Malvertising Infects 1M+ Devices Globally

by CybrGPT

Microsoft recently issued an urgent warning about a large-scale malvertising campaign that has affected more than one million devices globally.

The campaign, run by a threat actor Microsoft tracks as Storm-0408, combined phishing, search engine optimization (SEO) poisoning, and malvertising to deliver malicious payloads and steal sensitive user data.

“The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms,” the Microsoft Threat Intelligence team wrote in a blog post on Thursday.

“The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.”

How The Attack Works

Malvertising, or malicious advertising, is an attack technique in which attackers place harmful code or redirects inside otherwise legitimate-looking online ads to deliver malware.

Microsoft researchers discovered in early December 2024 that Storm-0408 was reaching users primarily through illegal pirated streaming websites, where malvertising redirectors were embedded in the pages' video frames and triggered when visitors interacted with the ads.

Once triggered, these redirectors bounced users through one or more intermediary sites before landing them on malware-hosting repositories on widely used platforms such as GitHub, Discord, and Dropbox.

Those repositories hosted the malicious payloads; when a victim ran the downloaded file, it infected the device with one of several kinds of malware.

“The streaming websites embedded malvertising redirectors within movie frames to generate pay-per-view or pay-per-click revenue from malvertising platforms. These redirectors subsequently routed traffic through one or two additional malicious redirectors, ultimately leading to another website, such as a malware or tech support scam website, which then redirected to GitHub,” Microsoft added.
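The redirect chain Microsoft describes above (streaming site, one or two redirectors, a scam or lure page, then a download from GitHub) leaves a trail in web-proxy logs that can be reconstructed from Referer headers. The following is an added example of that reconstruction, not code from Microsoft or the original article: it walks constructed proxy records (the hostnames and IPs are placeholders, not real indicators) backwards from each file download on GitHub, Discord or Dropbox and flags downloads that were reached through at least two hops. The payload-host list and the minimum-hop threshold are assumptions to tune for your environment.

```python
"""Reconstruct click-through chains from proxy logs and flag the
streaming-site -> redirector(s) -> GitHub/Discord/Dropbox download pattern.
Added example; not Microsoft's or the article author's code."""
from collections import defaultdict
from urllib.parse import urlparse

# Platforms the article says were abused for payload hosting. Matching below
# also accepts sub-hosts (e.g. objects.githubusercontent.com).
PAYLOAD_HOSTS = {
    "github.com", "raw.githubusercontent.com", "objects.githubusercontent.com",
    "cdn.discordapp.com", "dropbox.com", "dl.dropboxusercontent.com",
}
# Evidence that a file was actually pulled down, not just a page viewed.
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload", "application/zip"}
PAYLOAD_EXTS = (".exe", ".zip", ".msi", ".scr")

# Constructed proxy records (not real telemetry):
# (client, timestamp, url, status, referer, content-type)
SAMPLE_LOG = [
    ("10.0.0.5", 1, "https://free-movies.example/watch/1234", 200, "-", "text/html"),
    ("10.0.0.5", 2, "https://ads-redir.example/r?id=77", 302, "https://free-movies.example/watch/1234", "text/html"),
    ("10.0.0.5", 3, "https://tech-support-scam.example/alert", 200, "https://ads-redir.example/r?id=77", "text/html"),
    # GitHub answers a release download with a 302 to its object store; the
    # browser keeps the original Referer across that redirect.
    ("10.0.0.5", 4, "https://github.com/someuser/repo/releases/download/v1/Setup.exe", 302, "https://tech-support-scam.example/alert", "text/html"),
    ("10.0.0.5", 5, "https://objects.githubusercontent.com/abc/Setup.exe", 200, "https://tech-support-scam.example/alert", "application/octet-stream"),
    # A direct, referer-less download: legitimate use, must not be flagged.
    ("10.0.0.9", 1, "https://github.com/python/cpython/archive/main.zip", 200, "-", "application/zip"),
]


def host_of(url):
    return urlparse(url).hostname or ""


def is_payload_host(host):
    """Exact host or a sub-host of one of the abused platforms."""
    return any(host == h or host.endswith("." + h) for h in PAYLOAD_HOSTS)


def is_payload_download(rec):
    _, _, url, status, _, ctype = rec
    path = urlparse(url).path.lower()
    return status == 200 and (ctype in PAYLOAD_TYPES or path.endswith(PAYLOAD_EXTS))


def build_chain(rec, earlier):
    """Follow Referer headers backwards through this client's earlier requests."""
    chain, seen, cur = [rec], {rec[2]}, rec
    while True:
        referer = cur[4]
        parent = next((r for r in reversed(earlier) if r[2] == referer and r[2] not in seen), None)
        if parent is None:
            break
        chain.append(parent)
        seen.add(parent[2])   # guards against referer loops
        cur = parent
    chain.reverse()
    return chain


def flag_chains(records, min_hops=2):
    """Return (client, [host, ...]) for every payload download reached via
    at least `min_hops` prior pages; direct downloads are left alone."""
    by_client = defaultdict(list)
    for rec in sorted(records, key=lambda r: (r[0], r[1])):
        by_client[rec[0]].append(rec)
    flagged = []
    for client, recs in by_client.items():
        for i, rec in enumerate(recs):
            if not (is_payload_download(rec) and is_payload_host(host_of(rec[2]))):
                continue
            chain = build_chain(rec, recs[:i])
            if len(chain) - 1 >= min_hops:
                flagged.append((client, [host_of(r[2]) for r in chain]))
    return flagged


if __name__ == "__main__":
    for client, hosts in flag_chains(SAMPLE_LOG):
        print(client, " -> ".join(hosts))
```

Referer-based linking is deliberately conservative: privacy-stripping browsers and `Referrer-Policy: no-referrer` will break a chain, so treat a hit as high-confidence and a miss as no information. If your proxy logs the `Location` header of 3xx responses, adding that as a second linking rule closes most of the gap.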

Types Of Malware Deployed

The attack comprised a multi-stage malware infection. The initial payload acted as a dropper, silently downloading later stages and executing malicious code on the victim machine. Among the most notable malware deployed were:

  • Lumma Stealer – An information-stealing malware that extracts login credentials, system details, and browser data.
  • Doenerium (Updated Version) – A revamped version of an infamous infostealer that further enhances attackers’ ability to collect sensitive information.

These malware strains were intended to harvest sensitive user information, such as passwords, personal data, and even online banking credentials.

The harvested data was then sent to the attackers’ command-and-control (C2) servers, compromising both individual users and the businesses whose credentials were on those devices.

Evasion Tactics Used By Hackers

To evade detection, Storm-0408 used several methods. One was hosting malicious payloads on legitimate cloud platforms, so that downloads blended in with ordinary traffic to GitHub, Discord, and Dropbox and did not trigger reputation-based blocking.

The threat actors also relied on living-off-the-land binaries and scripts (LOLBAS) such as PowerShell.exe, MSBuild.exe, and RegAsm.exe for C2 communication and for exfiltrating user data and browser credentials. Because these binaries ship with Windows and are signed by Microsoft, their execution alone rarely raises suspicion; what stands out is who launched them and where they connect.
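The useful signal in the LOLBAS abuse described above is the combination of a trusted binary, an untrusted parent, and an outbound connection. The following is an added detection example, not Microsoft's detection logic or anything from the original article: it correlates constructed Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records by ProcessGuid and flags MSBuild.exe or RegAsm.exe talking to non-internal addresses unless launched by a trusted developer tool, and PowerShell doing so with hidden/encoded command lines or an untrusted parent. The trusted-parent list, the command-line tokens, and all paths, GUIDs and IPs are assumptions; the IPs are RFC 5737 documentation addresses standing in for public ones.

```python
"""Flag LOLBAS binaries (PowerShell, MSBuild, RegAsm) making outbound
connections, by correlating Sysmon-style Event ID 1 and Event ID 3 records.
Added example; not Microsoft's detection logic."""
import ipaddress
from pathlib import PureWindowsPath

LOLBAS = {"powershell.exe", "msbuild.exe", "regasm.exe"}
# Parents under which MSBuild/RegAsm network activity is expected (assumption:
# e.g. NuGet restore driven from the IDE). Tune for your estate.
TRUSTED_PARENTS = {"devenv.exe", "dotnet.exe"}
# Only RFC 1918/loopback/link-local count as internal. Python's is_private/is_global
# also treat the RFC 5737 documentation ranges used below as non-global, which
# would hide the sample's "public" destinations, so the ranges are listed explicitly.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
POWERSHELL_SUSPICIOUS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                         "iex", "invoke-expression", "downloadstring", "frombase64string")

# Constructed events (not real telemetry). Event 1 = process create, 3 = network connect.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\Setup.exe", "CommandLine": "MSBuild.exe proj.xml"},
    {"EventID": 3, "ProcessGuid": "{A}", "DestinationIp": "203.0.113.45", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{B}", "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\Setup.exe", "CommandLine": "RegAsm.exe"},
    {"EventID": 3, "ProcessGuid": "{B}", "DestinationIp": "198.51.100.7", "DestinationPort": 80},
    # Admin PowerShell talking to an internal file server: benign.
    {"EventID": 1, "ProcessGuid": "{C}", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe -NoProfile Get-ChildItem"},
    {"EventID": 3, "ProcessGuid": "{C}", "DestinationIp": "10.0.0.20", "DestinationPort": 445},
    # MSBuild under Visual Studio reaching out: expected on a developer box.
    {"EventID": 1, "ProcessGuid": "{D}", "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "CommandLine": "MSBuild.exe app.sln"},
    {"EventID": 3, "ProcessGuid": "{D}", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Hidden, encoded PowerShell spawned by a dropper in Temp: the dropper stage.
    {"EventID": 1, "ProcessGuid": "{E}", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\Setup.exe", "CommandLine": "powershell.exe -w hidden -enc SQBFAFgA"},
    {"EventID": 3, "ProcessGuid": "{E}", "DestinationIp": "203.0.113.45", "DestinationPort": 443},
    # Interactive PowerShell fetching from the internet with no evasion flags: not flagged by this rule.
    {"EventID": 1, "ProcessGuid": "{F}", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe -NoProfile Invoke-WebRequest https://example.net"},
    {"EventID": 3, "ProcessGuid": "{F}", "DestinationIp": "203.0.113.99", "DestinationPort": 443},
]


def image_name(path):
    return PureWindowsPath(path).name.lower()


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def user_writable(path):
    """Heuristic: parent lives somewhere a standard user can write."""
    p = path.lower()
    return "\\users\\" in p or "\\temp\\" in p or "\\programdata\\" in p


def suspicious_powershell(cmdline):
    c = cmdline.lower()
    return any(tok in c for tok in POWERSHELL_SUSPICIOUS)


def detect(events):
    """Return one alert dict per LOLBAS process with a non-internal connection
    that fails the per-binary expectation checks above."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        if e["EventID"] != 3 or is_internal(e["DestinationIp"]):
            continue
        proc = procs.get(e["ProcessGuid"])
        if proc is None:
            continue
        image = image_name(proc["Image"])
        if image not in LOLBAS:
            continue
        parent = image_name(proc["ParentImage"])
        untrusted_parent = user_writable(proc["ParentImage"]) or parent not in TRUSTED_PARENTS
        if image == "powershell.exe":
            if not (suspicious_powershell(proc["CommandLine"]) or user_writable(proc["ParentImage"])):
                continue
            reason = "powershell with evasion flags or untrusted parent"
        elif not untrusted_parent:
            continue
        else:
            reason = f"{image} outbound connection from untrusted parent"
        alerts.append({"guid": proc["ProcessGuid"], "image": image, "parent": parent,
                       "dest": f'{e["DestinationIp"]}:{e["DestinationPort"]}', "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The PowerShell branch is intentionally stricter than the MSBuild/RegAsm branch: PowerShell legitimately reaches the internet all day, so it needs a second indicator, whereas MSBuild and RegAsm have almost no reason to make outbound connections outside a build context. Expect to add your own build agents to the trusted-parent list and to tune the command-line tokens; the sample's `{F}` record shows the rule deliberately passing a plain interactive web request.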

Microsoft’s Response And Security Measures

In response, Microsoft took several immediate actions: it removed the malicious repositories hosted on GitHub, Discord, and Dropbox; it revoked 12 compromised digital certificates the attackers had used to sign malware so that it appeared legitimate; and it published technical details and indicators of compromise (IoCs) so organizations and individuals can hunt for and block the campaign on their own systems.

How To Protect Your Devices

Given the scale of this attack, users are strongly advised to take proactive steps to secure their systems. These include avoiding illegal streaming sites and unfamiliar online ads; using reputable antivirus and endpoint protection tools; monitoring for unusual outbound connections, particularly from built-in Windows binaries, that may signal C2 traffic or data exfiltration; and enabling Multi-Factor Authentication (MFA) to limit what stolen passwords are worth. Note that infostealers such as Lumma also harvest browser session cookies, which can let an attacker bypass MFA on an already-authenticated account, so after a suspected infection sign out of all sessions and rotate credentials rather than relying on MFA alone.

You can refer to Microsoft’s full report for a detailed breakdown of the attack stages and the payloads used.
