GPUGate: Malware campaign exploits GitHub and Google Ads with GPU-based decryption to target Western Europe

Intel Name: GPUGate: Malware campaign exploits GitHub and Google Ads with GPU-based decryption to target Western Europe

Date of Scan: September 10, 2025

Impact: High

Summary:
On 19 August 2025, a sophisticated malware delivery campaign was uncovered that abused GitHub repositories and Google Ads. Threat actors used paid ad placements to redirect users to a lookalike domain hosting a malicious download. Because the links embedded commit-specific GitHub URLs, the download appeared legitimate and did not arouse user suspicion. The malware was delivered via a 128 MB MSI file, designed to evade sandbox detection, and featured a novel GPU-gated decryption routine that only activates the payload on systems with a real Graphics Processing Unit (GPU). This unique technique, dubbed “GPUGate,” was primarily used to target users in Western Europe.
