Microsoft has disclosed information of a large-scale malvertising plan that’s estimated to have impacted over one million products globally as part of what it said is an unscrupulous strike designed to steal sensitive information.
The tech giant, which detected the activity in early December 2024, is tracking it under the broader umbrella Storm-0408, a moniker used for a set of threat actors that are known to distribute remote access or information-stealing malware via phishing, search engine optimization ( SEO ), or malvertising.
” The attack originated from improper streaming platforms embedded with malvertising redirectors, leading to an intermediary website where the person was then redirected to GitHub and two other programs”, the Microsoft Threat Intelligence group .
” The battle impacted a wide range of organizations and industries, including both customer and business products, highlighting the indiscriminate nature of the attack”.
The most significant aspect of the plan is the use of GitHub as a platform for delivering primary entry loads. In at least two different isolated cases, the cargo have been found held on Discord and Dropbox. The GitHub libraries have since been taken down. The business did not reveal how many such libraries were removed.
The Microsoft-owned code hosting company acts as a staging ground for drop malware that’s responsible for deploying a series of further programs like Lumma Stealer and Doenerium, which, in turn, are capable of collecting program information.
The attack also employs a sophisticated redirection chain comprising four to five layers, with the initial redirector embedded within an iframe element on illegal streaming websites serving pirated content.
The overall infection sequence is a multi-stage process that involves system discovery, information gathering, and the use of follow-on payloads such as NetSupport RAT and AutoIT scripts to facilitate more data theft. The remote access trojan also serves as a conduit for stealer malware.
- First-stage- Establish a foothold on target devices
- Second-stage- System reconnaissance, collection, and exfiltration, and payload delivery
- Third-stage- Command execution, payload delivery, defensive evasion, persistence, command-and-control communications, and data exfiltration
- Fourth-stage- PowerShell script to configure Microsoft Defender exclusions and run commands to download data from a remote server
Another characteristic of the attacks concerns the use of various PowerShell scripts to download NetSupport RAT, identify installed applications and security software, specifically scanning for the presence of cryptocurrency wallets, indicating potential financial data theft.
” Besides the information stealers, Power Shell, JavaScript, VBScript, and AutoIT scripts were run on the host”, Microsoft said. ” The threat actors incorporated use of living-off-the-land binaries and scripts ( LOLBAS ) like Power Shell. exe, MSBuild. exe, and RegAsm. exe for C2 and data exfiltration of user data and browser credentials”.
The disclosure comes as Kaspersky revealed that bogus websites masquerading as the DeepSeek and Grok artificial intelligence ( AI ) chatbots are being used to trick users into installing a previously undocumented Python information stealer.
DeekSeek-themed decoy sites advertised by verified accounts on X ( e. g., @ColeAddisonTech, @gaurdevang2, and @saduq5 ) have also been employed to execute a PowerShell script that uses SSH to grant attackers remote access to the computer.
“Cybercriminals use various schemes to lure victims to malicious resources,’ the Russian cybersecurity company “. Typically, links to such sites are distributed through messengers and social networks. Attackers may also use typosquatting or purchase ad traffic to malicious sites through numerous affiliate programs.”