
Cybersecurity researchers have detailed a new, sophisticated malware campaign that leverages paid advertising on search engines such as Google to deliver malware to unsuspecting users searching for popular tools such as GitHub Desktop.
Malvertising campaigns have become common in recent years, but the latest activity adds a twist of its own: a GitHub commit is embedded in the page URL, and that commit contains a modified link pointing to attacker-controlled infrastructure.
“Even if a link appears to reference a reputable platform like GitHub, the underlying URL can still be manipulated to resolve to a forged site,” Arctic Wolf said in a report published last week.
The campaign has targeted software developers in Western Europe since at least December 2024. Links within the rogue GitHub commits are designed to funnel users to malicious downloads hosted on lookalike domains (“gitpage[.]app”).
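The manipulated-link problem described above can be checked mechanically: what matters is the host the link actually resolves to, not whether the anchor text or path mentions GitHub. The following is an added example, not code from the Arctic Wolf report or from the campaign, that audits anchor text against the real destination host. The trusted host list, the defanging helper and the sample links are constructed for illustration; only the gitpage[.]app domain is taken from the article.

```python
"""Audit links scraped from a commit page or ad landing page against the host they
really point to. Added example; allowlist and sample links are constructed."""
from urllib.parse import urlparse

# Hosts from which a genuine GitHub Desktop download may legitimately come
# (assumed allowlist for this example, not an authoritative list).
TRUSTED_HOSTS = {"github.com", "desktop.github.com", "objects.githubusercontent.com"}


def refang(url: str) -> str:
    """Turn a defanged indicator such as hxxps://gitpage[.]app back into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def host_is_trusted(url: str) -> bool:
    """True only when the URL's host is a trusted host or a subdomain of one.
    A substring test ("github" in url) is exactly what a lookalike domain or a
    'github.com.<attacker>' prefix would defeat, so compare on host boundaries."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    host = (parsed.hostname or "").lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def audit_links(links):
    """Return (anchor_text, href, verdict) for each (anchor_text, href) pair.

    verdict is 'ok' for a trusted host, 'spoofed' when the link looks like GitHub
    (in its text, path or host name) but resolves elsewhere, and 'external' otherwise."""
    results = []
    for text, href in links:
        href = refang(href)
        if host_is_trusted(href):
            verdict = "ok"
        elif "github" in (text + href).lower():
            verdict = "spoofed"
        else:
            verdict = "external"
        results.append((text, href, verdict))
    return results


# Constructed sample: one genuine link, a lookalike domain (the article's gitpage[.]app),
# a 'github.com.' subdomain trick, and an unrelated external link.
SAMPLE_LINKS = [
    ("Releases", "https://github.com/desktop/desktop/releases"),
    ("Download GitHub Desktop", "hxxps://gitpage[.]app/GitHubDesktopSetup.msi"),
    ("github.com/desktop", "https://github.com.download-mirror.example/desktop.msi"),
    ("Docs", "https://docs.example.org/installing"),
]

if __name__ == "__main__":
    for text, href, verdict in audit_links(SAMPLE_LINKS):
        print(f"{verdict:8s} {text!r} -> {href}")
```

The check deliberately parses the host with urlparse and compares on label boundaries; matching on the string "github" anywhere in the URL would pass both spoofed samples.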

The first-stage malware delivered via the poisoned search results is a bloated 128 MB Microsoft Software Installer (MSI) whose size lets it evade most existing online security sandboxes, and which uses a Graphics Processing Unit (GPU)-gated decryption routine that decrypts its payload only on systems with a real GPU. The technique has been given the codename GPUGate.
“A system without the proper GPU driver is likely a virtual machine (VM), sandbox, or older analysis environment commonly used by security researchers,” the cybersecurity company said. “The executable […] uses GPU functions to generate an encryption key to decrypt the payload, and checks the GPU device name to do this.”
In addition to padding itself with junk files to complicate analysis, it also terminates execution if the device name is shorter than 10 characters or if the GPU functions are unavailable.
The attack then involves running a Visual Basic Script that launches a PowerShell script. This runs with administrator privileges, adds Microsoft Defender exclusions, sets up scheduled tasks for persistence, and runs the executable extracted from the most recently downloaded ZIP archive.
The ultimate goal is to facilitate information theft and deliver secondary payloads while evading detection. Given the presence of Russian-language comments in the PowerShell scripts, the threat actors behind the campaign are assessed to have native Russian proficiency.
Further analysis of the threat actors’ domain reveals that it also serves as a staging ground for Atomic macOS Stealer (AMOS), suggesting a cross-platform approach.
“By leveraging GitHub’s commit structure and Google Ads, threat actors can convincingly mimic legitimate software repositories and redirect users to malicious payloads.”
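The PowerShell stage described above leaves host artifacts a defender can alert on: Defender exclusion changes and scheduled task creation close together on the same machine. Below is an added example, not the report's or the campaign's code, that tags constructed Windows event lines (PowerShell script block logging event 4104, Defender configuration-change event 5007, and Security event 4698 for task creation) and raises an alert when an exclusion change and a task creation occur on one host within a short window. The host names, paths, task names, timestamps and the flat pipe-separated log format are constructed for the example.

```python
"""Correlate Defender exclusion changes with scheduled task creation per host.
Added example; the log lines and their flat format are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp|host|channel|event_id|message.
# WS-DEV-07 shows the sequence from the article (exclusion, then a task pointing
# into the excluded folder); WS-OPS-02 shows benign admin activity.
SAMPLE_EVENTS = """\
2025-01-15T10:02:11|WS-DEV-07|Microsoft-Windows-PowerShell/Operational|4104|ScriptBlock: Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\Tools'
2025-01-15T10:02:12|WS-DEV-07|Microsoft-Windows-Windows Defender/Operational|5007|Configuration changed: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\Tools = 0x0
2025-01-15T10:02:40|WS-DEV-07|Microsoft-Windows-PowerShell/Operational|4104|ScriptBlock: schtasks /create /tn Updater /tr C:\\Users\\Public\\Tools\\run.exe /sc minute /mo 5
2025-01-15T10:02:41|WS-DEV-07|Security|4698|A scheduled task was created. Task Name: \\Updater
2025-01-15T11:30:00|WS-OPS-02|Microsoft-Windows-PowerShell/Operational|4104|ScriptBlock: Get-MpPreference
2025-01-15T14:15:00|WS-OPS-02|Security|4698|A scheduled task was created. Task Name: \\Backup
"""

# Each rule is (tag, pattern). Patterns cover both the PowerShell command text
# (event 4104) and the resulting OS-level event (5007 / 4698), so the detection
# survives if only one of the two log sources is collected.
RULES = [
    ("defender_exclusion",
     re.compile(r"Add-MpPreference\s+-Exclusion|Exclusions\\(Paths|Processes|Extensions)", re.I)),
    ("scheduled_task",
     re.compile(r"schtasks(\.exe)?\s+/create|Register-ScheduledTask|A scheduled task was created", re.I)),
]


def tag_events(raw: str):
    """Parse the flat log and return (timestamp, host, tag, event_id) for every rule hit."""
    tagged = []
    for line in raw.strip().splitlines():
        ts, host, _channel, event_id, msg = line.split("|", 4)
        for tag, rx in RULES:
            if rx.search(msg):
                tagged.append((datetime.fromisoformat(ts), host, tag, event_id))
    return tagged


def correlate(tagged, window: timedelta = timedelta(minutes=10)):
    """Return hosts where an exclusion change and a task creation fall within `window`.

    Either artifact alone is common admin activity; the pairing, in quick
    succession, is the behaviour the article attributes to the PowerShell stage."""
    by_host = defaultdict(list)
    for ts, host, tag, _eid in tagged:
        by_host[host].append((ts, tag))
    alerts = []
    for host, hits in by_host.items():
        exclusions = [t for t, tag in hits if tag == "defender_exclusion"]
        tasks = [t for t, tag in hits if tag == "scheduled_task"]
        if any(abs(a - b) <= window for a in exclusions for b in tasks):
            alerts.append(host)
    return sorted(alerts)


if __name__ == "__main__":
    hits = tag_events(SAMPLE_EVENTS)
    for ts, host, tag, eid in hits:
        print(f"{ts.isoformat()} {host} {eid} {tag}")
    print("alert hosts:", correlate(hits))
```

Tuning note: the window and the per-host grouping are the two knobs; a real deployment would also key on the user or process that issued the change, which the constructed format omits.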

The disclosure comes as Acronis has detailed the ongoing evolution of a trojanized ConnectWise ScreenConnect campaign that abuses the remote access software to drop AsyncRAT, PureHVNC RAT, and a custom PowerShell-based remote access Trojan (RAT) on infected hosts, in social engineering attacks that have targeted US organizations since March 2025.
The bespoke PowerShell RAT, launched by JavaScript files downloaded from a cracked ScreenConnect server, provides basic functionality such as running programs, downloading and executing files, and a simple persistence mechanism.

“Attackers now use the ClickOnce runner installer for ScreenConnect, which does not have a built-in configuration and instead retrieves the components at runtime,” the security vendor said. “This evolution has made traditional static detection methods less effective, complicating prevention and leaving defenders with fewer options to rely on.”