{ "type": "URL", "indicator": "https://kololjrdtgted.click/zip.php", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://kololjrdtgted.click/zip.php", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4127592150, "indicator": "https://kololjrdtgted.click/zip.php", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "68bea34dbeedfdb8c3139638", "name": "GPUGate Malware: Malicious GitHub Desktop Implants Use Hardware-Specific Decryption, Abuse Google Ads to Target Western Europe", "description": "A sophisticated malware campaign dubbed 'GPUGate' has been uncovered, targeting Western European IT professionals through malicious Google Ads mimicking GitHub Desktop. The attack leverages GitHub's repository structure and a GPU-gated decryption mechanism to evade analysis. The malware, a 128 MB MSI file, contains over 100 dummy executables and employs OpenCL for hardware-specific decryption, ensuring execution only on systems with real GPUs. The campaign aims to gain initial access for credential theft and potential ransomware deployment. It demonstrates native Russian language proficiency and deep anti-analysis knowledge. The attackers' selective approach and GPU-based evasion technique present significant challenges for traditional malware analysis methods.", "modified": "2025-10-08T09:02:05.410000", "created": "2025-09-08T09:35:09.294000", "tags": [ "gpugate", "malvertising", "gpu-gated decryption", "amos stealer", "opencl", "anti-analysis", "western europe" ], "references": [ "https://arcticwolf.com/resources/blog/gpugate-malware-malicious-github-desktop-implants-use-hardware-specific-decryption-abuse-google-ads-target-western-europe/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "GPUGate", "display_name": "GPUGate", "target": null }, { "id": "AMOS Stealer", "display_name": "AMOS Stealer", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1547.009", "name": "Shortcut Modification", "display_name": "T1547.009 - Shortcut Modification" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1218.005", "name": "Mshta", "display_name": "T1218.005 - Mshta" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 6, "FileHash-SHA1": 5, "FileHash-SHA256": 6, "URL": 2, "YARA": 2, "domain": 16 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 386796, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68bc0d92c439f8ebe992a953", "name": "EbeeSep2025 Pt1", "description": "", "modified": "2025-10-11T12:03:16.109000", "created": "2025-09-06T10:31:46.478000", "tags": [], "references": [ "week1.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 12, "FileHash-MD5": 157, "FileHash-SHA1": 141, "FileHash-SHA256": 318, "URL": 83, "domain": 78 }, "indicator_count": 789, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "233 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68bf8467d68b4edd7015991b", "name": "IOC - GPUGate Malware: Malicious GitHub Desktop Implants Use Hardware-Specific Decryption, Abuse Google Ads to Target Western Europe", "description": "Victimology\nConclusions\nAPPENDIX\nReferential Indicators of Compromise (IOCs)\nAbout Arctic Wolf Labs\nAuthors\nExecutive Summary\nOn 19 August 2025, the Arctic Wolf\u00ae Cybersecurity Operations Center (cSOC) uncovered and remediated a sophisticated delivery chain: a threat actor leveraged GitHub\u2019s repository structure together with paid placements on Google Ads to funnel users toward a malicious download hosted on a lookalike domain. By embedding a commit\u2011specific link in the advertisement, the attackers made the download appear to originate from an official source, effectively sidestepping typical user scrutiny\n\nThe delivered malware is unique: the bloated 128 MB Microsoft Software Installer (MSI) evades most existing security sandboxes, while a Graphics Processing Unit (GPU)-gated decryption routine keeps the payload encrypted on systems without a real GPU. We have called this new attack technique \u201cGPUGate\u201d.", "modified": "2025-10-09T01:03:27.215000", "created": "2025-09-09T01:35:35.704000", "tags": [ "domain tools", "access", "payload server", "verified", "identified", "virustotal", "github desktop", "utc file", "arm version", "amos stealer", "amos" ], "references": [ "https://arcticwolf.com/resources/blog/gpugate-malware-malicious-github-desktop-implants-use-hardware-specific-decryption-abuse-google-ads-target-western-europe/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AMOS", "display_name": "AMOS", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 1, "domain": 16 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68bc9b101e6e43c78681d773", "name": "GPUGate Malware: Malicious GitHub Desktop Implants Use Hardware-Specific Decryption, Abuse Google Ads to Target Western Europe.", "description": "The GPUGate malware represents a sophisticated attack vector that exploits GitHub repository structures and Google Ads to disseminate malicious payloads. Discovered on August 19, 2025, this threat primarily targets users in Western Europe, particularly those within the Information Technology sector. By leveraging a series of deceptive practices, including creating lookalike domains and embedding commit-specific links in advertisements, threat actors have effectively masked the origin of the malicious downloads, leading users to unwittingly install the malware.\n\nThe core of the GPUGate technique is its specialized delivery mechanism, which includes a unique GPU-gated decryption routine. This routine ensures that the malicious payload remains encrypted on devices lacking a proper GPU-those not equipped with a GPU that meets specific criteria (e.g., a device name of at least ten characters long).", "modified": "2025-10-06T20:02:54.131000", "created": "2025-09-06T20:35:28.888000", "tags": [ "strong", "arctic wolf", "domain tools", "access", "payload server", "verified", "identified", "github desktop", "github", "virustotal", "suomi", "swedish", "august", "powershell", "execution", "demo", "attack", "wolf", "malware", "leverage", "arctic", "desktop", "click", "persistence", "impact", "ransomware", "macos", "april", "target", "union", "defense", "phase", "first", "malicious", "bypass", "restart", "back", "gpugate", "amos", "defense evasion", "command", "user", "phishing" ], "references": [ "https://arcticwolf.com/resources/blog/gpugate-malware-malicious-github-desktop-implants-use-hardware-specific-decryption-abuse-google-ads-target-western-europe/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "GPUGate", "display_name": "GPUGate", "target": null }, { "id": "AMOS", "display_name": "AMOS", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" } ], "industries": [ "Gaming", "Cryptocurrency", "Information Technology", "Information Technologies" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 6, "FileHash-SHA1": 5, "FileHash-SHA256": 6, "URL": 2, "YARA": 2, "domain": 16 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "week1.pdf", "https://arcticwolf.com/resources/blog/gpugate-malware-malicious-github-desktop-implants-use-hardware-specific-decryption-abuse-google-ads-target-western-europe/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Amos stealer", "Gpugate" ], "industries": [ "Technology" ], "unique_indicators": 57 }, "other": { "adversary": [ "Multiple" ], "malware_families": [ "Gpugate", "Amos" ], "industries": [ "Information technologies", "Gaming", "Information technology", "Cryptocurrency" ], "unique_indicators": 927 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/kololjrdtgted.click", "whois": "http://whois.domaintools.com/kololjrdtgted.click", "domain": "kololjrdtgted.click", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "68bea34dbeedfdb8c3139638", "name": "GPUGate Malware: Malicious GitHub Desktop Implants Use Hardware-Specific Decryption, Abuse Google Ads to Target Western Europe", "description": "A sophisticated malware campaign dubbed 'GPUGate' has been uncovered, targeting Western European IT professionals through malicious Google Ads mimicking GitHub Desktop. The attack leverages GitHub's repository structure and a GPU-gated decryption mechanism to evade analysis. The malware, a 128 MB MSI file, contains over 100 dummy executables and employs OpenCL for hardware-specific decryption, ensuring execution only on systems with real GPUs. The campaign aims to gain initial access for credential theft and potential ransomware deployment. It demonstrates native Russian language proficiency and deep anti-analysis knowledge. The attackers' selective approach and GPU-based evasion technique present significant challenges for traditional malware analysis methods.", "modified": "2025-10-08T09:02:05.410000", "created": "2025-09-08T09:35:09.294000", "tags": [ "gpugate", "malvertising", "gpu-gated decryption", "amos stealer", "opencl", "anti-analysis", "western europe" ], "references": [ "https://arcticwolf.com/resources/blog/gpugate-malware-malicious-github-desktop-implants-use-hardware-specific-decryption-abuse-google-ads-target-western-europe/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "GPUGate", "display_name": "GPUGate", "target": null }, { "id": "AMOS Stealer", "display_name": "AMOS Stealer", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1547.009", "name": "Shortcut Modification", "display_name": "T1547.009 - Shortcut Modification" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1218.005", "name": "Mshta", "display_name": "T1218.005 - Mshta" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 6, "FileHash-SHA1": 5, "FileHash-SHA256": 6, "URL": 2, "YARA": 2, "domain": 16 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 386796, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68bc0d92c439f8ebe992a953", "name": "EbeeSep2025 Pt1", "description": "", "modified": "2025-10-11T12:03:16.109000", "created": "2025-09-06T10:31:46.478000", "tags": [], "references": [ "week1.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 12, "FileHash-MD5": 157, "FileHash-SHA1": 141, "FileHash-SHA256": 318, "URL": 83, "domain": 78 }, "indicator_count": 789, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "233 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68bf8467d68b4edd7015991b", "name": "IOC - GPUGate Malware: Malicious GitHub Desktop Implants Use Hardware-Specific Decryption, Abuse Google Ads to Target Western Europe", "description": "Victimology\nConclusions\nAPPENDIX\nReferential Indicators of Compromise (IOCs)\nAbout Arctic Wolf Labs\nAuthors\nExecutive Summary\nOn 19 August 2025, the Arctic Wolf\u00ae Cybersecurity Operations Center (cSOC) uncovered and remediated a sophisticated delivery chain: a threat actor leveraged GitHub\u2019s repository structure together with paid placements on Google Ads to funnel users toward a malicious download hosted on a lookalike domain. By embedding a commit\u2011specific link in the advertisement, the attackers made the download appear to originate from an official source, effectively sidestepping typical user scrutiny\n\nThe delivered malware is unique: the bloated 128 MB Microsoft Software Installer (MSI) evades most existing security sandboxes, while a Graphics Processing Unit (GPU)-gated decryption routine keeps the payload encrypted on systems without a real GPU. We have called this new attack technique \u201cGPUGate\u201d.", "modified": "2025-10-09T01:03:27.215000", "created": "2025-09-09T01:35:35.704000", "tags": [ "domain tools", "access", "payload server", "verified", "identified", "virustotal", "github desktop", "utc file", "arm version", "amos stealer", "amos" ], "references": [ "https://arcticwolf.com/resources/blog/gpugate-malware-malicious-github-desktop-implants-use-hardware-specific-decryption-abuse-google-ads-target-western-europe/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AMOS", "display_name": "AMOS", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 1, "domain": 16 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68bc9b101e6e43c78681d773", "name": "GPUGate Malware: Malicious GitHub Desktop Implants Use Hardware-Specific Decryption, Abuse Google Ads to Target Western Europe.", "description": "The GPUGate malware represents a sophisticated attack vector that exploits GitHub repository structures and Google Ads to disseminate malicious payloads. Discovered on August 19, 2025, this threat primarily targets users in Western Europe, particularly those within the Information Technology sector. By leveraging a series of deceptive practices, including creating lookalike domains and embedding commit-specific links in advertisements, threat actors have effectively masked the origin of the malicious downloads, leading users to unwittingly install the malware.\n\nThe core of the GPUGate technique is its specialized delivery mechanism, which includes a unique GPU-gated decryption routine. This routine ensures that the malicious payload remains encrypted on devices lacking a proper GPU-those not equipped with a GPU that meets specific criteria (e.g., a device name of at least ten characters long).", "modified": "2025-10-06T20:02:54.131000", "created": "2025-09-06T20:35:28.888000", "tags": [ "strong", "arctic wolf", "domain tools", "access", "payload server", "verified", "identified", "github desktop", "github", "virustotal", "suomi", "swedish", "august", "powershell", "execution", "demo", "attack", "wolf", "malware", "leverage", "arctic", "desktop", "click", "persistence", "impact", "ransomware", "macos", "april", "target", "union", "defense", "phase", "first", "malicious", "bypass", "restart", "back", "gpugate", "amos", "defense evasion", "command", "user", "phishing" ], "references": [ "https://arcticwolf.com/resources/blog/gpugate-malware-malicious-github-desktop-implants-use-hardware-specific-decryption-abuse-google-ads-target-western-europe/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "GPUGate", "display_name": "GPUGate", "target": null }, { "id": "AMOS", "display_name": "AMOS", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" } ], "industries": [ "Gaming", "Cryptocurrency", "Information Technology", "Information Technologies" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 6, "FileHash-SHA1": 5, "FileHash-SHA256": 6, "URL": 2, "YARA": 2, "domain": 16 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://kololjrdtgted.click/zip.php", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://kololjrdtgted.click/zip.php", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780372470.9310982 }