
Microsoft has disclosed details of a large-scale malvertising campaign estimated to have affected more than one million devices worldwide. The company describes it as an opportunistic attack designed to steal sensitive information from its victims.
Microsoft first detected the activity in early December 2024 and tracks it under the umbrella name Storm-0408, a designation it uses for a set of threat actors known to distribute remote access or information-stealing malware via phishing, search engine optimization (SEO) poisoning, or malvertising.
According to the Microsoft Threat Intelligence team, the attack chain began on illegal streaming websites that had been embedded with malvertising redirectors. These redirectors sent users to an intermediary website, which in turn redirected them to GitHub, where the first-stage payloads were hosted; in a small number of cases the payloads were hosted on two other platforms instead.
“The attack impacted a wide variety of organizations and industries, affecting both consumer and enterprise devices, underscoring the indiscriminate nature of the attack,” the team added.
One of the key features of the attack is the use of GitHub as the delivery platform for the initial malware payloads. In a few cases, payloads were instead hosted on Discord and Dropbox. Microsoft has taken down the GitHub repositories used in the campaign but has not disclosed how many repositories were removed.
GitHub, the Microsoft-owned code hosting service, was used as a staging ground for dropper malware, which in turn installed additional payloads such as Lumma Stealer and Doenerium. These information stealers harvest system information and other sensitive data from the infected host.
The attack also relied on a layered redirection chain of four to five hops. The first redirect was triggered by an iframe element embedded in the pirated-content streaming sites.
The infection process is multi-stage, involving system discovery, information gathering, and the delivery of follow-up payloads such as NetSupport RAT and AutoIt scripts that enable further data theft. The remote access trojan (RAT) is also used to deliver the stealer malware.
Here’s an outline of the attack’s stages:
First-stage: The attackers establish a foothold on the target device.
Second-stage: The attackers carry out system reconnaissance, collect and exfiltrate data, and deliver additional payloads.
Third-stage: Command execution is initiated, along with payload delivery, defensive evasion, persistence mechanisms, command-and-control communications, and further data exfiltration.
Fourth-stage: A PowerShell script is used to configure exclusions for Microsoft Defender and to download data from a remote server.

Another notable aspect of the attack is the use of PowerShell scripts to download the NetSupport RAT and to enumerate installed applications and security software. This enumeration included checks for the presence of cryptocurrency wallets, which suggests that financial data was among the targets.
Alongside the information-stealing malware, PowerShell, JavaScript, VBScript, and AutoIt scripts were executed on infected systems, according to Microsoft. "The attackers also made use of living-off-the-land binaries and scripts (LOLBAS), such as PowerShell.exe, MSBuild.exe, and RegAsm.exe, for command-and-control (C2) communication and data exfiltration of user data and browser credentials."
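Two of the behaviours described above are directly detectable from endpoint telemetry: the fourth-stage PowerShell command that adds Microsoft Defender exclusions, and signed build/registration utilities such as MSBuild.exe and RegAsm.exe making outbound network connections. The following is an added example (not code from Microsoft's report or from the campaign) that runs both detections over constructed Sysmon-style process-creation and network-connection records. The event layout, the benign-parent allowlist and the sample events are assumptions for illustration; the regular expression targets the real Add-MpPreference / Set-MpPreference cmdlets and their -ExclusionPath, -ExclusionProcess and -ExclusionExtension parameters.

```python
"""Detect Defender exclusion changes and LOLBAS network activity in
Sysmon-style events (EventID 1 = process creation, EventID 3 = network
connection). Added example; field names mimic Sysmon but are assumed."""

import ntpath
import re

# Signed Windows binaries the report names as LOLBAS used for C2 and exfiltration.
LOLBAS_NETWORK = {"msbuild.exe", "regasm.exe"}

# Parents under which MSBuild/RegAsm legitimately build and reach the network.
# Assumption for this example; tune to what is normal in your environment.
BENIGN_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}

# A PowerShell command line that adds a Defender exclusion (stage four of the
# chain). Captures the excluded path/process/extension for the finding.
EXCLUSION_RE = re.compile(
    r'\b(?:add|set)-mppreference\b[^"]*?-exclusion(?:path|process|extension)\s+([^\s"]+)',
    re.IGNORECASE,
)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"

# Constructed sample telemetry (not taken from the report). Contains one
# exclusion change, two suspicious LOLBAS connections and one benign build.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": PS,
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "CommandLine": 'powershell.exe -w hidden -c "Add-MpPreference -ExclusionPath C:\\Users\\alice\\AppData\\Local\\Temp"'},
    {"EventID": 1, "ProcessId": 4200, "Image": NET + r"\MSBuild.exe", "ParentImage": PS,
     "CommandLine": r"MSBuild.exe C:\Users\alice\AppData\Roaming\proj.xml"},
    {"EventID": 3, "ProcessId": 4200, "Image": NET + r"\MSBuild.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessId": 4300, "Image": NET + r"\RegAsm.exe", "ParentImage": PS,
     "CommandLine": r"RegAsm.exe C:\Users\alice\AppData\Roaming\lib.dll"},
    {"EventID": 3, "ProcessId": 4300, "Image": NET + r"\RegAsm.exe",
     "DestinationIp": "203.0.113.11", "DestinationPort": 443},
    # Benign: a developer build launched by Visual Studio restoring packages.
    {"EventID": 1, "ProcessId": 5000, "Image": NET + r"\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj"},
    {"EventID": 3, "ProcessId": 5000, "Image": NET + r"\MSBuild.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]


def _base(path):
    """Lower-cased file name of a Windows path ('' when the path is missing)."""
    return ntpath.basename(path or "").lower()


def detect(events):
    """Return a list of findings. Network events are correlated with the
    creation event of the same ProcessId so the parent process can be used
    to suppress legitimate build activity."""
    created = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] == 1:
            m = EXCLUSION_RE.search(e.get("CommandLine", ""))
            if m:
                findings.append({
                    "rule": "defender_exclusion_added",
                    "pid": e["ProcessId"],
                    "detail": f"{_base(e['Image'])} (parent {_base(e.get('ParentImage'))}) "
                              f"excluded {m.group(1)}",
                })
        elif e["EventID"] == 3 and _base(e["Image"]) in LOLBAS_NETWORK:
            # No creation event seen -> parent unknown -> treat as suspicious.
            parent = _base(created.get(e["ProcessId"], {}).get("ParentImage"))
            if parent not in BENIGN_PARENTS:
                findings.append({
                    "rule": "lolbas_network",
                    "pid": e["ProcessId"],
                    "detail": f"{_base(e['Image'])} (parent {parent or 'unknown'}) connected to "
                              f"{e['DestinationIp']}:{e['DestinationPort']}",
                })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} {f['detail']}")
```

Running the script reports the exclusion added by the PowerShell process spawned from the user's Temp directory and the two LOLBAS connections whose parent is PowerShell, while the MSBuild instance started by devenv.exe is not flagged. Real deployments should also check that the exclusion command ran from an unexpected parent and should cross-reference with Defender's own operational log, which records configuration changes independently of script logging.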
Separately, Kaspersky has reported that fake websites impersonating the DeepSeek and Grok AI chatbots are being used to trick users into downloading a previously undocumented Python information stealer.
The DeepSeek-themed decoy sites, which have been promoted by verified accounts on X (such as @ColeAddisonTech, @gaurdevang2, and @saduq5), run a PowerShell script that gives attackers remote access to infected devices over SSH.
“Cybercriminals employ various techniques to lure victims to malicious websites,” Kaspersky stated. “Often, links to these sites are shared via messaging platforms and social networks. Additionally, attackers might use typosquatting or purchase ad traffic through multiple affiliate programs to direct victims to malicious sites.”
Taken together, these campaigns show how malvertising and fake-site lures continue to mature, and why users should be cautious when following advertisements or interacting with unfamiliar online resources.