
Massive Malvertising Campaign Delivers Info-Stealer Malware via GitHub

Cybercriminals continue to evolve their tactics, leveraging legitimate platforms to distribute malicious payloads. Microsoft Threat Intelligence has uncovered a large-scale malvertising campaign that infected nearly one million devices globally through deceptive ads embedded in illegal streaming websites. These ads redirected users through a multi-stage attack chain, ultimately leading to malicious repositories hosted on GitHub, Discord, and Dropbox.

The goal? Stealing sensitive information, including system details, credentials, and financial data, using advanced info stealers like Lumma Stealer and Doenerium. The Storm-0408 threat group, known for its use of SEO poisoning, phishing, and malvertising, orchestrated this attack, leveraging multiple layers of evasion techniques.


How the Attack Works: Multi-Stage Malvertising Chain

Stage 1: Malvertising Redirects Users to GitHub

Microsoft researchers identified that the attack originated from illegal streaming websites where pirated content was hosted. These sites contained malvertising scripts hidden within iframes inside movie frames. Once a user clicked on the video player, they were redirected through a series of malicious domains before ultimately landing on a GitHub page.

🚨 Key Redirection Steps:
1️⃣ User visits a pirated streaming website
2️⃣ Malvertising script triggers within an iframe
3️⃣ Traffic is routed through multiple redirectors
4️⃣ Victim lands on a malicious GitHub repository hosting malware

Microsoft found that the full redirection chain consisted of four to five layers, making detection and blocking more challenging.


Stage 2: Initial Payload Execution & System Discovery

Once on GitHub, victims were tricked into downloading trojanized applications or fake installers. The first-stage payload, signed with a newly created digital certificate (now revoked), served as a dropper for the next stages.

🚀 First-Stage Malware Actions:
✔️ Downloads and executes second-stage payloads
✔️ Conducts system reconnaissance (OS version, memory, GPU, and more)
✔️ Sends collected data via Base64-encoded HTTP requests

Stage 3: Payload Deployment & Persistence

Depending on the second-stage payload, victims were infected with:

🔹 Lumma Stealer – Steals browser credentials and sensitive files
🔹 Doenerium – Modular stealer with remote execution capabilities
🔹 NetSupport RAT – Remote monitoring & control software for persistence

Threat actors used “living-off-the-land binaries and scripts” (LOLBAS) to evade detection:

  • PowerShell.exe – Used for remote script execution
  • MSBuild.exe – Side-loading malicious payloads
  • RegAsm.exe – Modifying registry for persistence

💡 Key Persistence Methods:

  • Registry Run Keys – Modifies Windows startup settings
  • Windows Startup Folder – Drops shortcut files to re-execute malware
  • Scheduled Tasks – Ensures execution at system boot

Stage 4: Exfiltration & Command-and-Control (C2)

Once persistence was established, the malware exfiltrated stolen credentials, browser data, and system details to attacker-controlled servers. Microsoft identified multiple C2 domains used in this campaign, including:

🔹 hxxp://keikochio[.]com/staz/gribs.zip
🔹 hxxps://shortlearn[.]click
🔹 hxxps://wrathful-jammy[.]cyou

Some variants enabled browser remote debugging, allowing attackers to hijack Chrome and Edge sessions, extract saved passwords, and monitor browsing activity.
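The persistence locations listed under Stage 3 and the remote-debugging abuse described above can all be checked from the endpoint itself. The audit script below is an added example written for this post, not code from Microsoft's report; the LOLBAS pattern, the user-writable path list and the browser switch names are this example's own assumptions.

```powershell
# Added example, not from the post or the Microsoft report. Enumerates Run keys,
# Startup folders and scheduled-task actions, plus browsers started with remote
# debugging, then flags entries that invoke the named LOLBAS or run from user paths.
$lolbas   = 'powershell\.exe|msbuild\.exe|regasm\.exe'     # binaries the campaign abused
$userDirs = '\\(AppData|Temp|Downloads|ProgramData)\\'   # typical dropper locations (assumed)
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding($Source, $Name, $Command) {
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = [string]$Command })
}

# 1. Registry Run / RunOnce keys, machine-wide and for the current user
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |                # skip PSPath/PSParentPath etc.
            ForEach-Object { Add-Finding 'RunKey' "$key\$($_.Name)" $_.Value }
    }
}

# 2. Startup folders; .lnk targets are resolved through the WScript.Shell COM object
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $cmd = $_.FullName
        if ($_.Extension -eq '.lnk') { $s = $shell.CreateShortcut($_.FullName); $cmd = "$($s.TargetPath) $($s.Arguments)" }
        Add-Finding 'Startup' $_.FullName $cmd
    }
}

# 3. Scheduled tasks: inspect every action, not just the first
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if ($a.Execute) { Add-Finding 'SchTask' "$($task.TaskPath)$($task.TaskName)" "$($a.Execute) $($a.Arguments)" }
    }
}

# 4. Chrome/Edge started with a remote-debugging switch (the session-hijack technique from Stage 4)
Get-CimInstance Win32_Process -Filter "Name='chrome.exe' OR Name='msedge.exe'" |
    Where-Object { $_.CommandLine -match '--remote-debugging-(port|pipe)' } |
    ForEach-Object { Add-Finding 'Browser' "PID $($_.ProcessId)" $_.CommandLine }

# Report anything matching a LOLBAS or a user-writable path, and every debugging-enabled browser
$findings | Where-Object {
    $_.Source -eq 'Browser' -or $_.Command -match $lolbas -or $_.Command -match $userDirs
} | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

Run it in an elevated session so HKLM keys, the common Startup folder and all scheduled tasks are readable; a legitimate signed installer can also live in AppData, so treat hits as leads to triage rather than verdicts.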


Defensive Recommendations: How to Stay Protected

💡 Microsoft Defender for Endpoint users should enable the following:

  • Tamper Protection – Prevent attackers from disabling security tools
  • Web Protection – Block malicious websites and phishing pages
  • Network Protection – Prevent malware from reaching C2 servers
  • Attack Surface Reduction (ASR) rules:
      • Block execution of potentially obfuscated scripts
      • Block JavaScript/VBScript from launching downloaded executable content
      • Block credential stealing from the Windows Local Security Authority Subsystem (LSASS)

🔹 Use Multi-Factor Authentication (MFA)
🔹 Block execution of unsigned PowerShell scripts
🔹 Enable Defender SmartScreen for browser security
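The endpoint-side recommendations above (network protection, the three ASR rules, signed-only PowerShell and SmartScreen) can be applied with the script below. It is an added example, not Microsoft's own tooling; the ASR rule GUIDs are Microsoft's published identifiers and should be confirmed against the current ASR rule reference before fleet-wide deployment.

```powershell
# Added example, not Microsoft's own script. Run elevated on a Defender-managed host.
# Tamper Protection has no Set-MpPreference switch: it is enabled from the Windows
# Security app, Intune, or Defender for Endpoint security settings management.

# Network protection (also backs Defender's web protection for non-Edge browsers)
Set-MpPreference -EnableNetworkProtection Enabled

# Attack Surface Reduction rules named in the recommendations (GUIDs from Microsoft's ASR reference)
$asrRules = @{
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript/VBScript from launching downloaded executable content'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
}
foreach ($id in $asrRules.Keys) {
    # Use AuditMode instead of Enabled for a trial period to surface false positives first
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    Write-Host "ASR $id -> $($asrRules[$id])"
}

# Only scripts signed by a trusted publisher may run. Execution policy is a safety
# rail, not a security boundary, so it complements rather than replaces the ASR rules.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# SmartScreen: Edge policy keys plus the Explorer policy that covers downloaded executables
$edge = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
New-Item -Path $edge -Force | Out-Null
Set-ItemProperty -Path $edge -Name 'SmartScreenEnabled'    -Value 1 -Type DWord
Set-ItemProperty -Path $edge -Name 'SmartScreenPuaEnabled' -Value 1 -Type DWord
$sys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
New-Item -Path $sys -Force | Out-Null
Set-ItemProperty -Path $sys -Name 'EnableSmartScreen'     -Value 1       -Type DWord
Set-ItemProperty -Path $sys -Name 'ShellSmartScreenLevel' -Value 'Block' -Type String

# Verify what is now in force
Get-MpPreference | Select-Object EnableNetworkProtection,
    AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
Get-ExecutionPolicy -List
```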

For enterprise security teams, Microsoft Defender XDR provides hunting queries to detect indicators of compromise (IOCs) associated with this attack.

Conclusion

This malvertising campaign highlights the growing trend of threat actors abusing trusted platforms like GitHub, Discord, and Dropbox to distribute malware. The modular nature of Storm-0408’s attack chain allows them to adapt quickly, evade detection, and maximize damage.

🚀 Key Takeaways:
✔️ Avoid illegal streaming websites – Many contain hidden malware
✔️ Be cautious of software from GitHub – Always verify sources
✔️ Use strong endpoint security solutions – Microsoft Defender XDR provides real-time protection

As cybercriminals continue weaponizing legitimate services, organizations must remain vigilant and implement proactive security measures to protect their data, credentials, and critical systems.

🔎 Stay informed with Microsoft Threat Intelligence:
📢 Read the full report
🎙️ Listen to the Microsoft Threat Intelligence Podcast here
