09-09 |
| domain | git-freqtrade.com | — | 2025-09-09 |
| domain | hoohle.xyz | — | 2025-09-09 |
| domain | ityreerrec.xyz | — | 2025-09-09 |
| domain | kololjrdtgted.click | — | 2025-09-09 |
| domain | largetheory.com | — | 2025-09-09 |
| domain | poiwerpolymersinc.online | — | 2025-09-09 |
| domain | polisywerqwe.xyz | — | 2025-09-09 |
| domain | polwique.blog | — | 2025-09-09 |
| domain | sleeposeirer.online | — | 2025-09-09 |
| domain | slepseetwork.online | — | 2025-09-09 |
| domain | snapama.com | — | 2025-09-09 |
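As an added example (not code from this pulse, from OTX or from Arctic Wolf), the script below sweeps a set of constructed proxy/DNS log lines and a constructed EDR-style file inventory against the indicators in the table above. It normalizes case, matches subdomains of the listed domains, resolves an MD5 or SHA-1 hit back to the SHA-256 the pulse pairs it with, and flags oversized .msi files in line with the 128 MB installer described in the summary. The log format, the inventory fields, the sample data and the 100 MB size threshold are assumptions made for the example.

```python
# Added example, not code from the pulse, OTX or Arctic Wolf. Sweeps constructed
# proxy/DNS log lines and a constructed EDR-style file inventory against the
# indicators listed in this pulse. The log format, inventory fields, sample data
# and the 100 MB size threshold are assumptions made for the example.
import re
from urllib.parse import urlparse

# Indicators copied from the pulse table.
PULSE_DOMAINS = {
    "21ow.icu", "downloadingpage.my", "feelsifuyerza.com", "fileisuwaiquw.icu",
    "gfweoweiou.online", "git-freqtrade.com", "hoohle.xyz", "ityreerrec.xyz",
    "kololjrdtgted.click", "largetheory.com", "poiwerpolymersinc.online",
    "polisywerqwe.xyz", "polwique.blog", "sleeposeirer.online",
    "slepseetwork.online", "snapama.com",
}
PULSE_URLS = {"https://kololjrdtgted.click/zip.php"}
# SHA-256 of each sample -> (MD5, SHA-1) the pulse lists for it.
PULSE_HASHES = {
    "3746217c25d96bb7efe790fa78a73c6a61d4a99a8e51ae4c613efbb5be18c7b4":
        ("a34392f357ae602e3f1d0822fe77f8d1", "75cbd92b8a631b7900f27cf8cd58a20d548aff6c"),
    "ad07ffab86a42b4befaf7858318480a556a2e7c272604c3f1dcae0782339482e":
        ("935026f24588d35661d53f8e34993b54", "72bd1272087f9727da6f5436e5255cc376d29598"),
    "b13d2ecb8b7fe2db43b641c30a7ca0f8b66f4fadb92401582ac2f8cc3f21a470":
        ("4e75c9adec0151b04a58e2147723856f", "8c8ce76de176d12fb5d259558599a45ff3638582"),
    "e4d63c9aefed1b16830fdfce831f27b8e5b904c58b9172496125ba9920c7405b":
        ("1e0b2ef7208c86e2e66a2945b0716738", "e327aa368ee953910c9ca0703b132a6ffa741e51"),
}
# Any digest (MD5, SHA-1 or SHA-256) -> the SHA-256 it belongs to, so a hit on
# a weaker hash is reported as the canonical sample.
DIGEST_TO_SHA256 = {}
for _sha256, (_md5, _sha1) in PULSE_HASHES.items():
    for _d in (_sha256, _md5, _sha1):
        DIGEST_TO_SHA256[_d] = _sha256

OVERSIZED_MSI_BYTES = 100 * 1024 * 1024  # assumed threshold; the GPUGate MSI is 128 MB


def domain_matches(host: str) -> bool:
    """True if host is one of the pulse domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PULSE_DOMAINS)


# Assumed log shape: "<ts> <src-ip> DNS <queried-name>" or "<ts> <src-ip> HTTP <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>DNS|HTTP)\s+(?P<target>\S+)$")


def scan_log_lines(lines):
    """Return (ts, src, indicator, reason) for every line touching a pulse indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        ts, src, kind, target = m.group("ts", "src", "kind", "target")
        if kind == "HTTP":
            if target in PULSE_URLS:
                hits.append((ts, src, target, "url"))
                continue
            host = urlparse(target).hostname or ""  # hostname is lowercased by urlparse
        else:
            host = target
        if domain_matches(host):
            hits.append((ts, src, host, "domain"))
    return hits


def scan_inventory(files):
    """files: dicts with path, size and any of md5/sha1/sha256 (EDR-export style).
    Returns (path, reason, detail) for hash hits and for oversized .msi files."""
    findings = []
    for f in files:
        for algo in ("md5", "sha1", "sha256"):
            digest = (f.get(algo) or "").lower()
            if digest in DIGEST_TO_SHA256:
                findings.append((f["path"], "hash", DIGEST_TO_SHA256[digest]))
                break  # one hash hit per file is enough
        if f["path"].lower().endswith(".msi") and f.get("size", 0) >= OVERSIZED_MSI_BYTES:
            findings.append((f["path"], "oversized-msi", f["size"]))
    return findings


# Constructed sample data for the example; not from any real incident.
SAMPLE_LOGS = [
    "2025-08-19T09:14:02Z 10.0.4.21 DNS cdn.kololjrdtgted.click",
    "2025-08-19T09:14:03Z 10.0.4.21 HTTP https://kololjrdtgted.click/zip.php",
    "2025-08-19T09:15:10Z 10.0.4.22 DNS github.com",
    "2025-08-19T09:16:44Z 10.0.4.23 HTTP https://GIT-FREQTRADE.COM/download",
    "garbage line that does not parse",
]
SAMPLE_INVENTORY = [
    {"path": "C:\\Users\\a\\Downloads\\GitHubDesktopSetup.msi", "size": 134_217_728,
     "md5": "A34392F357AE602E3F1D0822FE77F8D1"},
    {"path": "C:\\Windows\\System32\\notepad.exe", "size": 200_000, "sha256": "0" * 64},
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOGS):
        print("LOG ", *hit)
    for finding in scan_inventory(SAMPLE_INVENTORY):
        print("FILE", *finding)
```

Two design points worth carrying into a real sweep: match domains by suffix so a subdomain of a listed domain is not missed, and key the hash lookup on every digest the pulse provides, since EDR exports often carry only MD5 or SHA-1 while the canonical identifier for the sample is its SHA-256.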