Microsoft has disclosed details of a large-scale malvertising campaign that’s estimated to have impacted over one million devices globally as part of what it said is an opportunistic attack designed to steal sensitive information.
The tech giant, which detected the activity in early December 2024, is tracking it under the broader umbrella Storm-0408, a moniker used for a set of threat actors that are known to distribute remote access or information-stealing malware via phishing, search engine optimization (SEO), or malvertising.
“The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms,” the Microsoft Threat Intelligence team said.
“The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.”
The most significant aspect of the campaign is the use of GitHub as a platform for delivering initial access payloads. In at least two other isolated instances, the payloads have been found hosted on Discord and Dropbox. The GitHub repositories have since been taken down. The company did not reveal how many such repositories were removed.
The Microsoft-owned code hosting service acts as a staging ground for dropper malware that’s responsible for deploying a series of additional programs like Lumma Stealer and Doenerium, which, in turn, are capable of collecting system information.
The attack also employs a sophisticated redirection chain comprising four to five layers, with the initial redirector embedded within an iframe element on illegal streaming websites serving pirated content.
The overall infection sequence is a multi-stage process that involves system discovery, information gathering, and the use of follow-on payloads such as NetSupport RAT and AutoIT scripts to facilitate more data theft. The remote access trojan also serves as a conduit for stealer malware.
- First-stage – Establish a foothold on target devices
- Second-stage – System reconnaissance, collection, and exfiltration, and payload delivery
- Third-stage – Command execution, payload delivery, defensive evasion, persistence, command-and-control communications, and data exfiltration
- Fourth-stage – PowerShell script to configure Microsoft Defender exclusions and run commands to download data from a remote server
Another characteristic of the attacks concerns the use of various PowerShell scripts to download NetSupport RAT, identify installed applications and security software, specifically scanning for the presence of cryptocurrency wallets, indicating potential financial data theft.
“Besides the information stealers, PowerShell, JavaScript, VBScript, and AutoIT scripts were run on the host,” Microsoft said. “The threat actors incorporated use of living-off-the-land binaries and scripts (LOLBAS) like PowerShell.exe, MSBuild.exe, and RegAsm.exe for C2 and data exfiltration of user data and browser credentials.”
The disclosure comes as Kaspersky revealed that bogus websites masquerading as the DeepSeek and Grok artificial intelligence (AI) chatbots are being used to trick users into installing a previously undocumented Python information stealer.
DeekSeek-themed decoy sites advertised by verified accounts on X (e.g., @ColeAddisonTech, @gaurdevang2, and @saduq5) have also been employed to execute a PowerShell script that uses SSH to grant attackers remote access to the computer.
“Cybercriminals use various schemes to lure victims to malicious resources,’ the Russian cybersecurity company said. “Typically, links to such sites are distributed through messengers and social networks. Attackers may also use typosquatting or purchase ad traffic to malicious sites through numerous affiliate programs.”
