Microsoft Warns of Massive Malvertising Attack Infecting Over 1 Million Devices


Microsoft has uncovered a large-scale malvertising campaign that has infected over one million devices worldwide, exposing users to remote access trojans (RATs) and information-stealing malware. The attack, attributed to the Storm-0408 threat actor group, is being described as an opportunistic cyber assault aimed at stealing sensitive user data.


Detected in early December 2024, the campaign leverages phishing, SEO poisoning, and malicious advertisements to distribute malware.


How the Attack Works: Malvertising via Illegal Streaming Sites

According to Microsoft Threat Intelligence, the attack starts on illegal streaming websites that host malvertising redirectors. These redirect users to intermediary websites, which then lead to GitHub, Discord, and Dropbox—where the initial malware payloads are hosted.


Microsoft confirmed that GitHub repositories used in the attack have since been taken down, but the exact number of affected repositories remains unknown.


Why GitHub? A New Tactic for Malware Delivery

One of the most concerning aspects of this campaign is its use of GitHub to stage malware payloads. The attack chain involves multiple redirection layers—often four to five steps—before reaching the final payload.
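One defensive check the redirect chain described above suggests, written here as an added example that is not from Microsoft's report or this article: a short Python script that scans proxy log lines for a client bounced through four or more consecutive 3xx redirects before landing on one of the file-hosting services named as staging points. The simplified log format, the hop threshold and the host list are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log, simplified format: <time> <client_ip> <status> <url>.
# Client 10.0.0.5 passes four redirectors before a file-hosting URL (PLACEHOLDER
# stands in for any repository); client 10.0.0.7 sees one ordinary redirect.
SAMPLE_LOG = """\
2024-12-03T10:01:00Z 10.0.0.5 200 https://streaming-site.example/watch/123
2024-12-03T10:01:02Z 10.0.0.5 302 https://ad-redirector.example/click?id=9
2024-12-03T10:01:02Z 10.0.0.5 302 https://hop-one.example/go
2024-12-03T10:01:03Z 10.0.0.5 302 https://hop-two.example/r
2024-12-03T10:01:03Z 10.0.0.5 302 https://hop-three.example/landing
2024-12-03T10:01:04Z 10.0.0.5 200 https://github.com/PLACEHOLDER/PLACEHOLDER/releases/download/v1/Setup.zip
2024-12-03T10:05:00Z 10.0.0.7 301 https://www.example.com/
2024-12-03T10:05:00Z 10.0.0.7 200 https://example.com/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+)$")
# Assumed list: the legitimate services the article names as payload hosts.
STAGING_HOSTS = ("github.com", "githubusercontent.com", "discordapp.com",
                 "discord.com", "dropbox.com", "dropboxusercontent.com")
MIN_HOPS = 4  # the article cites four to five redirection layers


def is_staging_host(url):
    """True if the URL's host is, or is a subdomain of, an assumed staging service."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in STAGING_HOSTS)


def find_redirect_chains(log_text, min_hops=MIN_HOPS):
    """Return [(client_ip, [redirect urls..., final url])] for every run of at
    least min_hops consecutive 3xx responses that ends on a staging host."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, ip, status, url = m.groups()
            per_client[ip].append((int(status), url))
    findings = []
    for ip, records in per_client.items():
        chain = []  # consecutive redirect URLs seen for this client
        for status, url in records:
            if 300 <= status < 400:
                chain.append(url)
                continue
            if len(chain) >= min_hops and is_staging_host(url):
                findings.append((ip, chain + [url]))
            chain = []  # any non-redirect response closes the run
    return findings
```

Real proxy logs carry more fields (referrer, user agent, bytes), and correlating the referrer with the first hop tightens the check; the threshold is a starting point for tuning, not a verdict.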


Once installed, the malware executes a multi-stage attack, involving:

✅ First Stage: Establishes persistence on the infected device.
✅ Second Stage: Conducts system reconnaissance and gathers sensitive data.
✅ Third Stage: Deploys additional malware, such as NetSupport RAT and AutoIt scripts, for further exploitation.
✅ Fourth Stage: Uses PowerShell scripts to bypass Microsoft Defender, download more malware, and exfiltrate stolen data.



Malware Used: Lumma Stealer, Doenerium & Advanced Tactics

The main payloads deployed in this campaign include:

  • Lumma Stealer & Doenerium – Two info-stealers capable of exfiltrating system data and browser credentials.
  • NetSupport RAT – A remote access trojan (RAT) that grants attackers full control over infected machines.
  • Living-off-the-Land Binaries and Scripts (LOLBAS) – Attackers abuse legitimate Windows tools such as PowerShell.exe, MSBuild.exe, and RegAsm.exe for stealthy execution and persistence.

Additionally, PowerShell scripts are used to scan for cryptocurrency wallets, indicating financial data theft as a primary objective.


A Growing Trend: AI-Themed Cyber Scams

Microsoft’s disclosure follows Kaspersky’s warning about malicious AI chatbot scams, where fake websites pretending to be DeepSeek and Grok AI install a previously unknown Python-based information stealer.


Fraudsters are using verified X (Twitter) accounts (such as @ColeAddisonTech, @gaurdevang2, and @saduq5) to promote these fake AI tools. Clicking these ads leads users to download malware that executes PowerShell scripts and grants attackers remote access via SSH.


How to Stay Safe from Malvertising Attacks

🔹 Avoid illegal streaming sites – These platforms are frequently used to spread malware.
🔹 Do not download software from unverified sources – Stick to official sites and app stores.
🔹 Use an updated security solution – Ensure Microsoft Defender or third-party antivirus software is active and updated.
🔹 Be cautious of AI-related scams – Always verify AI tools before downloading.
🔹 Enable browser security features – Block pop-ups and malicious scripts that enable redirection attacks.


Final Thoughts

With malvertising attacks on the rise, users must remain vigilant against cybercriminals exploiting GitHub, Discord, and AI-themed scams. Microsoft and security researchers continue to monitor these emerging threats, but proactive cybersecurity measures are crucial for protection.


Stay Updated on Cybersecurity Threats

Follow easy4hub for the latest updates on cybersecurity, malware, and digital threats.