## Malvertising Campaign Uses Google Ads to Distribute GPU-Gated Malware
Cybersecurity researchers have detailed a new, complex malware campaign that leverages paid ads on search engines like Google to deliver malware to unsuspecting users looking for popular tools like GitHub Desktop.
While malvertising campaigns have become commonplace in recent years, the latest activity adds a twist of its own: embedding a GitHub commit into a page URL containing altered links that point to attacker-controlled infrastructure.
“Even when a link seems to point to a reputable platform such as GitHub, the underlying URL can be manipulated to resolve to a counterfeit site,” Arctic Wolf said in a report published last week.
Exclusively targeting IT and software development companies within Western Europe since at least December 2024, the links within the rogue GitHub commit are designed to funnel users to a malicious download hosted on a lookalike domain (“gitpage[.]app”).
The first-stage malware delivered using poisoned search results is a bloated 128 MB Microsoft Software Installer (MSI) that, owing to its size, evades most existing online security sandboxes, while a Graphics Processing Unit (GPU)-gated decryption routine keeps the payload encrypted on systems without a real GPU. The technique has been codenamed GPUGate.
“Systems without proper GPU drivers are likely to be virtual machines (VMs), sandboxes, or older analysis environments that security researchers commonly use,” the cybersecurity company said. “the
## Trojanized ScreenConnect Campaign Evolves, Deploying Multiple RATs to US Organizations
A recent report from Acronis details the ongoing evolution of a malicious campaign leveraging the remote access software ConnectWise ScreenConnect to deliver multiple Remote Access Trojans (RATs) to organizations in the United States. The attacks, which began in March 2025, are characterized by sophisticated social engineering tactics and increasingly evasive techniques.
The campaign initially deployed the AsyncRAT and PureHVNC RATs. However, the attackers have now added a custom PowerShell-based RAT to their arsenal, further expanding their capabilities on compromised systems. This bespoke RAT allows attackers to execute programs, download and run files, and establish persistence on infected hosts. The PowerShell RAT is delivered via a JavaScript file downloaded from a compromised ScreenConnect server.
A key change in the attackers’ tactics involves the use of a ClickOnce runner installer for ScreenConnect. According to Acronis, this installer “lacks embedded configuration and instead fetches components at runtime.” This dynamic approach makes traditional static detection methods less effective, complicating efforts to prevent infection.
“This evolution makes traditional static detection methods less effective and complicates prevention, leaving defenders with few reliable options,” Acronis stated in a security advisory.
### Understanding the Threat
- **RAT (Remote Access Trojan):** A type of malware that grants unauthorized remote access to a computer system. Attackers can use RATs to steal data, monitor activity, and control infected devices.
- **ScreenConnect:** Legitimate remote support software developed by ConnectWise. Attackers are exploiting vulnerabilities in and compromising installations of this software to distribute malware.
- **PowerShell:** A powerful task automation and configuration management framework included with Windows. Attackers are leveraging PowerShell to create custom malware and execute malicious commands.
- **ClickOnce:** A Microsoft technology for deploying and updating applications over a network. The attackers’ use of a ClickOnce runner adds a layer of complexity to detection.
This evolving threat highlights the importance of robust security measures, including multi-factor authentication, regular software updates, and employee training on recognizing and reporting phishing attempts. Organizations using ScreenConnect should ensure they are running the latest version of the software and implementing strong security protocols to mitigate the risk of compromise.
