
Microsoft Threat Intelligence has detected a large-scale malvertising campaign that impacted approximately one million devices globally in December 2024. The attackers used illegal streaming websites to distribute information-stealing malware via a sophisticated multi-stage infection chain.
According to Microsoft's detailed analysis, the attack originated from pirated video streaming sites where malvertising redirectors were embedded within movie frames. These redirectors created a chain that ultimately led users to malicious GitHub repositories containing the initial payload. While GitHub was the primary platform, the attackers also utilized Discord and Dropbox to host some payloads.
The attack employed a modular, multi-stage approach. After the initial infection via redirectors on streaming sites, a first-stage payload was delivered, establishing a foothold on the victim's device.

This stage then deployed second-stage malware to conduct system discovery and exfiltrate information about the victim's hardware, operating system, and user details, all encoded in URL parameters sent to command-and-control servers.
Depending on the specific infection path, subsequent stages deployed various malicious tools, including Lumma stealer, Doenerium information stealer, and NetSupport RAT (Remote Access Trojan). The attackers also utilized living-off-the-land binaries and scripts (LOLBAS) such as PowerShell, MSBuild, and RegAsm to execute malicious code, evade detection, and maintain persistence.
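As an added example (not code from Microsoft's report or its detection products), the routine below scans constructed process-creation events for the three LOLBins named above and flags usage patterns that are unusual for legitimate developer or admin activity; the event field names, the list of unusual parent processes, and the user-writable path patterns are assumptions.

```python
"""Flag unusual use of the LOLBins called out in the campaign write-up.
Event layout, parent list and path heuristics are assumptions for this example."""
import re

# LOLBins named in the report.
LOLBINS = {"powershell.exe", "msbuild.exe", "regasm.exe"}
# Parents that should rarely launch a build tool or .NET registration tool (assumption).
UNUSUAL_PARENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "wscript.exe", "mshta.exe"}
# Arguments pointing at user-writable staging locations (assumption).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\Temp\\|\\ProgramData\\", re.I)
# PowerShell switches commonly paired with hidden or encoded execution.
HIDDEN_PS = re.compile(r"-(w(indowstyle)?\s+hidden|enc(odedcommand)?\b|nop(rofile)?\b)", re.I)


def flag_event(ev):
    """Return the reasons an event looks suspicious, or [] if nothing stands out."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    if image not in LOLBINS:
        return []
    parent = ev.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("command_line", "")
    reasons = []
    if parent in UNUSUAL_PARENTS:
        reasons.append(f"{image} spawned by {parent}")
    if USER_WRITABLE.search(cmd):
        reasons.append(f"{image} given an argument in a user-writable path")
    if image == "powershell.exe" and HIDDEN_PS.search(cmd):
        reasons.append("powershell hidden/encoded/no-profile flags")
    return reasons


def scan(events):
    """Return (event id, reasons) for every event that raised at least one reason."""
    hits = []
    for ev in events:
        reasons = flag_event(ev)
        if reasons:
            hits.append((ev["id"], reasons))
    return hits


# Constructed sample events: one benign build, one RegAsm launch from a browser
# against a file in the user's temp folder, one hidden encoded PowerShell run.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "command_line": r"MSBuild.exe C:\src\app\app.csproj"},
    {"id": 2, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": r"RegAsm.exe C:\Users\alice\AppData\Local\Temp\x.dll"},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -nop -w hidden -enc SQBFAFgA"},
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```

Feed real Sysmon or EDR process-creation records into `scan()` after mapping their fields onto `image`, `parent_image` and `command_line`.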
"This activity is tracked under the umbrella name Storm-0408 that we use to track numerous threat actors associated with remote access or information-stealing malware and who use phishing, search engine optimization (SEO), or malvertising campaigns to distribute malicious payloads," Microsoft said.
Microsoft observed the attackers specifically targeting browser credential files, accessing sensitive data from Chrome, Firefox, and Edge. They also monitored user keystrokes and implemented remote debugging capabilities to spy on browsing activities.
To mitigate the threat, Microsoft recommends strengthening endpoint configurations, including enabling tamper protection, network protection, and web protection in Microsoft Defender for Endpoint.
They also advise implementing multifactor and phishing-resistant authentication methods while avoiding telephony-based MFA to prevent SIM-jacking attacks.
Microsoft alerted GitHub's security team of the campaign and GitHub quickly responded by taking down the malicious repositories.
This attack highlights the growing sophistication of malvertising campaigns and the risks associated with visiting illegal streaming websites, which continue to serve as effective distribution points for malware targeting both consumer and enterprise devices.