Microsoft has revealed details of a large-scale malvertising campaign that is believed to have impacted over one million devices worldwide as part of an opportunistic attack aimed at stealing sensitive information.
The tech giant, which discovered the activity in early December 2024, is tracking it under the broader Storm-0408 umbrella, which refers to a group of attackers known for distributing remote access or information-stealing malware via phishing, search engine optimisation (SEO), or malvertising.
"The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms," the Microsoft Threat Intelligence team stated. "The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.”
The campaign relied on GitHub to deliver initial access payloads, but payloads were also detected on Discord and Dropbox. The GitHub repositories were removed, but the number of such repositories was not disclosed. The Microsoft-owned code hosting service serves as a staging ground for dropper malware, which deploys a series of ads.
The Microsoft-owned code hosting site serves as a staging ground for dropper malware, which is in charge of launching a number of further programs such as Lumma Stealer and Doenerium, which can then collect system information. The assault also uses a sophisticated redirection chain with four to five layers, with the first redirector embedded in an iframe element on unlawful streaming websites that serve pirated content.
The entire infection sequence consists of several stages, including system discovery, information collecting, and the employment of follow-on payloads like NetSupport RAT and AutoIT scripts to assist more data theft. The remote access trojan also acts as a gateway for stealer malware.
- First stage: Establish a footing on target devices.
- Second stage: system reconnaissance, collection, exfiltration, and payload delivery.
- Third stage: It involves command execution, payload delivery, defence evasion, persistence, command-and-control communications, and data exfiltration.
- Fourth stage: PowerShell script for configuring Microsoft Defender exclusions and running commands to download data from a remote server.
Another feature of the assaults is the use of numerous PowerShell scripts to download NetSupport RAT, identify installed apps and security software, and scan for the presence of cryptocurrency wallets, which indicates possible financial data theft.
"Besides the information stealers, PowerShell, JavaScript, VBScript, and AutoIT scripts were run on the host," Microsoft said. "The threat actors incorporated use of living-off-the-land binaries and scripts (LOLBAS) like PowerShell.exe, MSBuild.exe, and RegAsm.exe for C2 and data exfiltration of user data and browser credentials.”
The disclosure comes after Kaspersky reported that fake websites masquerading as DeepSeek and Grok artificial intelligence (AI) chatbots are being used to lure users into installing a previously unknown Python information stealer.
DeekSeek-themed decoy sites promoted by verified accounts on X (e.g., @ColeAddisonTech, @gaurdevang2, and @saduq5) have also been used to run a PowerShell script that leverages SSH to enable attackers remote access to the machine.
"Cybercriminals use various schemes to lure victims to malicious resources,' the Russian cybersecurity company noted. "Typically, links to such sites are distributed through messengers and social networks. Attackers may also use typosquatting or purchase ad traffic to malicious sites through numerous affiliate programs.”