By taking advantage of GitHub's fork system, attackers were able to make malicious installers appear to come from the official GitHub Desktop repository and distribute malware under the guise of trustworthy installers. This campaign, known as "GPUGate," uses a multi-stage chain to deliver HijackLoader.

Although GitHub has been aware of the threat since September 2025, it was first described in a Japanese report by GMO Cybersecurity by Ierae, Inc. Researcher Theo Webb revisited the sample and found that its use of OpenCL is an anti-analysis trick.

Important Lessons

- The campaign targeted Japan and the EU/EEA through malvertising for developer tools and peaked in September and October of 2025.
- "Repository squatting": attackers fork the official repository, make malicious changes, and promote them through advertisements that link to commit hashes under the official namespace.
- A multi-stage loader drops HijackLoader; victims on macOS receive the AMOS stealer instead.
- The loader calls the OpenCL GPU API to mislead static analysis of the decryption key, and sandboxes without GPU drivers crash.
- The report shares IOCs for defense; even after a fork is deleted, its commits remain reachable on GitHub.

Delivery: Repo Squatting

Attackers fork GitHub Desktop (github.com/desktop/desktop), modify the README so that it links to malicious installers, and commit. Because the commit is reachable under the official namespace via github.com/desktop/desktop/tree/, victims view it as if it were official, and anchors like #where-can-i-get-it scroll the page past GitHub's warning.

These links are promoted through Google Ads on "GitHub Desktop" searches. GitHub Docs highlights this visibility risk: commits remain in the repository network even after the fork is deleted. One installer GMO observed is GitHubDesktopSetup-x64.exe (SHA256: e252bb114f5c2793fc6900d49d3c302fc9298f36447bbf242a00c10887c36d71), padded to 127 MB to mimic the size of a legitimate installer.

Breakdown of the Infection Chain

Step 1: Single-File .NET Loader

The EXE bundles the .NET payload in an overlay (dump it via dnSpy after checking for the bundle marker).

It decrypts its blobs with an all-zero key, which is only revealed once the OpenCL path fails intentionally. OpenCL deception: the loader loads OpenCL.dll and compiles a kernel so that it appears to derive the key on the GPU; setting the kernel arguments fails (CL_INVALID_MEM_OBJECT), the kernel is skipped, and the key stays zero.

VMs without a GPU or OpenCL crash instead (e.g., clGetPlatformIDs errors), so a physical machine with a GPU was required for analysis. The trojanized GitHub Desktop loader then decrypts the next payload (SHA256: e5c01a6f3d85c469e16857d92d9f0a1b01d14b0f0dad7df94b1afa6dc1ff4490) with AES-128-CBC using a zero key and IV and retrieves further components from slepseetwork[.]online.
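Step 1 depends on recognizing the single-file .NET bundle marker before dumping the overlay, and the defensive advice later on this page recommends hunting for bundle markers. The following Python is an added example, not code from GMO's report or its YARA rule: it locates the marker (the documented SHA-256 of the string ".net core bundle", preceded by the int64 header offset) and reads the bundle header's version and embedded-file count. The input is a constructed stand-in for a bundled EXE, and the function names are assumptions of this example.

```python
import hashlib
import struct
import sys

# .NET single-file apphosts carry a 64-byte "bundle marker": an int64 header
# offset (little-endian) immediately followed by the 32-byte SHA-256 digest of
# the ASCII string ".net core bundle". Plain apphosts keep the offset at zero.
BUNDLE_SIGNATURE = hashlib.sha256(b".net core bundle").digest()
HEADER_FIXED_LEN = 12  # uint32 major, uint32 minor, int32 embedded-file count


def find_bundle_header(data: bytes):
    """Locate the bundle marker and parse the header it points at.

    Returns a dict on success, or None when no marker is present or the
    recorded header offset does not fit inside the file.
    """
    sig_pos = data.find(BUNDLE_SIGNATURE)
    if sig_pos < 8:  # not found (-1) or no room for the 8-byte offset before it
        return None
    (header_off,) = struct.unpack_from("<q", data, sig_pos - 8)
    if header_off <= 0 or header_off + HEADER_FIXED_LEN > len(data):
        return None
    major, minor, count = struct.unpack_from("<IIi", data, header_off)
    return {
        "marker_at": sig_pos - 8,
        "header_offset": header_off,
        "version": (major, minor),
        "embedded_files": count,
    }


def build_sample(size=4096, marker_at=512, header_offset=3000):
    """Constructed stand-in for a bundled EXE (not a real sample): zero filler
    with a marker at marker_at and a version 6.0 header listing three files."""
    buf = bytearray(size)
    buf[marker_at:marker_at + 8] = struct.pack("<q", header_offset)
    buf[marker_at + 8:marker_at + 40] = BUNDLE_SIGNATURE
    buf[header_offset:header_offset + HEADER_FIXED_LEN] = struct.pack("<IIi", 6, 0, 3)
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python bundle_marker.py <file.exe>; without an argument the
    # constructed sample is scanned instead.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    info = find_bundle_header(blob)
    print("no .NET single-file bundle marker found" if info is None else info)
```

A hit only says the file is a single-file .NET bundle, which many legitimate tools also are; pair it with the OpenCL strings and the WinSvcUpd task as the page recommends before treating it as malicious.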

Stage 2: PowerShell Stager

The PowerShell stager (e.g., SHA256: 8cd7d9ccea98ad6a3dfb4767e574349c9fd5678150c629661574ddd45e40cd37) downloads and executes VBS/PS1 scripts. It creates the logon task "WinSvcUpd," copies itself to %AppData%, adds Defender exclusions for %AppData%, %LocalAppData% and %ProgramData%, extracts archive.zip (fetched from, e.g., oqiwquwqey[.]xyz/zipep[.]php) to Temp/tmpXXXXX, and launches the EXEs inside.

Stages 3-5: DLL Sideloading and HijackLoader

archive.zip contains the legitimate Control-Binary32.exe and a malicious Qt5Network.dll that it sideloads.

The DLL decrypts shellcode from Prangshound.hzj (a simple add-key scheme) and uses it to stomp the .text section of vssapi.dll. The final stage, HijackLoader, checks for avgsvc.exe/avastsvc.exe (hashes 0x6CEA4537/0x5C7024B2) and delays execution if either is present. It decrypts its payload from Kraekgriesfid.xvs and delivers stealers such as LummaC2.

IOCs Table

| Category | IOC | Notes |
|---|---|---|
| Malicious commits (SHA-1) | 3b3e14cec9f2c7f9567bb1a50ece12d4eb337305 | Viewable under the official repository |
| Installer URLs | hxxps://git-desktop[.]app/git | Malvertising landing page |
| Installers (SHA256) | e252bb114f5c2793fc6900d49d3c302fc9298f36447bbf242a00c10887c36d71 | GitHubDesktopSetup-x64.exe |
| PS stager (SHA256) | 8cd7d9ccea98ad6a3dfb4767e574349c9fd5678150c629661574ddd45e40cd37 | Creates the WinSvcUpd task |
| HijackLoader files (SHA256) | 719a726d54161a1a95cf69f3001b74fe15661b83d995b89bcca5ecc8e792e2eb | Qt5Network.dll, DLL hijack |

YARA Snippet

The rule identifies the .NET bundle marker together with OpenCL strings (complete rule in the GMO report).

Download only from GitHub Releases.

Look for OpenCL errors, bundle markers, and "WinSvcUpd" scheduled tasks. Block the listed domains and commits. GitHub should restrict the visibility of fork commits under the upstream namespace. This supply-chain abuse highlights repository risks for developers.

Stay vigilant; threat actors adapt fast.