2026-04-16, Amphitheater
In early September 2025, we observed a new malware campaign in which attackers hijacked the official GitHub Desktop repository to distribute a multi-stage loader disguised as the GitHub Desktop installer. This loader, dubbed GPUGate, ultimately delivers HijackLoader and cleverly uses a GPU-based API called OpenCL to evade sandbox and VM-based analysis, and to obscure the decryption key from analysts. In our case, this forced us onto a physical machine with a GPU, where I could debug the loader, understand its functionality, and recover the correct decryption key.
In this talk, I will provide a detailed explanation of how OpenCL works, and how it can be abused to evade sandbox analysis and hinder static decryption, using techniques observed in this campaign. You will learn how to spot and work around these techniques and gain a deeper understanding of OpenCL-based malware.
I will also discuss our research into the initial delivery technique (which I dubbed repo squatting). This is enabled by GitHub’s fork-network commit visibility, which allows attackers to “squat” under an official repository’s namespace via commit hashes. I will show how similar platforms are affected, and share the new methods the attackers are using to expand their victim count in 2026.
I am a Security Engineer at GMO Cybersecurity by Ierae, Inc. in Japan, specializing in malware analysis and research, as well as software development for our security products.
I joined GMO Ierae in February 2025. Prior to that, I founded and built a tech startup, graduated from university in Japan, and started self-studying infosec in 2023. I am particularly interested in reverse engineering, system internals, and low-level programming. I gave a lightning talk at JSAC 2026, and I occasionally share C-related projects on my GitHub.
I am a Senior Security Engineer at GMO Cybersecurity by IERAE, Inc. in Japan.
I focus on developing our SIEM and providing security training.