Rootkits or Keyloggers can hide on a Graphics Card and gain access to your computer

The Graphics card on your Windows PC could be the next attack destination for malware spreaders says a recent report published by a group of developers. Developers have said that graphics card is the new opening that can be easily exploited by attackers in the near future. Most antivirus software scan just the hard drives and memory locations for malware, however they do not have any checks for a Graphic Card’s processor unit (GPU).


Cybercriminals have a valid reason for moving their attention from the conventional central processing unit (CPU), owing to the enhanced functionality of the graphics card build these days. Most GPU’s are built to perform complex and intensive operations. An example could be of password cracking and Bitcoin mining. With so much dependence built on GPU, an attacker can take advantage of knotty encryption algorithms and serpentine polymorphic algorithms to disguise and strengthen the armor of their code via Graphics card.

Presenting a basis of their study, the anonymous developers released its Demon keylogger proof-of-concept code, demonstrating how GPU-based malware could capture all keystrokes and store them in the GPU memory. Following the keystrokes means, that malware could then go on to steal passwords, personal communications and login credentials without being detected by any antivirus or keylogger detector software.

The developers released an educational rootkit named as Jellyfish, which is virtually undetectable by current antivirus programs. Jellyfish is capable of running on NVidia, AMD, and Intel hardware and snoops on CPU host memory via direct memory access (DMA). This superior feature allows hardware components to read the main system memory without going through the CPU, making such operations harder to detect by conventional anti-virus programs. Moreover, the malicious GPU memory persists even after the system is shut down!

The researchers however warned against using Jellyfish rootkit, saying that the code is still in progress. Moreover, the rootkit code is intended to be used for educational purposes only, and developers of the code are not responsible if it is exploited illegally.

Seeing the present scenario, it would be safe to assume that a time will come when GPU based attacks become a reality. A study like this has certainly opened new avenues for attackers to look at.

Posted by with Tags
Ankit Gupta is a writer by profession and has more than 7 years of global writing experience on technology and other areas. He follows technological developments and likes to write about Windows & IT security. He has a deep liking for wild life and has written a book on Top Tiger Parks of India.


  1. andy dw

    SpyShelter was developed to stop such threats. I wonder if it would deal with it.

  2. Dan

    Another way to spy even in multiboot OS situations…the good news keeps pouring in. A few years ago, when Malwarebytes came out with a manual Anti-Rootkit Beta, when such “spies” on CPUs were a bit of a rage, that sanner included then-new ability to scan outside of OS partitions on HDD to see if a patch to the CPU existed anywhere at all on the disk as detection; wonder if something like that will evolve to find GPU bugs once “in”, or if virtualization/sandbox (or behavior blocking) could keep it out in first place?

  3. Lojix Net

    Unfortunately this type of advanced malware has been in the wild for quite some time now. Basically almost any PCI or other hardware connected directly to the mainboard which has NV RAM to store its own firmware is potentially vulnerable. This includes devices such as some optical drives, network adapters and of course graphics adapters.

    The naive people who want argue this is all paranoia need not reply… do some research.

  4. Jason Kaven

    It seems that the keylogger is inserted in ‘GTA V’ mods! So terrible! As far as I know, common keyloggers like Micro Keylogger for PC only can be installed physically on the target PC, or it is illegal.

Leave a Reply

Your email address will not be published. Required fields are marked *

8 + 5 =