Once activated, the malware launches PowerShell with command-line parameters that bypass the PowerShell execution policy and hide the console window from the user. Persistence is achieved through a scheduled task configured to run with highest privileges, which lets the payload survive reboots and execute regardless of which user is logged on.
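As a practitioner's check, the script below is an added example (not code from the Arctic Wolf write-up, and not a GPUGate artifact) that triages an exported Task Scheduler definition for the three traits this paragraph describes: highest-privilege run level, a PowerShell action, and flags that bypass the execution policy and hide the window. The article does not name the parameters; the example assumes the standard ones that produce that behaviour, `-ExecutionPolicy Bypass` and `-WindowStyle Hidden`, including their accepted abbreviations. The task names, paths and XML samples are constructed for illustration.

```python
"""Triage an exported Task Scheduler definition for the persistence traits
described above. The XML layout is the one Task Scheduler itself emits via
Export-ScheduledTask or `schtasks /query /tn <name> /xml`; the sample tasks
below are constructed and are not artifacts from the campaign."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# powershell.exe accepts unambiguous prefixes of parameter names and either
# '-' or '/' as the switch character, so match the common spellings.
EXEC_POLICY_BYPASS = re.compile(
    r"(?:^|\s)[-/](?:executionpolicy|exec|ex|ep)\s+(?:bypass|unrestricted)\b", re.I)
HIDDEN_WINDOW = re.compile(r"(?:^|\s)[-/](?:windowstyle|w)\s+hidden\b", re.I)
# Not described above; flagged as an extra indicator that often rides along.
ENCODED_COMMAND = re.compile(
    r"(?:^|\s)[-/](?:encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{20,}", re.I)

POWERSHELL_BINARIES = {"powershell.exe", "powershell", "pwsh.exe", "pwsh"}


def triage_task_xml(task_xml) -> list[str]:
    """Return the suspicious traits found in one task definition.
    Pass bytes for files read from disk so the XML declaration's encoding
    (Task Scheduler exports UTF-16) is honoured by the parser."""
    root = ET.fromstring(task_xml)
    findings = []

    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel",
                              default="", namespaces=TASK_NS)
    if run_level == "HighestAvailable":
        findings.append("runs with highest available privileges")

    for exec_action in root.findall("t:Actions/t:Exec", TASK_NS):
        command = exec_action.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_action.findtext("t:Arguments", default="", namespaces=TASK_NS)
        # Reduce a possibly quoted full path to the executable's file name.
        binary = command.strip().strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
        if binary not in POWERSHELL_BINARIES:
            continue
        findings.append(f"launches {binary}")
        if EXEC_POLICY_BYPASS.search(args):
            findings.append("execution policy bypassed")
        if HIDDEN_WINDOW.search(args):
            findings.append("console window hidden")
        if ENCODED_COMMAND.search(args):
            findings.append("inline encoded command")
    return findings


def matches_described_pattern(findings: list[str]) -> bool:
    """True only when all three traits from the write-up occur together."""
    required = {"runs with highest available privileges",
                "execution policy bypassed", "console window hidden"}
    return required.issubset(findings)


# Constructed sample: a task exhibiting the traits described above.
SUSPICIOUS_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Updater</URI></RegistrationInfo>
  <Triggers>
    <BootTrigger><Enabled>true</Enabled></BootTrigger>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Public\update.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: an ordinary administrative script task for comparison.
BENIGN_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -File C:\Scripts\nightly-backup.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        found = triage_task_xml(xml_text)
        print(f"{label}: {found} -> matches pattern: {matches_described_pattern(found)}")
```

Run it over every task exported from a host of interest; a hit on all three traits together is far more specific than any one of them, since legitimate admin scripts routinely use `-ExecutionPolicy Bypass` alone, and the `HighestAvailable` run level is common on maintenance tasks. A match warrants pulling the referenced script and checking the task's author, creation time and trigger set.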
The campaign also targets macOS devices, distributing AMOS Stealer (also known as Atomic Stealer) through an installer tailored to the victim's hardware, with separate builds for x64 and ARM (Apple silicon) machines. This info-stealer, sold as malware-as-a-service on underground forums, can exfiltrate a wide range of sensitive data, including keychain passwords, VPN profiles, browser credentials, instant messaging data, documents, and cryptocurrency wallets.
Researchers noted that the inclusion of cross-platform attacks demonstrates the operator’s aim for comprehensive, persistent access across diverse enterprise environments. “The malvertising and geofencing used are customized to specifically target EU countries,” they added. “The industries we observed directly targeted included workers in the Information Technologies sector.” For protection, Arctic Wolf recommends combining runtime inspection with sandboxing as well as boosting user awareness, as GPUGate’s advanced evasion and convincing mimicry make static defenses insufficient.