GPUGate: Malware Campaign Exploits GitHub and Google Ads with GPU-Based Decryption to Target Western Europe

    Date: 09/10/2025

    Severity: High

    Summary

    On 19 August 2025, a malware delivery campaign was uncovered that abuses GitHub repositories and Google Ads. The threat actors bought paid ad placements that led users to a lookalike domain hosting a malicious download; because the ad-served link was a commit-specific GitHub URL, the download appeared to be a legitimate GitHub-hosted release and raised little suspicion. The payload was delivered as a 128 MB MSI file, a size large enough on its own to defeat sandboxes that cap the size of submitted files, and it used a novel GPU-gated decryption routine, dubbed "GPUGate": the next stage is decrypted only on a system with a physical Graphics Processing Unit (GPU), so it never unpacks inside GPU-less virtual machines and analysis sandboxes. The campaign primarily targeted users in Western Europe. Analysts should therefore detonate these samples on bare-metal hosts or on VMs with GPU passthrough; a run in a GPU-less sandbox that shows nothing beyond the MSI installing is not evidence that the sample is benign.

    Indicators of Compromise (IOC) List

    URL/Domain

    gitpage.app

    fileisuwaiquw.icu

    poiwerpolymersinc.online

    git-freqtrade.com

    sleeposeirer.online

    chrome.browsers.it.com

    downloadingpage.my

    feelsifuyerza.com

    gfweoweiou.online

    polisywerqwe.xyz

    largetheory.com

    snapama.com

    hoohle.xyz

    ityreerrec.xyz

    21ow.icu

    slepseetwork.online

    polwique.blog

    git-desktop.app

    https://gitpage.app/git/mac

    https://kololjrdtgted.click/zip.php

    IP Address

    107.189.17.89

    107.189.16.41

    107.189.25.128

    107.189.20.254

    107.189.24.117

    107.189.19.18

    104.194.134.4

    107.189.15.205

    107.189.18.154

    107.189.26.46

    107.189.27.207

    172.86.81.100

    104.194.132.28

    107.189.18.24

    45.59.125.245

    45.59.124.94

    45.59.125.184

    45.59.125.141

    Hash

    ad07ffab86a42b4befaf7858318480a556a2e7c272604c3f1dcae0782339482e

    e4d63c9aefed1b16830fdfce831f27b8e5b904c58b9172496125ba9920c7405b

    3746217c25d96bb7efe790fa78a73c6a61d4a99a8e51ae4c613efbb5be18c7b4

    b13d2ecb8b7fe2db43b641c30a7ca0f8b66f4fadb92401582ac2f8cc3f21a470

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection    

    Detection Query 1 :

    domainname like "feelsifuyerza.com" or siteurl like "feelsifuyerza.com" or url like "feelsifuyerza.com" or domainname like "https://kololjrdtgted.click/zip.php" or siteurl like "https://kololjrdtgted.click/zip.php" or url like "https://kololjrdtgted.click/zip.php" or domainname like "21ow.icu" or siteurl like "21ow.icu" or url like "21ow.icu" or domainname like "poiwerpolymersinc.online" or siteurl like "poiwerpolymersinc.online" or url like "poiwerpolymersinc.online" or domainname like "polisywerqwe.xyz" or siteurl like "polisywerqwe.xyz" or url like "polisywerqwe.xyz" or domainname like "sleeposeirer.online" or siteurl like "sleeposeirer.online" or url like "sleeposeirer.online" or domainname like "gfweoweiou.online" or siteurl like "gfweoweiou.online" or url like "gfweoweiou.online" or domainname like "git-freqtrade.com" or siteurl like "git-freqtrade.com" or url like "git-freqtrade.com" or domainname like "ityreerrec.xyz" or siteurl like "ityreerrec.xyz" or url like "ityreerrec.xyz" or domainname like "chrome.browsers.it.com" or siteurl like "chrome.browsers.it.com" or url like "chrome.browsers.it.com" or domainname like "slepseetwork.online" or siteurl like "slepseetwork.online" or url like "slepseetwork.online" or domainname like "largetheory.com" or siteurl like "largetheory.com" or url like "largetheory.com" or domainname like "polwique.blog" or siteurl like "polwique.blog" or url like "polwique.blog" or domainname like "gitpage.app" or siteurl like "gitpage.app" or url like "gitpage.app" or domainname like "fileisuwaiquw.icu" or siteurl like "fileisuwaiquw.icu" or url like "fileisuwaiquw.icu" or domainname like "downloadingpage.my" or siteurl like "downloadingpage.my" or url like "downloadingpage.my" or domainname like "snapama.com" or siteurl like "snapama.com" or url like "snapama.com" or domainname like "hoohle.xyz" or siteurl like "hoohle.xyz" or url like "hoohle.xyz" or domainname like "git-desktop.app" or siteurl like "git-desktop.app" or url like "git-desktop.app" or domainname like "https://gitpage.app/git/mac" or siteurl like "https://gitpage.app/git/mac" or url like "https://gitpage.app/git/mac"

    Note: two of the indicators are full URLs rather than hostnames. A clause such as domainname like "https://kololjrdtgted.click/zip.php" will not match a log field that records only the hostname, and gitpage.app is already covered by its bare-domain clause while kololjrdtgted.click is not. Match the URL indicators against URL fields and add the bare host kololjrdtgted.click to the domain clauses if your telemetry records hostnames only.

    Detection Query 2 :

    dstipaddress IN ("107.189.17.89","107.189.16.41","107.189.25.128","107.189.20.254","107.189.24.117","107.189.19.18","104.194.134.4","107.189.15.205","107.189.18.154","107.189.26.46","107.189.27.207","172.86.81.100","104.194.132.28","107.189.18.24","45.59.125.245","45.59.124.94","45.59.125.184","45.59.125.141") or srcipaddress IN ("107.189.17.89","107.189.16.41","107.189.25.128","107.189.20.254","107.189.24.117","107.189.19.18","104.194.134.4","107.189.15.205","107.189.18.154","107.189.26.46","107.189.27.207","172.86.81.100","104.194.132.28","107.189.18.24","45.59.125.245","45.59.124.94","45.59.125.184","45.59.125.141")

    Detection Query 3 :

    sha256hash IN ("e4d63c9aefed1b16830fdfce831f27b8e5b904c58b9172496125ba9920c7405b","b13d2ecb8b7fe2db43b641c30a7ca0f8b66f4fadb92401582ac2f8cc3f21a470","3746217c25d96bb7efe790fa78a73c6a61d4a99a8e51ae4c613efbb5be18c7b4","ad07ffab86a42b4befaf7858318480a556a2e7c272604c3f1dcae0782339482e")
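    The three queries above express the same logic that a small offline matcher can apply to exported events. The block below is an added example, not Gurucul's or Arctic Wolf's code: it loads the page's domain, URL, IP and SHA-256 indicators, mirrors the field names used in the queries (domainname, siteurl, url, dstipaddress, srcipaddress, sha256hash), and runs them over a handful of constructed events. It goes beyond Query 1 in two ways a practitioner will want: it matches subdomains of a listed domain without firing on a parent domain (it.com must not match because chrome.browsers.it.com is listed), and it derives the bare host from each URL indicator so a hostname-only DNS or proxy record for kololjrdtgted.click is still caught. The sample events and the event field layout are assumptions for illustration.

```python
"""Match proxy/EDR events against the GPUGate indicators listed above.
Added example (not Gurucul or Arctic Wolf code). Indicators are copied from
the IOC list on this page; field names mirror the detection queries; the
sample events at the bottom are constructed, not real telemetry."""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

IOC_DOMAINS = {
    "gitpage.app", "fileisuwaiquw.icu", "poiwerpolymersinc.online",
    "git-freqtrade.com", "sleeposeirer.online", "chrome.browsers.it.com",
    "downloadingpage.my", "feelsifuyerza.com", "gfweoweiou.online",
    "polisywerqwe.xyz", "largetheory.com", "snapama.com", "hoohle.xyz",
    "ityreerrec.xyz", "21ow.icu", "slepseetwork.online", "polwique.blog",
    "git-desktop.app",
}
IOC_URLS = {"https://gitpage.app/git/mac", "https://kololjrdtgted.click/zip.php"}
IOC_IPS = {ipaddress.ip_address(a) for a in (
    "107.189.17.89", "107.189.16.41", "107.189.25.128", "107.189.20.254", "107.189.24.117",
    "107.189.19.18", "104.194.134.4", "107.189.15.205", "107.189.18.154", "107.189.26.46",
    "107.189.27.207", "172.86.81.100", "104.194.132.28", "107.189.18.24", "45.59.125.245",
    "45.59.124.94", "45.59.125.184", "45.59.125.141",
)}
IOC_SHA256 = {
    "ad07ffab86a42b4befaf7858318480a556a2e7c272604c3f1dcae0782339482e",
    "e4d63c9aefed1b16830fdfce831f27b8e5b904c58b9172496125ba9920c7405b",
    "3746217c25d96bb7efe790fa78a73c6a61d4a99a8e51ae4c613efbb5be18c7b4",
    "b13d2ecb8b7fe2db43b641c30a7ca0f8b66f4fadb92401582ac2f8cc3f21a470",
}


def _url_key(url: str) -> tuple[str, str]:
    """Reduce a URL to (host, "host/path"), dropping scheme, port, query and
    trailing slash so http:// and https:// forms of an IOC URL compare equal."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    return host, host + (parts.path.rstrip("/") or "/")


IOC_URL_KEYS = {_url_key(u)[1] for u in IOC_URLS}
# Also match the bare hosts of the URL indicators, so a DNS or proxy record
# that carries only a hostname still fires on kololjrdtgted.click.
IOC_HOSTS = IOC_DOMAINS | {_url_key(u)[0] for u in IOC_URLS}


def host_matches(host: str) -> str | None:
    """Return the IOC domain that `host` equals or sits under. Parent domains
    never match: it.com must not fire because chrome.browsers.it.com is listed."""
    host = host.lower().rstrip(".")
    for d in IOC_HOSTS:
        if host == d or host.endswith("." + d):
            return d
    return None


def indicator_for(value: str) -> str | None:
    """Match a bare hostname or a full URL against the domain/URL indicators."""
    if "://" in value:
        host, key = _url_key(value)
        if key in IOC_URL_KEYS:
            return "url:" + key
    else:
        host = value
    d = host_matches(host)
    return "domain:" + d if d else None


def _ip(value: str):
    """Parse an address or return None for malformed input (never raise mid-scan)."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def check_event(event: dict) -> list[str]:
    """Return one "field=value -> indicator" line per IOC hit in `event`."""
    hits = []
    for field in ("domainname", "siteurl", "url"):
        value = event.get(field)
        if value and (ind := indicator_for(value)):
            hits.append(f"{field}={value} -> {ind}")
    for field in ("dstipaddress", "srcipaddress"):
        value = event.get(field)
        if value and _ip(value) in IOC_IPS:
            hits.append(f"{field}={value} -> ip")
    digest = event.get("sha256hash")
    if digest and digest.lower() in IOC_SHA256:
        hits.append(f"sha256hash={digest} -> hash")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Index -> hits for every event that matched at least one indicator."""
    return {i: h for i, e in enumerate(events) if (h := check_event(e))}


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"url": "http://gitpage.app/git/mac", "dstipaddress": "107.189.17.89"},
    {"domainname": "kololjrdtgted.click"},  # hostname only; Query 1 misses this
    {"domainname": "cdn.git-desktop.app"},  # subdomain of a listed IOC
    {"domainname": "it.com"},  # parent of a listed IOC: must not fire
    {"sha256hash": "AD07FFAB86A42B4BEFAF7858318480A556A2E7C272604C3F1DCAE0782339482E"},
    {"srcipaddress": "10.0.0.5", "url": "https://github.com/desktop/desktop"},
]
```

    Running scan(SAMPLE_EVENTS) flags events 0, 1, 2 and 4 and leaves the parent-domain and legitimate-GitHub events untouched. Hash comparison is case-insensitive and URL comparison ignores scheme, port and query string, so http:// and trailing-slash variants of the listed URLs still match.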

    Reference:    

    https://arcticwolf.com/resources/blog/gpugate-malware-malicious-github-desktop-implants-use-hardware-specific-decryption-abuse-google-ads-target-western-europe/


    Tags

    Malware, GPUGate, Europe, GitHub


