Threat actors have successfully exploited a design flaw in GitHub's fork structure to distribute malware disguised as the legitimate GitHub Desktop installer.
The attack chain begins with a deceptively simple but effective technique. Attackers create throwaway GitHub accounts and fork the official GitHub Desktop repository.
They then modify the download link in the README file to point to their malicious installer and commit the change.
Crucially, the commit hash becomes viewable under the official repository's namespace, appearing as github.com/desktop/desktop/tree/ followed by the attacker's commit hash.
The attack, which research firm GMO Cybersecurity has been actively tracking since September 2025, leverages a technique known as "repo squatting" to make malicious commits appear under official repository namespaces, deceiving users into downloading trojanized software.
This behavior, while intentional and documented in GitHub's security documentation, creates a significant vulnerability.
Even if the attacker deletes their fork or account, the commit hash persists within the repository network, making cleanup extremely difficult.
GitHub's design allows attackers to squat in official repository namespaces and insert malicious content.
To amplify the campaign's reach, threat actors leveraged sponsored advertisements promoting "GitHub Desktop" on search engines.
The ads linked directly to the malicious commits using README anchors to bypass GitHub's security warnings, targeting developers actively searching for the legitimate application.
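One way a defender can vet such a link, as an added example that is not code from the article or from GMO Cybersecurity: parse the github.com/<owner>/<repo>/tree/<ref> URL, flag a bare commit hash standing in for a release tag, and ask GitHub's compare API whether the default branch actually contains that commit. The compare endpoint and its status values are real; the default branch name and the sample URLs are assumptions.

```python
"""Vet a github.com/<owner>/<repo>/tree/<ref> link: is the commit really in the
upstream history, or only addressable there because it lives in a fork?
Added example, not code from the article or from GMO Cybersecurity."""
import json
import re
import urllib.request
from typing import Optional

# github.com/<owner>/<repo>/(tree|commit)/<ref>, optional path and #anchor after it
_GH_REF = re.compile(
    r"^https?://github\.com/(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)/"
    r"(?:tree|commit)/(?P<ref>[^/#?]+)"
)
_FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def parse_github_ref(url: str) -> Optional[dict]:
    """Return owner, repo, ref, README-style #anchor, and whether the ref is a
    bare 40-hex commit hash instead of a branch or release tag."""
    m = _GH_REF.match(url)
    if not m:
        return None
    info = m.groupdict()
    info["bare_sha"] = bool(_FULL_SHA.match(info["ref"]))
    info["anchor"] = url.partition("#")[2] or None
    return info


def classify_compare_status(status: str) -> bool:
    """Interpret the compare status for base=<sha>, head=<default branch>:
    'ahead'/'identical' -> the branch contains the commit;
    'behind'/'diverged' -> it does not (typical for a commit made in a fork)."""
    if status in ("ahead", "identical"):
        return True
    if status in ("behind", "diverged"):
        return False
    raise ValueError(f"unexpected compare status: {status!r}")


def commit_in_upstream(owner: str, repo: str, sha: str,
                       branch: str = "main", token: Optional[str] = None) -> bool:
    """Network call: GET /repos/{owner}/{repo}/compare/{sha}...{branch}.
    The default branch name 'main' is an assumption; pass the real one."""
    headers = {"Accept": "application/vnd.github+json"}
    if token:  # optional; avoids the low unauthenticated rate limit
        headers["Authorization"] = f"Bearer {token}"
    url = f"https://api.github.com/repos/{owner}/{repo}/compare/{sha}...{branch}"
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers),
                                timeout=20) as resp:
        return classify_compare_status(json.load(resp)["status"])
```

A link whose ref is a bare commit hash and whose compare status comes back "behind" or "diverged" is exactly the repo-squatting pattern described above: the commit renders under the upstream namespace but is not part of its history.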
Multi-Stage Loader Delivering HijackLoader
The malicious installer, GitHubDesktopSetup-x64.exe (SHA256: e252bb114f5c…), is a 127.68 MB single-file .NET application that functions as a sophisticated multi-stage loader.
Analysis reveals related samples dating back to May 2025, masquerading under other popular application names, including Chrome, Notion, 1Password, and Bitwarden.
The loader employs several evasion techniques. Most notably, it abuses OpenCL (Open Computing Language), a GPU-based API, to hinder dynamic analysis in sandboxes and virtual machines lacking GPU drivers.
The malware implements deliberate code misdirection that complicates static recovery of decryption keys, forcing security researchers onto physical machines with GPUs to complete analysis.
Interestingly, GMO Cybersecurity discovered that the OpenCL implementation contains intentional bugs: arguments are passed by value rather than by reference, causing kernel execution to fail.
The 8-byte bundle header offset is set to 0x7FAB159, which confirms it is a single-file application. This bundle header offset and signature can be combined with other identifiers to hunt for related samples with YARA.

This clever technique generates an all-zero decryption key that derails both dynamic and static analysis approaches, representing an innovative defense mechanism against reverse engineering.
Payload Delivery and Persistence
Once executed, the malware downloads encrypted archives containing legitimate signed binaries (Management-Binary32.exe, Qt5Network.dll, Qt5Core.dll) and malicious payloads.
First, clGetPlatformIDs and clGetDeviceIDs do not return device strings such as GeForce RTX 4090.

The infection leverages DLL sideloading and module stomping techniques, injecting shellcode into vssapi.dll to execute HijackLoader, a known loader previously observed deploying the LummaC2 stealer and other commodity malware.
Persistence is established via a scheduled task named "WinSvcUpd" that executes every time a user logs on.
The PowerShell stager adds Microsoft Defender exclusions for the AppData, LocalAppData, and ProgramData directories, allowing subsequent payloads to execute undetected.
The campaign was most active between September and October 2025, though GitHub confirmed awareness of the vulnerability on September 9, 2025.
As of December 29, 2025, the technique remained reproducible. While focused on European users via malvertising, infections also occurred in Japan and other regions.
GMO Cybersecurity recommends downloading installers exclusively from official Releases pages and exercising extreme caution with sponsored search advertisements.
The campaign underscores how developer-targeting attacks leverage trusted platforms to distribute sophisticated malware, highlighting the critical importance of supply chain security in modern threat landscapes.